Thursday, April 28, 2011
Just a couple of quick updates and some announcements.
1. We are currently awaiting the verification to complete for our code signing cert - as soon as I receive the cert I will be pushing 2.0GA out the door!
2. There was an excellent paper done on the ESAPI4JS project and I have blogged about it (and linked to the paper hosted at OWASP) - blog is at http://yet-another-dev.blogspot.com
3. I have made a run at some initial contrib modules for esapi and will be creating a contrib branch to host the source and binaries (as well as making the binaries available via maven) sometime this week. Contrive include authn/authz integration with Spring-security, contextual encoding integration with freemarker, and hopefully validation integration using jsr303, spring and hibernate-validator. These have been hands-down the most asked about integrations that I have been asked about and I wrote then for use in an app that I am currently writing.
Monday, April 25, 2011
The competition starts on 21st April and will run for 4 weeks until 15th May.
Once the competition is over, the winner will get a FREE ticket to the conference.
You could find more info here: http://www.appseceu.org/?p=542
Training Courses include: Threat Modeling, Assessing and Exploiting Web Apps with Samurai-WTF, Tactical Defense with ModSecurity, Secure Application Development, and Designing, Building and Testing Secure Applications on Mobile Devices
The plenary sessions include three different tracks that will focus on defense, prevention, and attacks.
There will be ample time for networking, including KartCon EU 2011!
Complete information on the training, agenda, Trinity College, KartCon, and links for registration can be found here: http://www.appseceu.org/
Sunday, April 10, 2011
(From Dave Wichers)
I took a first stab at the Common Authentication requirements based on Keith's SCP Guide and the ASVS. Keith and I spent a couple hours going through these changes and have together produced the following:
The numbering scheme I have proposed is here, if you haven't looked at it yet: https://www.owasp.org/index.php/OWASP_Common_Numbering_Project#tab=OWASP_Common_Requirements_Numbering_Scheme
The requirements are here:
An updated version of Keith's Secure Coding Best Practices is attached where just the Authentication section has been updated to match these requirements. Keith has decided to have his guide use exactly the same requirements numbers as the common numbering project. But for ASVS, and the Dev/Test/Code review guides I would imagine we would just cross reference to the Common Numbers rather than adopt them.
· Please ignore the rest of my comments on his document. Focus only on the Authentication section.
Also attached is my working notes for these common requirements and a mapping of them to the old Secure Coding Best Practices Guide and the current ASVS.
I plan to update the Authentication section of ASVS to match these new common requirements, but haven't done that yet, as I didn’t want to hold up your review.
I wanted to get your feedback before we follow this model/approach for all the other sections, which is a lot of work. So if you have any major comments on the approach, now is the time to raise them and reach some consensus so we can avoid major rework later.
Here are my major questions:
1. Any comments on the numbering scheme proposed?
a. I have developed suggested areas for requirements based on the various OWASP docs but they can easily change. If you have any suggested changes, let me know.
2. Any comments on our overall approach for developing a full requirements area and mapping that to the Secure Coding Best Practices?
3. Any specific comments on the requirements we have identified so far?
After getting Authentication worked out, I plan to work with Keith to crank out either all the rest all at once or maybe in 2-3 rounds to get all the rest done.
Any and all feedback welcome.
Wednesday, April 6, 2011
The OWASP Foundation is a 99.9% volunteer driven organization! Let’s take this time to recognize those volunteers who have dedicated their time and talent to making the universe safer for the rest of us.
How about a contest to nominate volunteers? What about a blog page? Twitter? How can we raise awareness of the great things we are doing globally?
Mailing list of 25,000, 135 active projects, 70 active chapters globally, volunteer organized conferences on every continent, committees, influencing education and government
This is big…let wave our flag!