Friday, March 30, 2012

Outside the "O" of OWASP

Hello OWASP Community,

This is Jim Manico, the chair of the OWASP Connections Committee. I would like to highlight a series of OWASP members and volunteers who are taking the OWASP message outside of the inner circle, outside the "O" so to speak.

In their own words:

Andy Willingham
What I did and tried to get others to do was set up internal training for the network and server teams and also try to spend time with them, helping them see a bit of my world. I think that we security guys tend to get so caught up in our own little world that we forget that others don't have our passion and mindset. We spend time "preaching to the choir" when what we need is a good swift kick in the butt by the choir at times.
I also love the concept of OWASP stepping outside the norm to reach more people. If we are too narrowly focused on our audience or topic, we miss lots of great opportunities to help others. One thing that I do with my chapter meetings is to bring in speakers who talk about other security disciplines from time to time. That way we are not losing out on great info that can help us as we secure code and apps.

Sven Vetsch
I also trained quite a lot of web developers and gave talks to developers on AppSec, mostly in Switzerland. There, about 80%-90% of all the devs already knew what XSS and SQLi are, even though they only know the very basics of those topics.
I don't know why my experience is so different from what you described, and I totally agree with you that OWASP still has a lot of work to do. Still, the difference between 10%-20% and 80%-90% is huge and it really makes me wonder what the reason for this could be.

Antonio 'Chouchou' Fontes OWASP Geneva
Philippe 'Neldor' Gamache OWASP Montreal

Since 2010 we have been giving talks on AppSec and they have been well attended by the developers!

Paolo Perego
I just submitted two talk proposals for Italy Ruby Day, about how to use Ruby in a penetration test and how to use test-driven development to check for the OWASP Top 10 while writing a Ruby app.

Glen Letift
I have also been reaching out to the development community; I have really made a point of speaking at mostly development or QA events and fewer security events. As I look at the developers in the communities I have interacted with in the past year, I have noted a couple of points:

1) Developers who tend to visit code camps and regional conferences tend to be the ones who are experimenting with new technologies and are often interested in how they can improve, and security is often actually in that mix. (They know that they don't know and just want to learn.)
2) A high number of the developers in organizations are really 9-5 developers with no desire to educate themselves outside of those hours. Even the development world is having a hard time reaching these folks.
3) Our content needs to be fresh to engage: not just talk about XSS, but talk about how XSS or SQL injection pertains to the new technologies that are being talked about that day. It needs to be developer relevant, which is something we in the security space often struggle with.

With these things being said, the reception has been fantastic for the security talks I have given; over the last few years the crowds have risen from 6-8 interested people to over 100 interested folks. The good news is that if we engage the development community well, they will come, albeit they will practice what we speak about when it does not affect deadlines, etc., but they are listening.

I would encourage each of our OWASP chapters to reach out to their local code camps or regional development conferences and become engaged. Maybe offer an event that piggybacks, or at least submit a few presentations. I think there is a lot we can do here to help continue the evangelism.

Michael Coates
I gave a talk at a health care technology startup and there was a large percentage of developers that were very new to many of the basic security defenses that we prescribe.
Never underestimate the power of covering the foundation of application security to an eager new group of developers.

Martin Knoblock
As a follow-up to 'outside the O', I want to let you know the ROOTs Conference in Bergen, Norway, is dedicating a track to (application) security: http://www.rootsconf.no/
Continuously, I am looking for developer conferences and events to speak about application security.
In my experience, developers are more than willing; they (mostly) just did not know, as they are not taught about security.
Anyway, security is getting more important and the need to know about security becomes more and more visible. The last point is most definite, as you see developer events do look for security experts!
I have replied to the CFP for the security track at the ROOTs conference 2012; I hope others might be interested and follow! For me, it will be the third time to be in Bergen. A small conference with high value!

Josh Sokol 
Seems like a good time to announce the theme of this year's AppSec USA Conference: "Bridging the Gap Between Software Developers and Security". Look for an announcement very soon on our keynotes and invited speakers. The CFP should be up by the end of February.

Sebastian Goria
I teach course 940 (Securing App and Server) at LearningTree Inc. to help promote the OWASP mission.

Aloha,
Jim Manico

Global AppSec Research 2012, Athens Greece


Colleagues,

In 2012, OWASP is holding its Global AppSec Research (EU) Conference in Athens, Greece! The OWASP AppSec Research conference is a premier gathering for Information Security leaders and researchers. It brings together the application security community to share cutting-edge ideas, initiatives and technology advancements.


The OWASP AppSec Research 2012 Call for Papers (CFP) is open. Visit the following URL to submit your proposal for the July 12-13, 2012 talks in Athens, Greece:


The final closing date for submissions is Sunday, April 15, 2012. We look forward to receiving submissions for technical presentations, demos or research papers on the following topics:

* Security aspects of new/emerging web technologies/paradigms (mashups, web 2.0, offline support, etc)
* Security in web services, XML, REST, and service oriented architectures
* Security in cloud-based services
* Security of development frameworks (Struts, Spring, ASP.Net MVC etc)
* New security features in platforms or languages
* Next-generation browser security
* Security for the mobile web
* Secure application development (methods, processes etc) and secure coding practices
* Business risks of Application Security
* Starting and Managing Secure Development Lifecycle Programs.
* Privacy Concerns regarding applications and Data Storage
* Threat modeling of applications
* Vulnerability analysis and application security testing (code review, pentest, static analysis etc)
* Countermeasures for application vulnerabilities
* Metrics for application security
* Application security awareness and education
* Securing e-government applications and services
* Government Initiatives & Case Studies
* OWASP Tools and Projects


OWASP AppSec Research 2012 is also currently soliciting training providers for the conference. Visit the following URL to submit your training proposal for the July 10-11, 2012 training days in Athens, Greece:


The following conditions apply for people or organizations that want to provide training at the conference:

* Training providers should supply a class syllabus / training materials.
* Proceeds will be split 60/40 (OWASP/Trainer) for the training class. OWASP will provide the venue, marketing with conference materials, registration and basic AV.
* Trainers will cover travel and accommodation for the instructor(s) and all course materials for students.
* OWASP will reserve up to 2 training slots at no cost, and the trainer may reserve up to one slot at no cost.
* Price per attendee: 2-Day Class €990 / 1-Day Class €495.
* Trainers can brand training materials to increase their exposure.
* Classes are to be focused around Application Security but are in no way limited to web application security.
* We will look favourably on lab-based/hands-on training.


We will make the first round of selections based on the training proposals we have received by March 30, 2012. We have extended the final closing date for submissions to Sunday, April 15, 2012.

Submit proposals to training@appsecresearch.org using the CFT template. All trainers will be required to submit a Training Instructor in order to have their classes scheduled.

Additional information can be found at http://www.appsecresearch.org.

Please forward to all interested practitioners and colleagues.

OWASP WebGoat 1.2

Greetings folks,

FYI, we released iGoat version 1.2 today. The primary change over 1.1 is the addition of a new keychain exercise, contributed by a newcomer to the team, Mansi Sheth.

https://www.owasp.org/index.php/OWASP_iGoat_Project

Thanks Mansi and Sean for pulling this together.

It's great to see some external participation on the project, of course. We'd love to see more -- any time!

Cheers,
Ken van Wyk
iGoat Project Leader

Sunday, March 25, 2012

OWASP AppSec Asia Pacific 2012


PRESS RELEASE: OWASP AppSec Asia Pacific 2012


Asia's Premier Information Security Conference Returns with OWASP AppSec Asia Pacific 2012

Popular Event to Attract Leading Experts for Four Days of Discussion and Training, April 11 - 14

Sydney, March 25, 2012—AppSec Asia Pacific, Asia's premier information security conference, returns to Sydney with AppSec Asia Pacific 2012 (http://www.appsecAPAC.org) after its very successful conference last year in Beijing. AppSec Asia Pacific is the Open Web & Application Security Project's (OWASP's) annual gathering of leading experts in the field of application security. The event will be held at the Four Points Sheraton, Darling Harbour, Sydney, Australia, April 11-14.

AppSec Asia Pacific features two days of training April 11-12, followed by two days of talks, April 13-14. The event will provide a forum for hundreds of IT professionals and managers interested in securing web technologies to learn, interact, network, and attend presentations and training given by some of the world's top practitioners of application security.

"With the ever growing number and complexity of attacks that have taken place over the past year, we feel that the business and communities across the Asia Pacific region could greatly benefit from what we offer now more than ever," said Justin Derry, AppSec APAC organizer. "We encourage and welcome security professionals, technology executives, students, and everyone who realises the importance that application security plays in all of our lives to attend."

Highlights of AppSec Asia Pacific 2012 will include:
• Keynotes by Dr. Jason Smith, Assistant Director at CERT Australia; Alastair MacGibbon, Managing Partner of Surete Group; Jeremiah Grossman, CTO of WhiteHat Security; and Jacob West, Director at Fortify at Hewlett-Packard
• Industry Panel topics from the Finance and Insurance Sectors
• Presentation by Matt Tesauro, member of the global OWASP board and project leader of the OWASP WTE project, with tools and documentation for testing web applications
• Presentation by Tobias Gondrom, from OWASP London and working group chair of the Web Security WG at the IETF, responsible for international standards to improve internet and web security
• Training classes to include Assessing & Exploiting Web Applications with Samurai-WTF, Mobile Penetration Testing, Advanced Training for Developers and a training for CISOs and senior information security managers
• Networking opportunities to meet peers, industry experts and other developers
• Access to resources within OWASP projects as well as leading vendors
• Full schedule at http://www.appsecAPAC.org

Derry added, "In accordance with the broadening of OWASP's mission after the 2011 OWASP Global Summit, AppSec APAC is extending its content beyond the realm of web applications to include all aspects of web and application security. We invite all practitioners of application security and those who work with or interact with all facets of application security to submit papers and participate in the conference."

OWASP AppSec APAC attracts a worldwide audience. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. Past conferences have drawn more than 800 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.

Sponsored by Fortify, Appsecure, Imperva, Ionize, Content Security Pty Ltd. and Trustwave, AppSec APAC is hosted by the Open Web & Application Security Project (OWASP), a 501c3 Not-For-Profit. OWASP is an open-source application security project made up of corporations, educational organizations, and individuals from around the world. Providing free, vendor-neutral, practical, cost-effective application security guidelines, the organization has become the de facto standards body for application security over the past decade. 

To attend OWASP AppSec APAC 2012, visit: http://www.appsecAPAC.org or register at https://www.regonline.com/appsecapac2012. To become a member of OWASP or a sponsor of AppSec APAC 2012, kindly drop us a note at: appsecasia2012@owasp.org.   

About OWASP:
The Open Web & Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work from Individuals, Organization Supporters & Accredited University Supporters. For more information, please visit: http://www.owasp.org/


MEDIA CONTACT:


Sarah Baso
OWASP Operational Support
Conference Logistics & Community Relations
appsecasia2012@owasp.org
tel: 001-312-869-2779 

Saturday, March 24, 2012

Long Live OWASP France!


Hello everyone,

In a spirit of total transparency towards the Community and the few members who support the Chapter through their memberships, the Board of the OWASP France Chapter would like to share with you the content of its latest meeting on the 2012-2013 Roadmap; the summary minutes follow.

We certainly have some ambitions, quite legitimate given the vocation of the OWASP Foundation, but it is important to keep in mind that your help is needed for us to meet your specific expectations and needs.

The Chapter's role is clear: to promote Web Application Security, which in itself is a vast programme.

In accordance with the Foundation's statutes, we do no business with OWASP. As a reminder, 40% of a member's membership fee is returned to the Chapter or OWASP Project of your choice at the time of subscription, the remaining 60% being dedicated to the Foundation, which itself reinvests this amount in community projects. These sums are used to pay speakers' travel and to organise events, to rent the necessary rooms and equipment, etc.

That is why your support is important; it is a win-win situation: the more official members we have (i.e. members who officially pay dues, see the attached flyer), the better we will be able to meet your expectations, including specific ones.

I am addressing here in particular the large accounts: you have everything to gain, believe me; your services and your business are on the Web. Have you at least tried to audit your site against the 10 security risks discussed in the Top Ten? Do it, don't wait!

I am of course not forgetting individual members, who are just as important to us.

I also take this opportunity to announce that many OWASP projects are followed by large international groups, government entities (in France and worldwide) and reference bodies (ENISA - European Network and Information Security Agency, etc.) that contribute to them. OWASP's reference material, as well as the expertise of these official members, is known and recognised: use them!

Well, enough talk, on to the minutes. Note that one of our individual members has volunteered to support us on this important roadmap; he is very sincerely thanked here on behalf of OWASP France!

SUMMARY
Current status

o   The OWASP France Chapter is at a standstill: a lot of interest from the community, but few official members and even fewer contributors.

2012 Objectives

o   Get the OWASP France Chapter off the ground

o   Control of the OWASP France Chapter budget
    o   Have exact monthly visibility of the OWASP France Chapter budget
    o   Budget control will enable
        o   financial management of the Chapter
        o   reimbursement of OWASP speakers / foreign speakers
        o   paying for travel and talks by Board members

o   Set up as soon as possible a roadmap of 1 Chapter Meeting every 2 months in Paris
    o   Calls for contributions via the mailing list
    o   Talks by foreign OWASP speakers
        o   No problem, but we nevertheless need minimum funds (finance)*

2013 Objectives

o   Organise an OWASP France Days event
    o   For example: 2 days of Conference
        o   1 day dedicated to WebApp Sec Workshops
        o   1 day of Conference

Membership & Connections Committee Call

o   Held Wednesday 15 Feb to discuss and identify areas for improving the OWASP strategy, to increase the visibility of the Foundation and the support to Local Chapters regarding memberships

o   Membership Flyer redone by Ludovic (see the attached draft, which you may nevertheless use)
    o   Being validated with the US Board

Memberships to the OWASP France Chapter

o   Ludovic is currently working with Jim Manico (Global Connections Committee) & the US Board on a process describing how to approach large accounts in order to boost Corporate memberships, and therefore the budget of Local Chapters
    o   $5000 membership
        o   2-hour presentation by the Chapter Lead on OWASP and WebApp Sec, on the premises of the company concerned
    o   $5000 membership + Extra Fee (cost and scope to be established jointly according to the specific needs of the company concerned)
        o   2-hour presentation by the Chapter Lead on OWASP and WebApp Sec, on the premises of the company concerned
        o   x WebApp Sec awareness sessions by the Chapter Lead and by OWASP speakers on specific topics identified by the company concerned, on the premises of the company concerned

Visibility of the OWASP France Chapter

o   Visibility depends on having News

o   Points #1, #2 and #3 (Website) will also condition/contribute to this news

OWASP France Website

o   Creation of an OWASP France website with Content, Updates, News
    o   Relayed on the OWASP France reference page on the Owasp.org Wiki

Availability of equipped rooms for Chapter Meetings

o   Call for contributions via the mailing list

o   Soliciting our large-account and institutional contacts

Organisation of Events

o   Frequency: according to the 2012 Objectives

o   Availability of an equipped room

o   Content / Topics / Speakers
    o   Call for contributions via the mailing list
    o   Talks by OWASP speakers (but costs charged to the France Chapter, hence memberships to be promoted, in particular Corporate)

Any help from you is welcome; do not hesitate to comment and share your suggestions.

Sébastien and I are at your disposal; do not hesitate to call on us!

Fair winds to all
--

Ludovic Petit
Chapter Leader OWASP France
OWASP Global Connections Committee

Mobile: +33 (0) 611 726 164
E-mail: ludovic.petit@owasp.org
LinkedIn: http://www.linkedin.com/in/lpetit

-------

Homepage: https://www.owasp.org/index.php/France
Mailing list: https://lists.owasp.org/mailman/listinfo/owasp-france

Thursday, March 15, 2012

AppSecDC 2012

WASHINGTON, D.C. March 16, 2012—AppSec DC 2012 (http://www.AppSecDC.org), the East Coast's premier information security conference, has added a full roster of training seminars to its four-day schedule of discussions and events. The seminars will be a mixture of one- and two-day sessions organized by OWASP in order to serve both its membership and the broader technology community. As a special offering, OWASP has aligned with (ISC)², the world’s largest information security professional body and administrators of the CSSLP®, on a free seminar for all AppSec DC attendees.

"OWASP seeks to be proactive, rather than reactive," said Mark Bristow, AppSec DC Organizer. "With these training sessions, we hope to empower everyone in the enterprise and in the public sector with the most current best practices in web and information security."  

AppSec DC's training seminars will be held on April 2-3, before the plenary sessions. Information on OWASP's free seminar with (ISC)² for all AppSec DC attendees is as follows:

Certified Secure Software Lifecycle Professional (CSSLP) Clinic (*)
 - Tuesday, April 3, 1-5 PM

WHY YOU SHOULD REGISTER: Educate yourself in Secure Software Design and Development, two of the seven domains found in the CSSLP certification, held by over 1,000 secure software professionals worldwide and recently labeled the “Holy Grail” of secure software development certifications by analyst David Foote. This session will provide an in-depth education in these two tough domains of the CSSLP and will cover the skills and knowledge needed to design and develop secure code. In the Secure Software Design domain, attendees will learn the fundamentals of design principles that, when applied, will save costly rework. The Secure Software Development domain will discuss the OWASP Top 10 threats and how to mitigate them effectively.

The CSSLP contains seven domains focusing on the fundamental topics needed to develop secure software. CSSLPs are professionals who have validated their competency in incorporating security into each phase of the software lifecycle.

(*) Please note that all attendees of the free seminar must pre-register at the AppSec site: http://appsecdc.org/training/

Other training sessions include:

•   Building Secure Android Apps
•   The Art of Exploiting Injection Flaws
•   Assessing and Exploiting Web Applications with Samurai-WTF
•   Secure Web Application Development Training
•   Source Code Analysis – Discovering Vulnerabilities in Web 2.0, HTML5, RIA
•   Practical Threat Modeling
•   Mobile Hacking and Securing
•   WebAppSec: Developing Secure Web Applications
•   Virtual Patching Workshop
•   Complete list of seminars and additional information at http://appsecdc.org/training/

OWASP strives to provide world-class training for a variety of skill levels and interests at its conferences. From the novice to the expert, developers to managers, there is a training course for you. Classes will begin at 9 AM each day and run until 5 PM. Please check each course for required materials and whether a course is one or two days.

OWASP AppSec DC attracts a worldwide audience. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent.

Along with training seminars, AppSec DC 2012 has also lined up a robust list of speakers, including representatives from Homeland Security, LivingSocial.com and thought-leaders such as Dan Geer, Creator of the Index of Cyber Security (2011) and the Cyber Security Decision Market (2011), among other accomplishments. Past conferences have drawn more than 700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.  A full schedule can be found at http://appsecdc.org/2012schedule/

Sponsored by Aspect Security, Securicon, MANDIANT, Trustwave SpiderLabs, Secure Ideas, and nVisium Security, AppSec DC is hosted by the Washington, D.C. chapter of the Open Web & Application Security Project (OWASP), a 501c3 Not-For-Profit. OWASP is an open-source application security project made up of corporations, educational organizations, and individuals from around the world. Providing free, vendor-neutral, practical, cost-effective application security guidelines, the organization has become the de facto standards body for application security over the past decade.

To attend OWASP AppSec DC 2012, visit: www.AppSecDC.org or register at http://reg.appsecdc.org. To become a member of OWASP or a sponsor of AppSec DC 2012, kindly drop us a note at: sponsors@appsecdc.org.  

About OWASP:
The Open Web & Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work from Individuals, Organization Supporters & Accredited University Supporters. For more information, please visit: http://www.owasp.org/

MEDIA CONTACT:

Bill Lessard
PRwithBrains
914.476.6089 - office
914.330.3501 - cell

Wednesday, March 14, 2012

OWASP Hacking-Lab

Dear OWASP leaders,

As you might know, Hacking-Lab is providing free OWASP TOP 10 hands-on challenges to the OWASP community. This is an inner service of the GEC (Global Education Committee) as part of the Academy Portal project.

Vulnerabilities in the frameworks and libraries an application uses, like the Apache Struts vulnerability, do not have a prominent place in the OWASP TOP 10 list, but they are very important because of their remote code execution characteristic. Hacking-Lab has written a vulnerable Apache Struts service and a tutorial video. Check it out.

I think it is important to discuss library and dependency risks.

Please watch the tutorial here:
* http://media.hacking-lab.com/movies/struts2/

Please read more about the Apache vulnerability here
* http://struts.apache.org/2.x/docs/s2-009.html

Please try it out, mess around in Hacking-Lab (if you like, it's free!)
* https://www.hacking-lab.com/events/registerform.html?eventid=199

Looking forward to hearing from you
Ivan Buetler, Switzerland

OWASP Security-101 List


(from michael.coates@owasp.org )
Leaders,

A few weeks back I started a thread about a security 101 list. The idea is that this is a place we can direct people new to OWASP with any intro security questions. Here we can respond with answers to their questions or provide links to OWASP projects, presentations, tools, etc. We may even find out that for the most common questions we don't have material available to address them (i.e. future wiki doc or project ideas).

If you like this idea you can help out in the following ways:
1. Subscribe to the mailing list in order to help answer the questions
2. Add the mailing list at the end of your slide decks or presentations as a place where the audience can go with any sort of security or OWASP question

security101@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/security101


http://michael-coates.blogspot.com/2012/03/security-101-owasp-community.html


Thanks!

-------
Michael Coates | OWASP
michael.coates@owasp.org | @_mwc

Friday, March 9, 2012

OWASP Mission and Principles

Recent events in the media have mentioned the OWASP organization, and I'd like to use this opportunity to provide background on OWASP and also highlight our mission and guiding principles.

First and foremost, OWASP is a worldwide non-profit organization with the mission of increasing application security by providing free and open tools, knowledge, and a thriving global community. With the exception of our talented four-person operations team, we are driven entirely by volunteers from project contributors, chapter leaders, and even the board.

Since OWASP is an open source, grass roots movement, any individual is able to contribute resources or participate in the community. Like other open source projects, individuals from all over the world donate code, documentation or expertise. Similarly, this organization does not perform background checks or subject participants to invasive reviews as a condition of participating in the community. This is standard practice for open organizations.

OWASP is driven by, and aligns all of its activities around, its mission, core values, code of ethics, and core principles.

The OWASP community consists of over ten thousand individuals on our mailing lists, 1500 members organized into 200+ volunteer led chapters around the world, volunteer chapter leaders, multiple global committees and an elected board. OWASP fosters a thriving community of open source projects and coordinates annual security conferences on nearly every major continent and a variety of regional outreach and university events.

OWASP is a force for good and believes strongly in our mission and values. We do not support projects or activities that are counter to these views, goals or ethics.



Michael Coates
Chair of OWASP Board
michael.coates@owasp.org

Thursday, March 8, 2012

OWASP India Call For Papers (August 24-25 2012)


Greetings!

OWASP India is pleased to announce the CFP (Call for Papers) for its 3rd upcoming conference to be held on 24th - 25th August 2012 at Hotel Crowne Plaza Today, Gurgaon, New Delhi (NCR), India.

The OWASP conference in India is the largest and premier platform in the region, bringing together information security leaders, policy makers, regulators, investigators, defense, government departments and decision makers from over 200 organizations from across the world.

Our last event in India was attended by over 500 participants and we anticipate much larger participation this year.

Quick Links:

Quick Contacts:
 1. CFPs: cfp@owasp.in
 2. Sponsors: sponsors@owasp.in
 3. General: info@owasp.in

With Regards,
Organizing Committee
OWASP InfoSec India Conference 2012

======
OWASP India Archives:
 1. OWASP India's 2nd Conference, New Delhi:
 2. OWASP India's 1st Conference, New Delhi:

Friday, March 2, 2012

PRESS RELEASE: OWASP AppSec DC 2012


FOR IMMEDIATE RELEASE:

East Coast's Premier Information Security Conference Returns with OWASP AppSec DC 2012

Popular Event to Attract Leading Experts for Four Days of Discussion and Training, April 2 - 5

WASHINGTON, D.C. March 5, 2012—AppSec DC, the East Coast's premier information security conference, returns with AppSec DC 2012 (http://www.AppSecDC.org). Now in its third year, AppSec DC is the Open Web & Application Security Project's (OWASP's) annual gathering of leading experts in the field of application security. The event will be held at the Walter E. Washington Convention Center, April 2-5.

AppSec DC features two days of training April 2-3, followed by two days of talks, April 4-5. The event will provide a forum for hundreds of IT professionals interested in securing web technologies to learn, interact, network, and attend presentations and training given by some of the world's top practitioners of application security.

"With the ever growing number of intrusions that have taken place over the past year, we feel that the business and federal communities could greatly benefit from what we offer now more than ever," said Mark Bristow, AppSec DC Organizer. "We encourage security professionals, technology executives, students, and anyone who realizes the importance that application security plays in all of our lives to attend."

Highlights of AppSec DC 2012 will include:
  • Keynote by Daniel Earl Geer, Jr., Sc.D., Creator of the Index of Cyber Security (2011) and the Cyber Security Decision Market (2011), among his numerous other accomplishments
  • Presentation by Joe Jarzombek, Director for Software Assurance, National Cyber Security Division of the Department of Homeland Security
  • Presentation by Ken Johnson, Senior Security Architect for LivingSocial.com, responsible for securing mobile applications, web services and web applications
  • Panel topics to include Critical Infrastructure, Pentesting Smart Grid Web Apps, How to Get Every IT Architect to Become a Security Ambassador, Adapting and Managing IT Security Solutions for Industrial Control Systems
  • Training classes to include Assessing and Exploiting Web Applications with Samurai-WTF, Building Secure Android Apps, Secure Web Application Development Training
  • Full schedule at https://schedule.appsecdc.org

Bristow added, "In accordance with the broadening of OWASP's mission after the 2011 OWASP Global Summit, AppSec DC is not restricting its content strictly to the realm of web applications. We invite all practitioners of application security and those who work with or interact with all facets of application security to submit papers and participate in the conference."

OWASP AppSec DC attracts a worldwide audience. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. Past conferences have drawn more than 700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.

Sponsored by Aspect Security, Securicon, MANDIANT, Trustwave, Secure Ideas, and nVisium Security, AppSec DC is hosted by the Washington, D.C. chapter of the Open Web & Application Security Project (OWASP), a 501c3 Not-For-Profit. OWASP is an open-source application security project made up of corporations, educational organizations, and individuals from around the world. Providing free, vendor-neutral, practical, cost-effective application security guidelines, the organization has become the de facto standards body for application security over the past decade.

To attend OWASP AppSec DC 2012, visit: www.AppSecDC.org or register at http://reg.appsecdc.org. To become a member of OWASP or a sponsor of AppSec DC 2012, kindly drop us a note at: sponsors@appsecdc.org.   

About OWASP:
The Open Web & Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work from Individuals, Organization Supporters & Accredited University Supporters. For more information, please visit: http://www.owasp.org/


MEDIA CONTACT:

Bill Lessard
PRwithBrains
914.476.6089 - office
914.330.3501 - cell