Monday, May 28, 2012

Are you our next OWASP Project Manager?

Projects are at the heart of the Open Web Application Security Project (OWASP).

OWASP is currently searching for a new OWASP project manager who will support 140+ project leaders in starting and running their OWASP projects.

The OWASP project manager will report to the OWASP operations director and work closely together with the Global Projects Committee.

  • operational follow-up of all OWASP project related questions
  • assist with setting up new project wiki templates
  • document "how to" guides for project managers using the wiki templates
  • address queries from project leaders and channel these queries to the appropriate person(s)
  • supply metrics on project activities and requirements
  • assist with setting up new projects
  • create and maintain an OWASP Projects Handbook for new and existing OWASP project leaders
  • set up, maintain and facilitate the OWASP projects review process
  • set up and maintain an OWASP projects dashboard with health metrics
  • promote and support the i18n of OWASP projects
  • attend worldwide OWASP conferences to meet project leaders
Required experience:
  • the candidate should be familiar with the OWASP projects (desired)
  • the candidate has at least 5 years' experience in setting up or running open source projects him/herself
  • the candidate should have excellent presentation, verbal and writing communication skills in - at least - English. Active or passive knowledge of other languages would be great.
  • the candidate should be patient and sensitive towards cross-cultural communications.
  • the candidate should have experience with managing global and remote teams
  • the candidate should be able to work with Google applications, Salesforce, Office and MediaWiki (required). Familiarity with MediaWiki templates in particular will be required for execution of duties.
  • the candidate is a driven, self-motivated person with a determination to achieve OWASP focused objectives/goals.
  • the candidate is a team player with high integrity, confidence and maturity.
  • having a project manager certification (e.g. PMP or Prince2) is a plus, not mandatory
This is an international position and will require limited travel to OWASP conferences and summits. The majority of the work can be performed remotely. OWASP will not provide relocation costs. This position is open in the US as employee or contractor. If you live outside the US, we prefer to hire you as contractor.

Feel free to forward this call for candidates. Updates will be announced on

If you are up for the challenge and want to become part of a great community:
send your letter of motivation together with your resume to no later than 15-Jun-2012.

Thank you,

Kind regards

Seba Deleersnyder

Friday, May 25, 2012

OWASP AppSec Research 2012 Update


OWASP AppSec Research 2012 is accepting proposals for
workshops/hackathons/mini-summits on OWASP projects. If you are
looking for an opportunity to revive or move your project forward,
this is it! For four days, a large number of OWASP leaders and
international experts will be in Athens, Greece for the conference, so
this is a unique chance for you to get together and do some actual
work on your project.

OWASP will provide:
- Rooms that can accommodate from 5-50 people, according to your needs
- Internet access
- Whiteboard
- Projector if needed
- Food, coffee and refreshments

Workshop participants will need to register for the conference. As you may know, OWASP
Leaders can register for free (but they still have to register!).
OWASP AppSec Research 2012 takes place in Athens, Greece on July

Proposals will be evaluated on a first-come first-served basis, so if
you want to reserve a room for your project submit your proposal as
early as possible and definitely before June 25th.

Send your proposals to:
In your message you should include the OWASP project name, title of
the workshop (if different), proposed date(s) and time, expected
number of participants and expected outcome.

Looking forward to your proposals,

The OWASP AppSec Research 2012 Team

Thursday, May 24, 2012

OWASP Marketing RFP

With the assistance of the Global Connections Committee, we are currently soliciting proposals to help OWASP develop a scalable marketing strategy for the organization with two primary goals (initially):
  1. Developing a strategy to solicit and maintain corporate supporters with a target of increasing corporate membership income
  2. Developing a strategy for marketing OWASP events with a target of increasing both conference attendance and conference sponsors
Details about the RFP objectives and requirements are available here: 

Submission Information
RFP open: May 24, 2012
RFP close: June 8, 2012

Please email proposals to:

Last but not least, please forward to anyone you think would be interested in making a submission!

Monday, May 21, 2012

OWASP Project Reboot Fundraising 2012

Announcement from Global OWASP Foundation

The OWASP Reboot Project has started and we have raised $15,280. Will you help?

What is the OWASP Project ReBoot initiative?

OWASP needs to refresh, revitalize and update its projects. We need to make the software development community more aware of our efforts and demonstrate the Foundation's library of solutions and guidance designed to help with the secure application development lifecycle.

The proposal for this initiative is here:

Tuesday, May 15, 2012

New OWASP Chapters

Please welcome our latest OWASP chapters!
  • OWASP Khartoum (Sudan) - led by Ali Hussein
  • OWASP Manila (Philippines) - led by Michael Dungog
For more information on the OWASP Chapter program, please see

Monday, May 14, 2012

OWASP Projects Reboot 2012

What is the OWASP Project ReBoot initiative?

OWASP needs to refresh, revitalize and update its projects. We need to make the software development community more aware of our efforts and demonstrate the Foundation's library of solutions and guidance designed to help with the secure application development lifecycle.

The proposal for this initiative is here: Project Re-Boot Proposal

To that end we have a budget to fund various project related activities. We hope putting some financial support behind projects will re-energise our community and hopefully deliver some great high quality material which can be used to support software developers and testers for years to come:

Current Submissions
OWASP Application Security Guide For CISOs
OWASP Development Guide
OWASP Testing Guide  (Agreement reached. Awaiting proposal.)

Activity types:

Type 1: Update, rewrite & complete guides or tools.
This "type" is aimed at both existing and new tools or guides that require development effort (updating, augmenting, rewriting or new development) in order to achieve a high quality, release-ready product.

  1. "Mini" project-based summits: expenses associated with holding global workshops, with the aim of releasing a new version of a project.
  2. Paying contributors for their time and effort.
  3. Paying for user guides etc. to be professionally developed (technical writing etc.).
Type 2: Market, Training, Awareness, increase adoption.
Existing, healthy robust tools and guides can utilise Type 2 activities to help with creating awareness and increasing adoption of that project.

  1. Assisting with expenses associated with marketing a project.
  2. Costs of facilitating OWASP project-focused training and awareness events.
How are we going to fund this?

We are requesting that all OWASP chapters which are in a healthy financial position pledge 25% of their chapter's funds to pay for this initiative.

Donate $1.00 to help save a current or future software application.
The Foundation shall also support this initiative with additional funding.
The goal is to accumulate a budget of $100K, which shall be allocated to projects undergoing this reboot.
Can I apply for this Reboot?

You certainly can, assuming you are an OWASP member.
If you feel your project is ready or has potential you can apply for the reboot programme.

How does funding work?

Type 1: Funding can be applied for as required if travel, mini summits etc. are to be expensed as part of the reboot. For development activities, payment to contributors shall be made at the 50% and 100% milestones.
Milestones are agreed prior to project reboot initiation.
Once the 50% milestone is reached, the work done to date shall be reviewed by a member of the GPC and also another nominated OWASP reviewer (generally an OWASP leader).

Type 2: Funding is supplied as required. Items to be funded are agreed prior to reboot initiation.
Invoices for the required services are sent directly to the foundation for payment.

How do I apply?

Send in a proposal with the following information:
  1. Project name and description. Including reboot project lead and any team members.
  2. Reboot type (Type 1 or Type 2)
  3. Goals of the reboot
  4. Timeline for the 50% milestone and the 100% milestone. Suggested milestone reviewers (Generally OWASP Leaders or other industry experts)
  5. Budget required and how you shall spend it.
Want to support this initiative or learn more? Contact Eoin Keary

Wednesday, May 9, 2012

For Better Password Policies: OWASP Passfault

OWASP Passfault is a free password policy replacement that will make passwords stronger.  It is not your conventional password strength meter.  Even with two-factor authentication, we can do better to improve the most common “what you know” factor.  Even low risk sites benefit.  You can try it here, or read about it here, or look at this presentation, or look at the code.  I’ll summarize the presentation in the next few paragraphs.


Why? Password Policies Stink.

Password policies are ineffective.  They block some strong password patterns and they let some weak password patterns fly on by.  Researchers at Carnegie Mellon did some studies on the effect of password policies on password strength.  They state that “Successfully creating a password is significantly more difficult under stricter password policies”.  They also found password length was the only significant predictor of eventual password strength.  In summary: Password Policies Stink.  They don’t work because they do not measure strength, but instead measure how well you comply with good advice.  You can follow the advice and still make terrible passwords.

Why don’t we just measure password strength?  OWASP Passfault measures password strength using the following steps:

1. Identify Patterns

These are patterns that OWASP Passfault identifies currently:
  • Dictionary Patterns (currently English and Spanish)
    • Words with mixed case
    • Words with substituted special characters
    • Words with inserted special characters
    • Misspelled words
    • l33t speak substitution
    • Backwards words
  • Keyboard Patterns (currently US and Russian)
    • Horizontal sequence of keys
    • Diagonal sequence of keys
    • Repeated keys
  • Repeated Pattern
  • Date Patterns
  • Random set including international characters (currently Latin and Cyrillic)


2. Measure Pattern Size

How many passwords fit in a pattern? That is the measure of the pattern.  That’s it.  Nothing fancy.   This leads to a discussion of password pattern strength and a distinction between pattern security and pattern obscurity. In the security world we know that we always favor security over obscurity.  For example, using this measurement, a backwards spelled word is just as strong as a normal word.  This may bother some, but it is intentional. Put another way: if a hacker knew how you created your password, would that help him hack it?


3. Find Weakest Combination

There will be more than one pattern found in a password, and some will overlap.  Passfault goes through each one and finds the weakest combination.  The number of passwords that fit in the combination of weakest patterns is the measure of strength.  Another way to state the measurement is this: if a hacker knew what patterns are in a password, how many passwords would he have to attempt to crack it?


4. Estimate Time to Crack

Pattern sizes get large and it is hard to see the risk.  OWASP Passfault makes the risk more tangible by presenting the time to crack.  Not only does this show password strength, it also factors in how the password is protected on the back-end.  If the password is hashed with a weak algorithm, then the time to crack is lower.  This makes it personal.   If a password can be cracked in two days, knowing that compels a user to do better.


5. Tie Policy to Strength

The password policy is now easy to configure.  Just slide the bar to the desired strength.  Even for a low-risk site, an administrator can set the bar low, knowing that passwords are strong enough considering the risk.  Unlike conventional password policies, this gives the administrator confidence that a stronger policy produces stronger passwords.
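The five steps above, as a compact added illustration written for this post (example code, not Passfault's own implementation): it finds overlapping patterns, measures each by how many passwords fit it, picks the weakest combination by dynamic programming, converts that to a time to crack for an assumed guess rate, and checks it against a strength target instead of a composition rule. The word list, keyboard rows, pattern sizes and guess rates are constructed assumptions.

```python
from functools import lru_cache

# Constructed sample data (assumptions, not Passfault's real lists): a tiny
# word list standing in for a 100k-word dictionary, US keyboard rows, rates.
WORDS = {"password", "pass", "word", "love", "admin"}
DICT_SIZE = 100_000   # assumed size of the full dictionary
KEY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
CHARSET = 95          # printable ASCII: cost of one "random" character
GUESSES_PER_SEC = {"md5": 1e10, "bcrypt": 1e4}   # assumed attacker rates

def find_patterns(pw):
    """Return (start, end, size, name) for each pattern; overlaps allowed."""
    found = []
    for i in range(len(pw)):
        for j in range(i + 2, len(pw) + 1):
            chunk, low = pw[i:j], pw[i:j].lower()
            # Dictionary word (backwards counts the same: no credit for obscurity)
            if low in WORDS or low[::-1] in WORDS:
                size = DICT_SIZE * (2 ** len(chunk) if chunk != low else 1)  # mixed case
                found.append((i, j, size, "dictionary"))
            if len(low) >= 3 and any(low in r or low in r[::-1] for r in KEY_ROWS):
                found.append((i, j, 2 * sum(map(len, KEY_ROWS)), "keyboard"))  # start x dir
            if len(set(low)) == 1:  # repeated key: only the key is unknown
                found.append((i, j, CHARSET, "repeat"))
    return found

def weakest_combination(pw):
    """Smallest search space over all ways to cover the password with
    patterns; each character covered by no pattern costs CHARSET."""
    pats = find_patterns(pw)
    @lru_cache(None)
    def best(i):  # (size, parts) for the suffix pw[i:]
        if i == len(pw):
            return 1, ()
        size, parts = best(i + 1)
        choice = (size * CHARSET, (("random", pw[i]),) + parts)
        for s, e, sz, name in pats:
            if s == i and best(e)[0] * sz < choice[0]:
                size, parts = best(e)
                choice = (size * sz, ((name, pw[s:e]),) + parts)
        return choice
    return best(0)

def seconds_to_crack(pw, algo):
    """Average case: half the search space at the algorithm's guess rate."""
    return weakest_combination(pw)[0] / 2 / GUESSES_PER_SEC[algo]

def meets_policy(pw, algo, min_seconds):
    """Step 5: the policy is a strength target, not a composition rule."""
    return seconds_to_crack(pw, algo) >= min_seconds
```

With these assumed rates, "Password1" falls in about a tenth of a second against MD5 but takes about a day and a half against bcrypt, which is the back-end effect step 4 describes.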


What’s Next?

Overall OWASP Passfault provides a more intuitive and accurate password policy.  But there is more to do.  Here is a roadmap for OWASP Passfault.  Surely we do not have all the possible password patterns.  If there are some you use, or would like to see, please comment, or join the mailing list and let us know.  If your language is not included, you can help by adding more dictionaries.

Thursday, May 3, 2012

OWASP Membership Update

Here is an update on OWASP membership as of April, 2012.

For the month of April the stats are as follows:
  • 1658 Total Individual Members
  • 181 New Members Joined
  • 9 Renewals
  • 51 Total Corporate Members
  • 2 Renewals (UPS & Symantec)
  • 14 Total Local Chapter Supporters
  • 2 New Local Chapter Supporters (Rapid 7 & Huawei)

Our "new" membership landing page should be posted any day now.

Also, the OWASP Membership Committee has started a bio page for each corporate supporter at that will also be posted to the wiki.

Thank you for your support!