Friday, June 24, 2011

Board Election Update

Attention OWASP Community,

Daily we learn of malicious hackers in the news - software security has never been more important to consumers, businesses, governments or students.

We trust that you have found valuable resources at OWASP Foundation in forms of guides, tools, resources and a professional community of over 25,000 worldwide - thank you.

As we continue to evolve our professional association, OWASP is hosting its second election of its International Board of Directors. This year, three (3) of six board seats are up for election for a twenty-four month term, and details of the process and candidates can be found online at:


Who will you support?

Thank you in advance for your continued support.

On behalf of the OWASP Foundation.

Kate Hartmann
Operations Director
Skype: Kate.hartmann1


Tuesday, June 21, 2011

Attention Chapter Leaders

Attention Chapter Leaders!
The goals of the Chapter Leader mailing list are:

  1. To exchange chapter leader experience
  2. To ask questions (and hopefully get responses) on chapter topics
  3. To announce chapter related topics

There already are a lot of resources available:

There is a chapter leader handbook:

But all of this material can and should be further improved to enable you - as chapter leader - in creating and maintaining our community.

If you need help: ask your question on the mailing list.

If you have some spare time: start building a chapter leaders FAQ as part of the chapter leaders handbook.



Friday, June 17, 2011

CFP OWASP AppSec LATAM and Partner event, Rochester Security Summit


OWASP is currently soliciting presentations for the OWASP AppSec Latam 2011 Conference that will take place at PUC-RS in Porto Alegre, RS, Brazil on October 4th through 7th, 2011. There will be training courses on October 4th and 5th followed by plenary sessions on the 6th and 7th with each day having one single track.

We are seeking people and organizations that want to present on any of the following topics (in no particular order), or any other topics related to application security:

  • Application Threat Modeling
  • Business Risks with Application Security
  • Hands-on Source Code Review
  • Metrics for Application Security
  • OWASP Tools and Projects
  • Privacy Concerns with Applications and Data Storage
  • Secure Coding Practices (J2EE/.NET)
  • Starting and Managing Secure Development Lifecycle Programs
  • Technology specific presentations on security such as AJAX, XML, etc
  • Web Application Security countermeasures
  • Web Application Security Testing
  • Web Services, XML and Application Security
  • Anything else relating to OWASP and Application Security

To make a submission you must fill out the form available at

and submit through the easychair conference interface at

Each presenter will have 45 minutes for the presentation, followed by 10 minutes reserved for questions from the audience. The presentations must respect the restrictions of the OWASP Speaker Agreement.

Important Dates

· Submission deadline is July 18, 2011 at 11:59 PM (UTC/GMT -3).

· Notification of acceptance is August 5, 2011.

· Presentation slides are due September 19, 2011.

The conference organization team may be contacted by email at appsec2011 (at)

For more information, please see the following web pages:

Conference Website: or

OWASP Speaker Agreement:

OWASP Website:

Easychair conference site:

Presentation proposal form:


Rochester Security Summit October 4th-5th, 2011 Rochester, NY

We are pleased to announce that the sixth annual Rochester Security Summit is being planned for October 4-5, 2011 in Rochester, NY at the beautiful and totally renovated Hyatt Regency Rochester. This year’s theme is “Security Sanity” with Marcus J. Ranum as our keynote speaker. The Rochester Security Summit is the premiere IT security event in Upstate/Western NY.

In 2010 the Rochester Security Summit gathered more than 200 attendees, including executives from Fortune 500 firms, information security professionals, auditors, developers and software architects. We had 26 outstanding presentations, a sold-out Capture the Flag (a.k.a. Ethical Hacking 101) event and an extremely well received end panel with representatives of the 3 sponsoring organizations, ISSA, ISACA and OWASP.

The Rochester Security Summit is currently soliciting presentations from researchers, academia and industry for the 3 main tracks: Business Professional, Technical Professional and Software Professional. If you believe you have a significant research or technical presentation that the security community would value and enjoy hearing, we invite you to submit your presentation topic for consideration.

All three tracks will consist of presentations in 50-minute blocks, including Q&A. Presentations may be allowed to span two blocks to accommodate topic exploration to different depths if the committee sees the merit in the longer time allotment.

  • Please submit your proposal before June 30th
  • We will respond to proposals by July 30th
  • Draft copy of the slides for the papers must be submitted by August 26th
  • Final submissions are due by September 23rd

Please review the speaker guidelines on the web site, before submitting a proposal.

Proposals may be submitted via e-mail to

Summit attendees are a mix of technical security professionals, vendors, programmers, web application developers, security testers, students, network administrators and IT executives. Preference will be given to speakers who can present innovative technical content to a broad technical audience. Of course, all presentations are expected to challenge the brightest and quickest of attendees.

The Rochester Security Summit is not a vendor fest. There is zero tolerance for heavy commercial content in presentations. Presenters are expected to avoid any marketing that is not immediately backed up with rationale for its inclusion.

Proposals should consist of the following information:

1. Presenter and contact info (country of origin and residence, e-mail, postal address, phone, fax).

2. Employer and/or affiliations.

3. Brief biography, list of publications and papers.

4. Any significant presentation and educational experience/background.

5. Topic synopsis, proposed paper title, and a one paragraph description.

6. Reason why this material is innovative or significant or an important tutorial.

7. Optionally, any samples of prepared material or outlines ready.

8. Will you have full text available or only slides?

9. Please list any other publications or conferences where this material has been or will be published or submitted.

10. If you think a second 50-minute block will be required to do your topic justice, please let us know and give a rationale for the longer format.

Please include the plain text version of this information in your email as well as any file, pdf, sxw, ppt, or html attachments.

Please forward the above information to

For more event information, or to register, visit us online at

Thank you,

Rochester Security Summit Organizing Committee

Kate Hartmann
Operations Director
301-275-9403
Skype: Kate.hartmann1

Thursday, June 16, 2011

OWASP iGoat 1.0

(From Ken van Wyk)
Greetings all.
Yesterday, we put out the first public release of the OWASP iGoat project. This message is a brief description and call for participants in the project.

The iGoat tool is a learning tool, primarily meant for iOS developers (but also useful to IT security practitioners, security architects, and others who simply want to learn about iOS security). It takes its name and inspiration from the venerable OWASP WebGoat tool. Like WebGoat, iGoat users explore a number of security weaknesses in iOS by exploiting them first. Then, once each weakness has been explored, the iGoat user must implement a remediation to protect against each weakness and validate that the remediation was successful, similar to the WebGoat Developer Edition. Hints and other background information are provided, right down to commented solutions in the source code, so that developers can use iGoat as a self-study learning tool to explore and understand iOS weaknesses and how to avoid them. Further, the iGoat platform was specifically designed and built to be as easily extensible as possible, so that new exercises can be easily built and integrated over time. iGoat was sponsored and initially developed by KRvW Associates, LLC (, and is being released under GPLv3 licensing to the community.

With the first public release, we've included several initial exercises and exercise categories. These include such well known topics as SQL Injection, secure communications, etc. We plan to further integrate another handful of exercises in the short term, as well as make several improvements to the user interface. In the short term, we'll also be adding more documentation in the form of HOWTO documents that will cover how to install and use iGoat, as well as how to add new exercises to it. No doubt, further improvements will quickly surface as the community starts using the tool...

Project Site

iGoat can be found at:

All releases and source code are on Google Code. See the project home page above for further details.

Call for Participation

The iGoat team would like to invite anyone interested to participate and contribute to iGoat's further development. Please contact the project leader, Ken van Wyk ( if you wish to contribute to the project.

Mailing List

An open, unmoderated forum has been set up for the iGoat project. To subscribe, see

Cheers, Ken

Wednesday, June 15, 2011

Question on 3rd party JS

Question: How do you best use external JavaScripts and comply with PCI-DSS (from @joffemannen)

(Great answer from @johnwilander)

I've had more than one consultation on this issue and we've always had to start by explaining the full access and full trust model of loading 3rd party code and content. To start with there's an important distinction between loading a 3rd party code library such as jQuery, and loading DOM content with or without JavaScript. If they want DOM content then traditional iframing works fine until they want to interact with the 3rd party content or vice versa. Since they will be loaded from different domains they will not be able to access each other.

If they want interaction they have four ways ahead:
  • Hosted + controlled releases. Establish a B2B release cycle with the vendor in which new versions of script files are released to them via file transfer and not directly into production. Then they do whatever auditing and analysis their process requires and deploy under their own domain. Note that this works for code-only cases too, i.e. no 3rd party content. This used to be an issue back when everyone was "hot linking" but nowadays you typically see requirements to download and host yourself since 3rd parties don't want to have to pay for the bandwidth or even have the tough SLAs in place.
  • Reverse proxy. Set up a reverse proxy to mimic that the 3rd party content is served by themselves. This makes it look like they're hosting everything themselves but really they're not. However, in this case they can potentially filter and detect code changes. If code changes happen daily it'll just become noise but detecting less frequent changes may prove useful for the cert team.
  • Normal loading + ajax proxy. Let the 3rd party have their own release cycle, load from 3rd party's domain and set up an ajax proxy if the code requires that. That means their own domain is still serving the client calls but they just reflect whatever source code the vendor serves up.
  • Point subdomain to 3rd party. If they point a subdomain of their own such as pointing to Google Maps and host their own content on they can have both the iframe and the outer page set their document.domain to a and thus enable interaction.
In the three latter cases they're basically giving the 3rd party code the same privileges their own code has. So it has to be covered by the same processes (pentests and what not). This is typically when my customers have started considering the first option – "Hey, maybe we need to control what code runs on our page? And who writes that code. And how easy it is to hack into the hosting servers and replace that code. Damn!".

Regards, @johnwilander

Saturday, June 11, 2011

OWASP Zed Attack Proxy 1.3.0 released


Hi folks,

Version 1.3.0 of the OWASP Zed Attack Proxy (ZAP) has now been released.

ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

This release adds the following main features:
  • Fuzzing, using the JBroFuzz library
  • Dynamic SSL Certificates
  • Daemon mode and API
  • BeanShell integration
  • Full internationalization
  • Out of the box support for 10 languages

For more information and to download this release please visit the ZAP homepage:

Many thanks to everyone who contributed code, language files, enhancement requests, bug reports and general feedback.


AppSecEU Was Awesome

(from Seba)

I am just back from AppSecEU, held in Dublin this week.

I want to congratulate the whole team for a great and inspiring event!

AppSec EU Conference Team:
  • Eoin Keary
  • Fabio Cerullo
  • Fiona Walsh
  • Kate Hartmann
  • Lorna Alamri
  • Sarah Baso
  • Ana Loza
  • Ralph Durkee
  • Owen Pendlebury
  • Niall Jordan
  • Ronan O'Mullane
  • Federico Feraboli
And probably a whole lot of people working behind the scenes.

Having co-organized conferences before, I know it has taken them several months of sweat, blood and energy.


Kind regards,

Friday, June 3, 2011

AppSec USA 2011 CFP Reminder, CTF Pre-Conference Challenge #2

Hello OWASP Community!

This is an update about the OWASP AppSec USA 2011 software security conference in Minneapolis this September I just sent to several other mailing lists. Maybe on your way to AppSec EU you can work on a paper and get it submitted! I would be most thankful if you would share the CFP link, as well as the CTF pre-con challenge #2 (free ticket opportunity) and Training links with your friends and local chapters.


Have something important to say about software security? The OWASP AppSec USA 2011 Call for Papers is still open. We're looking for hardcore talks in cloud security, mobile security, new attacks & defenses, and straight up software development platforms. Get your submission in before time runs out. And have your developer friends submit a talk!

The AppSec USA 2011 talks will be delivered September 22-23, 2011 in Minneapolis, Minnesota. In addition to the talks, we'll have excellent keynotes like Moxie Marlinspike.

Leaders: The CFP system for the OWASP-specific track is Contact Mark Bristow or Jason Li for more information.


Last month ChrisKarel won pre-conference challenge #1 for a pass to the OWASP AppSec USA 2011 talks. Congratulations, ChrisKarel!

For June, we're back with another chance for you to score a free conference pass and get a feel for the AppSec USA 2011 CTF challenges coming this September. Good luck.

*** TRAINING ***

We have awesome training at a fair price. Register for mobile security, penetration testing, secure coding, and attack detection and response courses being held September 20-21. Hurry before classes fill up.
*** MORE APPSEC USA 2011 ***

Check out for other events including a 5K / 10K charity run, the first ever Women in AppSec grant, and a chance to have your own original music played at the conference.

Thanks to our wonderful supporters - check them out at!


Adam Baso
OWASP AppSec USA 2011: Your life is in the cloud.
September 20-23 Training, Talks, CTF, Showroom, and More

OWASP Project Update

Reposted from by Paulo Coimbra


* OWASP Common Numbering Project, led by Dave Wichers, under which a new numbering scheme that will be common across OWASP Guides and References is being developed.

* OWASP HTTP Post Tool, led by Tom Brennan, this project is a tool for the purpose of performing web application security assessment around availability concerns.

* OWASP Forward Exploit Tool Project, led by Marcos Mateos Garcia, this aims to develop a tool to exploit Top 10 2010 – A10 – Unvalidated Forward vulnerability to bypass access control to protected Java application files.

* OWASP Java XML Templates Project, led by Jeff Ichnowski, this is a fast and secure XHTML-compliant template language that runs on a model similar to JSP.

* OWASP ASIDE Project, led by Jing Xie, Bill Chu and John Melton, ASIDE is an abbreviation for Assured Software Integrated Development Environment. It is an Eclipse Plugin which is a software tool primarily designed to help students write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.

* OWASP Secure Password Project, led by Josh Sokol, this project will have a two pronged approach designed to put more nails in the single-factor method of authentication: an interactive portal where penetration testers are able to enter known information about the target and the results of all data collected into a large database.

* OWASP Secure the Flag Competition Project, led by Mark Bristow, this project aims to create a different type of competition that encourages secure coding rather than hacking skills.

* OWASP Security Baseline Project, led by Marian Ventuneac, this projects aims to benchmark the security of various enterprise security products/services against OWASP Top 10 risks.

* OWASP ESAPI Objective – C Project, led by Deepak Subramanian, this project is the Objective-C (Cocoa) implementation of ESAPI.

* OWASP Academy Portal Project, led by Martin Knobloch, Ricardo Melo and Konstantinos Papapanagiotou, this project envisages the creation of a portal to offer academic material in usable blocks, labs, videos and a forum.

* OWASP Exams Project, led by Jason Taylor, this project will establish the model by which the OWASP community can create and distribute CC-licensed exams for use by educators.

* OWASP Portuguese Language Project, led by Lucas Ferreira and Carlos Serrão, this project aims to coordinate and push forward the initiatives developed to translate OWASP materials to Portuguese.

* OWASP Browser Security ACID Tests Project, led by Dave Wichers, John Wilander and David Lindsay, this project was started in order to help people get a better understanding of what these issues are while also providing browser vendors a forum to compare strategies, vulnerabilities, and new features.

* OWASP Web Browser Testing System Project, led by Isaac Dawson, this project was built to quickly automate and test various browser and user-agents for security issues. It contains all the necessary services required for testing a browser.

* OWASP Java Project, led by Matthias Rohr, this project’s goal is to enable Java and J2EE developers to build secure applications efficiently.

* OWASP Myth Breakers Project, led by Stefano Di Paola and Dinis Cruz, this project is similar to but for appsec: urban legends and assumptions regarding appsec will be tested and there'll be a set of examples that will prove the correctness/incorrectness of a statement related to the question.

* OWASP LAPSE Project, led by Pablo Martín Pérez and José María Sierra Cámara, LAPSE is designed to help with the task of auditing Java EE Applications for common types of security vulnerabilities found in Web Applications.

* OWASP Software Security Assurance Process, led by Mateo Martínez, this project envisages to outline mandatory and recommended processes and practices to manage risks associated with applications.

* OWASP Enhancing Security Options Framework (ESOP Framework), led by Amber Marfatia, the purpose of the framework is to provide a security layer to a given web application / web site via a web service which can use the functions / modules to protect the site from several specified vulnerabilities.

* OWASP German Language Project, led by Matthias Rohr, this project will provide a foundation, guidance and common terminology for German translations (as well as other German language specific activities) of OWASP documents and parts of the OWASP web site. Furthermore, it will organize, plan and prioritize new language projects such as translations.

* OWASP Mantra – Security Framework, led by Abhi M BalaKrishnan, this project is a security framework which can be very helpful in performing all the five phases of attacks including reconnaissance, scanning and enumeration, gaining access, escalation of privileges, maintaining access, and covering tracks.

* OWASP Java HTML Sanitizer, led by Mike Samuel and Jim Manico, this is a fast Java-based HTML sanitizer which provides XSS protection.

* OWASP Java Encoder Project, led by Jeff Ichnowski, this project is a simple-to-use drop-in encoder class with little baggage.

* OWASP WebScarab NG Project, led by Daniel Brzozowsk, this project is a robust tool that assists the user in penetration tests. This is a complete rewrite of the old WebScarab application, with a special focus on making the application more user-friendly.

* OWASP Threat Modelling Project, led by Anurag Agarwal, this project envisages to establish a single and inclusive software-centric OWASP Threat modeling Methodology, addressing vulnerability in client and web application-level services over the Internet.

* OWASP Application Security Assessment Standards Project, led by Matteo Michelini, the Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed and what level of assessment is appropriate based on business requirement.

* OWASP Hackademic Challenges Project, led by Anastasios Stasinopoulos and Konstantinos Papapanagiotou, this is an open source project that can be used to test and improve one’s knowledge of web application security.

* OWASP Hatkit Proxy Project, led by Martin Holst Swende, this is an intercepting http/tcp proxy based on the Owasp Proxy, but with several additions.

* OWASP Hatkit Datafiddler Project, led by Martin Holst Swende, this is a tool for performing advanced analysis of http traffic.

* OWASP ESAPI Swingset Interactive Project, led by Cathal Courtney and Fabio Cerullo, this a web application which demonstrates common security vulnerabilities and asks users to secure the application against these vulnerabilities using the ESAPI library.

* OWASP ESAPI Swingset Demo Project, led by Craig Younkins, this is a web application which demonstrates the many uses of the Enterprise Security API (ESAPI).

* OWASP Web Application Security Accessibility Project, led by Petr Závodský, this project will focus extensively on the issue of web application security accessibility.

* OWASP Cloud-10 Project, led by Vinay Bansal, Shankar Babu Chebrolu, Pankaj Telang, Ken Huang, and Ove Hansen, the goal of the project is to maintain a list of the top 10 security risks faced with Cloud Computing and SaaS models. The list will be maintained with input from the community, security experts and security incidents at cloud/SaaS providers.

* OWASP Web Testing Environment Project, led by Matt Tesauro, this project was conceived to receive all OWASP Live CD related content.

* OWASP iGoat Project, led by Kenneth R. van Wyk, this project aims to be a developer learning environment for iOS app developers. It was inspired by the OWASP WebGoat project in particular the developer edition of WebGoat.

* Opa, led by David Rajchenbach-Teller, aims to usher in a new generation of web development tools and methodologies.

* OWASP Mobile Security Project – Mobile Threat Model, led by Jack Mannino, this sub-project is a component of the OWASP Mobile Security Project.

* OWASP Codes of Conduct, led by Colin Watson, this project envisages to create and maintain OWASP Codes of Conduct. In order to achieve our mission, OWASP needs to take advantage of every opportunity to affect software development everywhere. At the OWASP Summit 2011 in Portugal, the idea was created to try to influence educational institutions, government bodies, standards groups, and trade organizations.


* OWASP Cross-Site Request Forgery Research Pool