Thursday, September 29, 2011

OWASP AppSec USA 2011 – The Wrap up

Article by Lorna Alamri

While the planning team is still sending out documentation, requesting invoices and finishing up tasks for the event, it’s time to give a summary of the event from a numbers perspective.

The Conference:

OWASP AppSecs bring together people around application security. What better opportunity to get attendees excited and involved in OWASP projects? Outside of an OWASP Summit it’s the largest gathering of OWASP and application security leaders, so it is a great opportunity to work on solutions and keep the momentum going from the OWASP Summit.

Our goals:
500 attendees. $100,000 in funds raised for the OWASP Foundation. Raise awareness around OWASP and application security among developers.

Registrations: 639. Total registration revenue as of 9/15/11 (536 attendees): $251,476.15
Sponsors: 24, with a total of $130,600 in funds raised.
Expenses: Estimated at $210,000. (We’re still waiting for some invoices from vendors.)

The Talks:

2 days/4 tracks
75 speakers, 48 talks, 3 keynotes and one board discussion.

The Training:
4 two-day training courses
4 one-day training courses
Training Course Students: 146, OWASP profit from training: $63,000

The CTFs:
One University CTF challenge - 3 teams
One CTF - 2 days

Organizers/Volunteers: 48

Statistics on Attendance:

[Chart: attendance by industry]

*Education included both students and employees who attended OWASP AppSecUSA 2011.
*OWASP Employees and non-industry volunteers are not included in numbers.

[Chart: Overall Attendees by Country]

[Chart: US Attendance by State]

The Events:
We took the opportunity to try out a lot of new events at AppSec USA which we hope will be included in future OWASP AppSecs.

  • 5K/10K Run for Charity – funds raised were donated to the Bakken Museum.
  • University Challenge – A CTF aimed at University students to increase OWASP awareness at a University level.
  • Women in AppSec – A grant program to increase participation at OWASP AppSec USA by women.
  • Open Source Showcase – An opportunity to demonstrate OWASP and other open source projects to attendees of OWASP AppSecs.
  • Project work groups: ESAPI, AppSensor, Chapters and Industry along with board and committee meetings.

Lorna Alamri
OWASP AppSec USA


OWASP ModSecurity CRS v2.2.2

(From ryan.barnett@owasp.org)

I am pleased to announce the release of OWASP ModSecurity CRS v2.2.2.

===========
CHANGELOG
===========
--------------------------
Version 2.2.2 - 09/28/2011
--------------------------

Improvements:
- Updated the AppSensor Profiling (to use Lua scripts) for Request Exceptions Detection Points 
- Added new Range header detection checks to prevent Apache DoS
- Added new Security Scanner User-Agent strings
- Added example script to the /util directory to convert Arachni DAST scanner XML data into ModSecurity virtual patching rules.
- Updated the SQLi Character Anomaly Detection Rules
- Added Host header info to the RESOURCE collection key for AppSensor profiling rules

Bug Fixes:
- Fixed action list for XSS rules (replaced pass,nolog,auditlog with block)
- Fixed Request Limit rules by removing & from variables
- Fixed Session Hijacking IP/UA hash captures 
- Updated the SQLi regex for rule ID 981242

 
--------------------------
DOWNLOADING
--------------------------
Manual Downloading:
You can always download the latest CRS version here -

Automated Downloading:
Use the rules-updater.pl script in the CRS /util directory

# Get a list of what the repository contains:


modsecurity-crs {
          2.0.0: modsecurity-crs_2.0.0.zip
          2.0.1: modsecurity-crs_2.0.1.zip
          2.0.2: modsecurity-crs_2.0.2.zip
          2.0.3: modsecurity-crs_2.0.3.zip
          2.0.4: modsecurity-crs_2.0.4.zip
          2.0.5: modsecurity-crs_2.0.5.zip
          2.0.6: modsecurity-crs_2.0.6.zip
          2.0.7: modsecurity-crs_2.0.7.zip
          2.0.8: modsecurity-crs_2.0.8.zip
          2.0.9: modsecurity-crs_2.0.9.zip
          2.0.9: modsecurity-crs_2.0.10.zip
          2.1.0: modsecurity-crs_2.1.0.zip
          2.1.1: modsecurity-crs_2.1.1.zip
          2.1.2: modsecurity-crs_2.1.2.zip
          2.2.0: modsecurity-crs_2.2.0.zip
          2.2.1: modsecurity-crs_2.2.1.zip
          2.2.2: modsecurity-crs_2.2.2.zip
}

# Get the latest stable version of "modsecurity-crs":
$ ./rules-updater.pl -rhttp://www.modsecurity.org/autoupdate/repository/ -prules -Smodsecurity-crs
Fetching: modsecurity-crs/modsecurity-crs_2.2.2.zip ...
$ ls -R rules
modsecurity-crs

rules/modsecurity-crs:
modsecurity-crs_2.2.2.zip    modsecurity-crs_2.2.2.zip.sig

--
Ryan Barnett
OWASP ModSecurity Core Rule Set Project Lead


_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders
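The changelog above lists new Range header checks to prevent an Apache DoS. As an added illustration (not the CRS rule itself, which ships as ModSecurity/Lua rules, and not code from the announcement), the Python below parses an HTTP byte-range set and flags the two anomalies such a check looks for: an unusually large number of ranges in one request, and ranges that overlap or repeat. The MAX_RANGES threshold is an assumption chosen for the example, not a value taken from the CRS.

```python
import re
from typing import List, Optional, Tuple

# Assumed threshold for this example: how many byte-ranges a single Range
# header may carry before we treat the request as anomalous.
MAX_RANGES = 5

# One range-spec is "first-last", "first-" or "-suffix_length" (RFC 2616 14.35).
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_byte_ranges(header: str) -> Optional[List[Tuple[Optional[int], Optional[int]]]]:
    """Parse 'bytes=a-b,c-d,-n,e-' into (first, last) tuples (None = open end).
    Returns None when the header is not a syntactically valid byte-range set."""
    if not header.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None  # "-" alone, or a non-numeric spec
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            return None  # inverted range is unsatisfiable
        ranges.append((first, last))
    return ranges

def range_header_verdict(header: str) -> str:
    """Classify a Range header as 'ok', 'malformed', 'too_many_ranges' or 'overlapping'."""
    ranges = parse_byte_ranges(header)
    if ranges is None:
        return "malformed"
    if len(ranges) > MAX_RANGES:
        return "too_many_ranges"
    # Overlap check on fully specified ranges: a legitimate client has no
    # reason to request the same bytes twice in one response.
    spans = sorted((f, l) for f, l in ranges if f is not None and l is not None)
    for (_, l1), (f2, _) in zip(spans, spans[1:]):
        if f2 <= l1:
            return "overlapping"
    return "ok"
```

A WAF rule would typically log the verdict and block only the anomalous classes, leaving ordinary resumable downloads (one or a few ranges) untouched.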

OWASP Board 2012

I am very pleased to announce the results of the recent OWASP Board Election!

Turnout: 771 (46.2%) of 1670 electors voted in this ballot.
Top (3) have been elected.
  • Michael Coates - 524 (31.0%)
  • Dave Wichers - 460 (27.2%)
  • Sebastien Deleersnyder - 423 (25.0%)
  • Christian Heinrich - 286 (16.9%)
Your International Board of Directors term is effective 1-Jan-2012 for (24) months governed by the OWASP Bylaws: https://www.owasp.org/images/d/d6/2011-06-OWASP-BYLAWS.pdf

The Board also held elections at AppSec USA to decide new board roles and responsibilities.  The results are as follows:

Michael Coates - OWASP Chair
michael.coates(at)owasp.org

Eoin Keary - Vice Chair
eoin(at)owasp.org

Tom Brennan - Secretary
tom.brennan(at)owasp.org

Matt Tesauro - Treasurer
matt.tesauro(at)owasp.org

Sebastien Deleersnyder - Board Member
seba(at)owasp.org

Dave Wichers - Board Member
dave.wichers(at)owasp.org

Please join me in offering our new board congratulations and support.

Aloha,
Jim Manico
OWASP Connections Committee Chair
jim@owasp.org

Wednesday, September 7, 2011

AppSec USA 2011 Conference - Two Weeks Away

Hello OWASP Community,

The OWASP AppSec USA 2011 conference in Minneapolis is only two weeks away. Classes are filling up fast (the OWASP WTE class is full), and the conference talks lineup is impressive. Sign up today for the training on September 20-21 and the main conference talks, CTF, showroom, and Open Source Showcase on September 22-23!

http://www.appsecusa.org/

OWASP is in its tenth year, and application security is on everyone's radar. And this year we have some wonderful new initiatives as part of OWASP AppSec USA 2011. For the first time, we're:

* Funding the conference experience for two women in college through the OWASP Women in AppSec grant. Congratulations to Tara Wilson and Chandni Bhowmik on securing these grants! And thank you to The Wells Fargo Foundation for its generous seed funding.

* Raising funds for science education for inner city youth with the 5K/10K for Charity.

* Hosting a University Challenge offense/defense competition.

* Running an Open Source Showcase during the conference proceedings. Open source community members will demo their awesome work.

Additionally, the OWASP Chapters Committee and the ESAPI and AppSensor teams will be meeting September 21 to build upon their great work in OWASP.

Be a part of AppSec USA 2011, where OWASP propels itself into the next ten years. Lots of cool talks and training. And many opportunities to learn, grow, and give back.

http://www.appsecusa.org/attend.html


We would like to thank the OWASP AppSec USA 2011 donors and sponsors and the many conference contributors for helping us to build an awesome event for the application security and development community.

--

Adam Baso
OWASP AppSec USA 2011 Organizer

OWASP AppSec USA 2011: Your life is in the cloud.
September 20-23 Training, Talks, CTF, Showroom, and More
www.appsecusa.org
@appsecusa

To learn more about OWASP, visit https://www.owasp.org.