Friday, July 29, 2011

AppSec USA Open Source Support!

OWASP is piloting a new initiative to promote open source ideals at our Global AppSec Conferences!  
For the first time, we are offering a limited number of free booth spaces to open source projects as part of the OWASP Open Source Showcase at OWASP AppSec USA 2011!  We invite ANY open source project - not just OWASP projects - to apply for a booth at this showcase to demo and promote their project. Showcase participants need to be ticketed attendees and will be responsible for manning their booth.  
Learn more about this opportunity, including how to submit projects for consideration, by visiting the following URL:

Applications are due Friday, August 19, 2011, and are considered on a rolling basis - so get moving!
Contact if you have any questions.  
OWASP MSP: Host to OWASP AppSec USA 2011
September 20-23
Training, Talks, CTF, Showroom and more @appsecusa

Application Security Tutorial Videos

The OWASP application security video tutorial series, led by Jerry Hoff, has produced three great security videos and has many more on the way. These videos are short and to the point: each 10-minute episode covers a core application security risk such as cross-site scripting or SQL injection, and future episodes will cover defense-in-depth techniques such as HTTP Strict Transport Security or the X-Frame-Options header.

The following videos are currently available as part of the AppSec Tutorial Video Series.

• Episode 1 - Introduction
• Episode 2 - Injection Attacks
• Episode 3 - Cross Site Scripting

The following link will take you to the OWASP AppSec Video Series homepage on YouTube.

You can also watch the three videos embedded below.


Wednesday, July 27, 2011

OWASP Codes of Conduct Project

By Colin Watson

At the summit in Portugal earlier this year, a working session on "Defining a Minimal AppSec Program for Universities, Governments, and Standards Bodies" created a document defining minimal requirements for three types of organization, specifying the most effective ways to support OWASP's mission. These are OWASP's objectives for other organizations and do not relate to members or other participants.

The three types of organization were:

- Government Bodies
- Educational Institutions
- Standards Groups

with Jeff Williams, Dave Wichers and Dinis Cruz as primary contributors.

Although I didn't attend that particular session, I was able to contribute to an early draft version of the document, and subsequently created a parallel document for:

- Trade Organizations

At another working session on Certification, the participants created another closely-related document on expectations for:

- Certifying Bodies

with Jason Li, Jason Taylor, Martin Knobloch, Matthew Chalmers and Justin Searle as primary contributors.

Each document has been given a colour name to make it more identifiable, and to provide a shorter title. Thus the document "The OWASP Application Security Code of Conduct for Government Bodies" is also "The OWASP Green Book".

OWASP would like to formalize, complete and create release-quality documents, and therefore I have offered to start a project and become project leader for the OWASP Codes of Conduct Project. The project will nurture these initiatives and collect feedback on the draft documents with the aim of issuing and promoting the documents later this year. With Paulo Coimbra's welcome assistance, the project and current draft versions can be found at:

The v1.1 draft documents were created from the summit outcomes, and to date I have:

1) standardized their formatting
2) removed reference to "free membership [of bodies, groups]" where this does not match current policy
3) removed "free attendance at events" for liaison contacts since this hasn't been more widely discussed
4) made liaison groups within OWASP less specific since we do not have an "OWASP Educational Institution Executive Council", for example
5) changed the mandatory Code of Conduct items to a numbered list, and the recommendations to an alphabetical list, to distinguish between them better
6) added hyperlinks to OWASP resources and a summary sheet on the last page

I would welcome feedback on these using the project's mailing list:

Please contribute in the next 4 weeks, after which I will be seeking formal project reviewers. Some things to be discussed before then:

- have all the contributors been captured correctly?
- the documents do not have licensing or copyright stated
- the Green Book requires government organizations to adopt a definition of "application security", but in the Yellow Book for Standards Groups this is an optional requirement, and perhaps they should be the same
- some organizations might decide they do everything we suggest, and we might want to state a form of words for any statement of adoption

PLUS ANYTHING ELSE you feel is important. You may have ideas for another similar document. Please join the mailing list.

Colin Watson

Thursday, July 21, 2011


Fabio Cerullo presented the OWASP training day in Argentina on 7/19/2011. There were over 40 attendees (58 registered) and 17 NEW members registered including 5 educational supporters. Outstanding!

The next stop on the tour is Uruguay on 7/26/2011. Mateo is estimating over 120 attendees (although they will still need to sign up). Of the 8 registered for the upcoming training day, 6 have signed up for membership!

Brazil and Peru are scheduled for August, so I will provide updates as we get closer.

Wednesday, July 20, 2011

AppSec Asia 2011

Building on its successes of the past two years, OWASP’s China chapter is again hosting a flagship OWASP outreach event in Beijing, China. The Global AppSec Asia 2011 will be held from November 8 to 11, 2011. This event offers expo, training and conferences and includes many opportunities to converse with the government, industry and education leaders from China and the entire Asia Pacific region.

If you are interested in speaking at the conference (November 8 to 9, 2011) or a training session (November 10 to 11, 2011) then please submit your proposal here.

If your company or other companies you know are interested in reaching out to the vast and growing Asia Pacific market then please contact Helen Gao (516-582-4943). The sponsorship document can be downloaded here. If you are interested in the product exhibit then please let Helen know by July 31, 2011.

Thank you very much for your support.

OWASP AppSec USA 2011

AppSec USA 2011 is a conference for information security and software development professionals who are challenged with solving tough application security problems. This year's format will be eight tracks spread across two days, with each talk running 50 minutes in length. Speakers are just being announced. For more details:

The tracks are:

· Cloud Security
· Mobile Security
· Secure SDLC
· OWASP Projects
· New Attacks & Defenses
· Thought Leadership
· Software & Architecture Patterns for Security
· Software Assurance

AppSec USA’s early bird discount ends 7/29/11, so register now:

Follow us on Twitter @appsecusa, our LinkedIn group, or on Facebook, and check the site often for updates. We’ll be announcing an Open Source Project demo area, a University CTF Challenge, a Thursday evening networking event and more! We also have several events already listed: Women in AppSec | 5K/10K | CR0WD50URC3D

Kate Hartmann

Operations Director


Skype: Kate.hartmann1


Sunday, July 17, 2011

ESAPI for C++

(from Kevin Wall)

There's a new mailing list on the OWASP ESAPI block at: 

Yes, that's right. ESAPI for C++. Well, spare me the oxymoron jokes (my resemblance to an ox and a moron is strictly coincidence)...and besides, that was my first reaction as well.

ESAPI for C++ will be a *greatly* stripped down version of ESAPI for JavaEE. The intent will be more similar to ESAPI for C (yes, Virginia, there's one of those too; see

So sign up for the OWASP ESAPI for C++ mailing list. Even though it's mostly intended for developers, we welcome hecklers and other naysayers as well. (Keeps us from getting too many "yes men" that way.)

Or better yet, sign up, and then get involved. Yes sir (or ma'am). ESAPI for C++ is your chance to become rich and famous. OK, just famous. Hmm, maybe not. But it is a chance for all of you who, like me, just sat out there for years using FOSS without ever contributing anything back. (No, those 3 patches that you submitted 7 years ago and that $10 donation to GNU's Free Software Foundation are not enough to make up for all the free software that you've used over the years. C'mon, you tip your barber more than that!)

Uncle OWASP wants you!
-kevin wall

Monday, July 11, 2011

OWASP New Zealand Day 2011 Wrap-up

(from Nick Freeman & Scott Bell)

Dear OWASP Leaders,

This email is a brief wrap-up of how the OWASP New Zealand Day 2011 conference went on Thursday July 7.

The conference was a great success, with a 33% increase in attendance from previous years. We had just over 200 people attend our single track, 10 talk conference and two training sessions.

This shows a growing interest in web application security in New Zealand, and we will be pushing the attendees to attend chapter meetings and spread the word about OWASP with their friends, colleagues and other industry groups. We have had a great response from a number of development groups who are interested in having OWASP content presented at their meetings, which we see as an excellent opportunity to expand the OWASP community and web application security awareness in New Zealand.

Feedback from conference attendees has been glowing, with very positive comments and some constructive suggestions. We are still dissecting it all, and will be combining the feedback with our own learnt lessons to ensure future chapter meetings and OWASP NZ Day conferences get better and better.

We'd like to give a very big thanks to Kate Hartmann, Sarah Baso, Mark Bristow, Alison Shrader and everyone else who has helped us organise the conference and make it the success that it was. Special thanks also go out to Roberto Suggi Liverani, previous OWASP NZ Chapter Leader, who organised the previous two OWASP day conferences and has helped OWASP New Zealand grow to its current size.

Final thanks go to our sponsors: The University of Auckland Business School, Lateral Security, F5 and Aura Information Security. Their generous donations allowed us to keep OWASP New Zealand Day a free conference in an excellent venue with quality catering.

Most content from the conference is already posted on the OWASP New Zealand Day 2011 conference wiki page ( - we will be uploading the remaining content in the next day or two. In the meantime, a celebratory whisky or two is in order :)

Kind Regards

Nick Freeman & Scott Bell
OWASP New Zealand Chapter Leaders

Sunday, July 10, 2011

OWASP Global AppSec Asia 2011

Dear OWASP Chapter leaders,


I am Rip, Chairman of OWASP China. OWASP China invites you to join the OWASP Global AppSec Asia 2011 conference.

AppSec Asia 2011 offers an expo, conferences and trainings. Over 500 people attended the conference last year, representing organizations including: Huawei, Baidu, China Telecom, China Mobile, China Merchants Bank, Shenzhen Stock Exchange, Ping An Insurance Group, Chinese Ministry of Industry and Information Technology, Chinese Ministry of Commerce, Forrester Research, Inc., Chinese Academy of Sciences.

AppSec Asia 2011 is not just a conference for mainland China; it is also for Hong Kong, Taiwan, Singapore, India, Malaysia, Indonesia, Japan and all Asian countries. We plan to add a product exposition this year. Please introduce this opportunity to companies in your country. As a matter of fact, in order to encourage you to participate, the conference committee has decided to reimburse your travel expenses if your chapter brings in two qualified sponsors. Please see attached for sponsorship details. English interpretation will be provided for the entire conference.

For more information, please see OWASP Website.

If you have any questions, please feel free to contact:

Thank you and Best Regards!


Thursday, July 7, 2011

US and Canadian Chapter Leader Workshop


Dear Fellow Chapter Leaders,

The Global Chapter Committee invites you to the US and Canadian Chapter Leader Workshop at AppSec USA 2011 in Minneapolis. The workshop will be on September 21, from noon to 3:00PM. Its format will be based on the successful chapter workshop at AppSec EU in Dublin earlier this year.

While we are still working on the agenda, it will closely resemble the agenda at AppSec EU. It will include a review of the chapter handbook, managing chapter finances, Top 10 advice, and how to cross-pollinate and cooperate among chapters. The EU event's agenda can be seen below.

We strongly encourage you to participate in this opportunity. Chapter leaders are encouraged to use chapter funds for the travel. Chapter leaders will get a free admission to the conference. The committee has limited funds available for chapter leaders with limited chapter funds.

We would like to ask the following.

* Save the date, September 21, 2011, from noon to 3:00PM, for the workshop.
* Register for AppSec USA event. Ask Lorna Alamri for registration code.
* Start making travel arrangements -- hotel rooms are running out -- if your chapter has funds available.
* If needed, ask for funding by emailing me and Sarah Baso, administrator for the chapter committee.
* Start thinking what topics to discuss.
* Stay tuned to further emails and upcoming Wiki page.

A word about funding. While we wish we could fund every chapter leader, due to the limited budget allocated for this event, we may not be able to fund 100% of all the requests. We will have a deadline for applying for funding, and after that deadline we will make funding decisions in a fair and transparent manner. When you apply for funding, please highlight your past contributions to OWASP and your future plans for the local chapter and OWASP.

We will try to have an option to participate, via Skype, for those who cannot make it.

If you have any questions, please email us.

Best regards,

Tuesday, July 5, 2011

OWASP Gothenburg

(posted by Ulf Larson)

Dear Leaders!

It is my pleasure to announce the birth of OWASP Gothenburg!

OWASP Gothenburg is the second chapter to start in Sweden, some four years after the start of OWASP Sweden. Gothenburg is situated on the west coast of Sweden. Gothenburg has a large port and is also a well known player in the automotive area (Volvo, for example). Furthermore, Gothenburg is home to Chalmers University, a (hopefully) well known education facility with several strong research groups. We also have Liseberg (a large and pretty much awesome amusement park in the center of the city) which is well worth a visit if you happen to pass through.

We (board members, leaders, in total six persons) met for the first time in the beginning of May this year, discussing not if, but how, we would go about creating a chapter. We have since had lots of help from John Wilander, Kate Hartmann, and, to our great pleasure, Jason Alexander, who heard our Twitter call for assistance!

The board and leaders have mixed backgrounds from academia and industry, but with the common denominator of application security. The leaders are Jonas Magazinius, Mattias Jidhage, and Ulf Larson. Jonas is a Ph.D. student at Chalmers University, researching application security, most recently in the context of web mash-ups. Mattias has a master's degree from Chalmers University. He currently works at Omegapoint AB as a security specialist/project manager focusing on application security. Ulf has a Ph.D. from Chalmers University. He currently works as a security specialist/systems developer at Adecco IT Konsult.

That's it. It is a pleasure for us to enter the OWASP community, and I hope we meet once or twice in the future!

Best regards

OWASP Gothenburg chapter through Ulf Larson