Thursday, February 28, 2013

AppSec APAC 2013

We would like to thank the South Korea chapter for putting on an excellent conference last week. Guests traveled from all parts of the globe to attend the AppSec APAC 2013 conference that took place on Jeju Island. Below are a few images taken by a handfull of our guests. To view the rest of our images for this conference, please visit our OWASP Photo Gallery Page

Tuesday, February 26, 2013

OWASP iGoat Project:

Thanks to iGoat lead developer, Sean Eidemiller, it gives me great pleasure to announce the immediate release of OWASP iGoat version 2.0! See the project web site at:    

for more information, or go directly to the source repository to download at:

The OWASP iGoat tool is a stand-alone iOS app (distributed solely in source code) designed to introduce iOS developers to many of the security pitfalls that plague poorly-written apps. Like its namesake, OWASP's WebGoat tool, iGoat is intended to teach software developers about these issues by stepping them through a series of exercises, each of which focuses on a single aspect of iOS security.

OWASP iGoat is an ideal tool to use in a classroom setting to teach iOS developers (and technically minded IT Security staff with at least some exposure to object oriented programming).

Exercises include many typical problem issues (and their solutions) including:
- Securing sensitive data in transit
- Securing sensitive data at rest
- Securely connecting to back-end authentication services
- Side channel data leakage (e.g., system screen shots, cut-and-paste, and keystroke logging via the autocorrection feature)
- Making use of the system keychain to store small amounts of consumer-grade sensitive data

New to version 2.0:

- iGoat is now a true Universal app, so it builds and runs on iPhones, iPod Touches, as well as iPads. Full screen views are supported on all of these devices. (It also runs on the iPhone simulator included with XCode, of course -- which is ideal for a classroom environment.)

- A few "behind the scenes" improvements were made to the iGoat platform itself, making it easier to work with and develop new exercises. These include:
  o Storyboards for main screen navigation.
  o ARC support for object memory management.

- General code clean-ups.


To build and run iGoat, you'll need a Mac running OS X (real or virtual machine), with XCode installed. iGoat was built for Mountain Lion, but should run fine on any OS X newer than Snow Leopard. We recommend the latest XCode and built iGoat using XCode version 4.6. Similarly, iGoat was built on iOS 6.1, but should be backwards compatible with at least version 5.x. 

We invite the OWASP community to download and try iGoat, and we welcome your suggestions for improvements. We're always looking for willing participants to contribute to the project as well!


Ken van Wyk
OWASP iGoat Project Leader

Monday, February 25, 2013

Security: Looking Forward - Protecting Critical Applications with OWASP

Headed to RSA?

Michael Coates - OWASP Global Board Chair & Director of Security Assurance at Mozilla, Mozilla
Session DescriptionTop 10 application security risks, free online security training, advanced application security testing tools, guidance on secure development lifecycle – these are all free resources produced by the OWASP open source community. Join this session and find out how to support and leverage the OWASP organization to help the fight for secure applications!

Security: Looking Forward - Protecting Critical Applications with OWASP

Wednesday, February 20, 2013

AppSecUSA 2013 Sponsorship Registration is NOW OPEN

OWASP AppSecUSA 2013 Sponsorship Registration is 

AppSecUSA 2013 is being held November 18th - 21st in New York City at the NY Marriott Marquis located in the heart of Times Square!

Conference sponsors will have access to over 2000 attendees exclusively focused on Software Security. 
Space is limited, so don't wait!  Complete the form now to be part of the action in the Big Apple.

Want to save on the price of your conference sponsorship? Become a Corporate Member today and take advantage of the Discounted Sponsorship Rates for OWASP Corporate Members!

Press Release

Tuesday, February 19, 2013

OWASP Connector February 19, 2013


OWASP Connector February 19, 2013

   Standard OWASP Banner


AppSensor Writers - We are writing v2 of the AppSensor book and need help from the software community.  Can anyone help identify or tell us about real-world examples of AppSensor (application-integrated attack detection and response) or AppSensor-like functionality in any type of software application?  Please sign up via the initiatives page if interested.  

MediaWiki Ninja:  Development Guide 2013 Project Assistance Needed - The OWASP Development Guide 2013 would like to have the different versions of the Guide available via a drop down menu similar to MSDN (say compare the different versions of ASP.NET API) or Technet (say compare the versions of Windows), so that we can develop and translate the OWASP Development Guide 2013 here at OWASP without disturbing existing content.  MediaWiki experience is essential!!!!!

AppSensor Cover Photographer - we are writing v2 of the AppSensor project book and need a photograph for the front cover ... somewhat like those used on the Testing Guide or Developer's Guide of an insect in color.  No photo library images, or images taken from other places without permission please.

Help Wanted for OWASP ZAP project - various roles - the OWASP ZAP project is currently recruiting for various volunteer roles to help support the current development team with their project milestones.  We have many different roles available ranging from developer roles to graphic design and marketing.  This is an excellent opportunity to work on a high profile OWASP project, while working in a supportive environment where help is readily available.  Check out the Get Involved section of the Zap project page

OWASP Foundation



SecAppDev - Leuven 2013 is the 9th annual presentation of a week long Secure Application Development immersion course by, a non-profit dedicated to raising the bar in secure software engineering.  The course is run from March 4th - 8th in the Faculty Club, Leuven, Belgium.  Register Here

Canadian Cloud Council is hosting an exciting event "Cloud Matters" that will challenge how Canada views the cloud.  Visit the event page for a list of the dynamic speaker lineup.  OWASP members receive a $100 discount with the code:  cccOWASP.

Information Security Summit - Cleveland, OH, USA - ISS is joining with NEOSA and COSE to present the Spring IT Summit during Tech Week.  OWASP, the ISC2 Cleveland Chapter, IT ThinkTank, and the Cleveland Chapter of CSA have collaborated to produce an exciting agenda.  Pre-conference training is scheduled for April 17th and the event will be held on April 18th.  CPEs will be awarded for attendance.  
The finalized agenda and event information can be found here.


This year's North American AppSec Conference will be held in New York City November 18th-21st at the Marriott Marquis in the heart of Times Square.  We have a fantastic event shaping up and sponsorships are selling fast.  If you are interested in sponsoring, please complete this request for information

OWASP Social Media


February 28, 2013 at 10am EST
(GMT -5)


February 28, 2013 at 9pm EST
(GMT -5)

Links to the recordings of previous meetings can be found on the Initiatives Page


We would like to extend a big THANK YOU and Welcome to the newest Corporate Members:

Architect Group and Twitter

Also, Thank you to the following Companies who have renewed their memberships in 2013:  

Accuvant Labs, DBAPP Security, Denim Group, FishNet, Mozilla, Oracle, Qualys, and VeraCode

Do you have some news?  Submit your item to appear in the next connector HERE

Thursday, February 14, 2013

Moving to Global Initiatives Program & Retiring Committee Structure

OWASP has grown significantly over our 10+ years of existence. As we’ve grown the community has adapted and changed in many ways. Nearly five years ago at the first OWASP Summit we created the global committees. This structure created new channels where interested OWASP’ers could help shape and grow the OWASP organization. Over those five years we’ve seen many great results from the committees and many people have contributed countless hours to further OWASP.

As we’ve continued growing it is now time to make another pivot. The committee structure provided many successes but now there is a better structure that will accommodate a growing population of interested OWASP volunteers. 

At this time we are retiring the committee structure and completely moving to the Global Initiatives Program ( The Global Initiatives program will be the new way for any interested individual to find and volunteer to assist with OWASP activities.  The Global Initiatives program is a single place where individuals can post new ideas to rally a team or can look for other activities that are in need of assistance.

This transition will allow for further involvement within OWASP by:
  • Creating smaller, task focused objectives for OWASP’ers to volunteer
  • Minimize barriers and red tape for OWASP’ers
  • Create projects with natural end dates so OWASP’ers aren’t required to make multi-year commitments just to get involved
  • Provides tasks that are short or long term commitments – OWASP’ers can match their availability and desired commitment with the best initiative in need of resources
  • Enables easier recognition for all the great contributions from our OWASP’ers 

The efforts put forth in the committees was truly valued. While the structure may be changing, we encourage and welcome all of the great volunteers from the former committees to continue growing OWASP through the Global Initiatives program.

We’re all excited about this new transition and hope to see many more OWASP’ers contributing and spreading application security.

Want to talk more about the OWASP global initiatives program? Join the monthly call. Next meeting is February 14th

Michael Coates | OWASP | @_mwc

Wednesday, February 13, 2013

OWASP HR Information

OWASP Community Members,

I wanted to take a minute and share the OWASP hiring process for the IT Support Position.  Although we need to work on our timing a bit, I'm comfortable that the process is fair and impartial.

In early November, two positions were posted on the OWASP jobs board and included in the OWASP Connector, and applications were submitted via the contact us form.  The IT candidates information was forwarded to the Board for review.  

Actual interviews were not conducted until late January and early February.  During the delay, several additional candidates submitted their resumes for consideration.

I interviewed the candidates for their non-technical skills:  management, interpersonal and communication skills, areas of interest, and general knowledge and passion for OWASP.  Jim Manico interviewed the candidates for their technical ability and reported that to Sarah Baso and me.

The candidates were evaluated on all factors and a decision was promptly made.  Those candidates who interviewed were notified of the decision prior to the announcement.

Kate Hartmann
OWASP Foundation

Tuesday, February 5, 2013

OWASP Connector February 5, 2013

OWASP Connector February 5, 2013

Standard OWASP Banner                                                                         



OWASP Embedded Application Security Project - There are many challenges in the embedded field including limited memory, a small stack and the challenge of pushing firmware updates.  The goal of this project is to identify the risks in embedded hardware applications, create a list of best practices and draw on the resources OWASP already has and bring that to the embedded world.  Please contact Aaron Weaver if you wish to contribute to the project.

OWASP OpenStack Security Project - The OWASP OpenStack Security Project is an effort to provide security testing techniques and tools to assess the security of the OpenStack code base.  Generally speaking, the OpenStack community is primarily developers of OpenStack and companies which are implementing all or parts of OpenStack.  This project provides a bridge between the OpenStack community and the OWASP community of security professionals.  The project leader is also a member of OpenStack and is a member of the OpenStack Security Group.  OpenStack has the desire to be the Linux of Cloud infrastructure, and OWASP can be the community that ensures the security of that Cloud.  Please contact Matt Tesauro if you wish to contribute to the project


OWASP ZAP 2.0.0 is now available for Download

Simon Bennetts, OWASP Zap's Project Leader, is planning to host a Google hangout demonstrating many of these features at 17:00 UTC on Friday 8th Feb.  Details to be announced via twitter

For more information on Zap 2.0 new features, please visit the OWASP Official Blog

OWASP AntiSamy Version 1.5 is finally released!

AntiSamy V1.5 promises to be significantly faster than previous releases;  your mileage will vary anything from just some percent to a full 5 times faster, depending on use cases.  A lot of attention has been put to typical "server" validation cases in this release.  This version requires java 1.5.

For more information on this initiative, please visit the OWASP AntiSamy Project Page

OWASP Foundation



OWASP & Black Hat EU - 
OWASP is proud to once again partner with Black Hat Europe in 2013.  Join us in Amsterdam, March 12-15, 2013 for the premiere conference on information security.  Take advantage of an exclusive 15% discount off Black Hat Europe Briefings.  OWASP members may simply enter the following code:  15OwaSpBHeu13 when completing the registration process. Click Here to Register 

OWASP & RSA Conference 2013 - New for this year, OWASP has partnered with the RSA conference taking place February 25-March 1, 2013.  Register today to access the industry's most in-depth intelligence over five information packed days in San Francisco.  Use the following code to receive an additional $100 off the current registration price:  1213OWASPDL100.

While attending the conference, come check out our talk on Friday, March 1 in the Association Track "Security:  Looking Forward - Protecting critical applications with OWASP" presented by Michael Coates, Chairman of the OWASP Global Board of Directors

Call for 2014 Global AppSec Conference Proposals

We are currently solicitating proposals for our four OWASP Global AppSec conferences in 2014.  Conferences will be selected to facilitate on Global AppSec conference in each quarter of the year.  Conferences will be held in North America, South America, Europe, and the Asia Pacific regions.  New for 2014, we will be moving the North American event to Q2!

  • Global AppSec Asia Pacific - Q1 (Applications due by March 1, 2013)
  • Global AppSec North America - Q2 (Applications due by April 1, 2013)
  • Global AppSec Europe - Q3 (Applications due by July 1, 2013)
  • Global AppSec Latin America - Q4 (Applications due by September 1, 2013)
Those interested in submitting a proposal, should learn more about the recommended planning steps here and submit your application to the OWASP Event Management System

If you have any questions or need assistance with your application, do not hesitate to contact Sarah Baso or the Global Conferences Committee


February 14, 2013 at 10am EST
(GMT -5)


February 14, 2013 at 10pm EST
(GMT -5)


Please add your recommendations for discussion to the meeting agenda

Links to the recordings of January's meetings can be found on the Initiatives Page
Global Initiatives - Chapter

LATAM 2013
The 2013 OWASP LATAM Tour is being scheduled for March/April 2013.  Each location will host a day of training and a day of talks.  If you are interested in submitting a training proposal, or are interested in sponsoring this event, please visit the LATAM 2013 web page.

NEW CITATION:  The new document from PCI SSC references OWASP -
Information supplement:  PCI DSS E-commerce Guidelines

Other Citations of National & International Legislation, Standards, Guidelines, Committees and Industry Codes of Practice


OWASP had a great presence this year at FOSDEM 2013 held in Brussels, Belgium. Dedicated members from Amsterdam, Belgium, and the United Kingdom attended on behalf of OWASP. Simon Bennetts spoke about OWASP ZAP at the event, and helped share our mission with Sebastien Deleersnyder and Martin Knobloch. Thank you for your dedication and support, gentlemen. 

FOSDEM is a community driven event whose goal is to provide Free Software and Open Source developers a place to get together and share ideas. FOSDEM is a non-commercial, two-day event organized by volunteers to promote the widespread use of Open Source software. 

Image via FOSDEM 2013

Monday, February 4, 2013

2014 Call for Global AppSec Conference Proposals

OWASP Leaders -

Are you interested in hosting a Global AppSec Conference for 2014? Now is the time to submit your proposal!

Each year OWASP hosts four international AppSec conferences that are aimed at raising money for the Foundation while fulfilling our mission of improving the security of software through awareness and education. OWASP Global AppSec Conferences include 2 days of pre-conference training, followed by 2 days of conference talks.  For more information about Global AppSec conferences, see the How to Host a conference page (

We are currently soliciting proposals for four Global AppSec conferences in 2014. Conferences will be selected to facilitate one Global AppSec conference in each quarter of the year with conferences held in North America, South America, Europe and the Asia Pacific regions. New for 2014, we will be moving the North American event to Q2!

·  Global AppSec Asia Pacific - Q1 (Applications due by March 1st 2013)
·  Global AppSec North America – Q2 (Applications due by April 1st 2013)
·  Global AppSec Europe - Q3 (Applications due by July 1st 2013)
·  Global AppSec Latin America - Q4 (Applications due by September 1st 2013)

Putting on a Global AppSec conference is a rewarding experience, but also a tremendous amount of work. Having a team of volunteers (or at least a core group of individuals) willing to lead the event planning efforts, with experience with a local or regional event is strongly recommended. 

Some things to consider before sending in an application:

·  First, review the How to Host a conference page (  This page hosts a variety of information about planning an OWASP event, as well as various requirements and policies that have been put in place by the foundation to govern Global AppSec Conferences.
·  Gather a small team together who are interested in working the event.  Trust us, you can’t do it all yourself.
·  Work with your local planning team to acquire some basic information (location, tentative dates, possible venues, costs, theme, etc) about your event.  
·  Prepare a rough budget plan using the OWASP Budget Planning Tool (  We understand that you may not have quotes and good estimates for all of the budget items but please put forward the best information you have.
·  Some events have chosen to put together a short presentation describing the organizing committee, previous conference experience, existing local supporting organizations, local attractions, access to transportation, local culture and more. In general, these are presentations to 'pitch' your city to the committee. Examples of successful presentations and
·  Submit your application at

We really appreciate every proposal we receive. Just by submitting an application, you are demonstrating your commitment to OWASP by offering to host one of its best public outreach initiatives.  Please keep in mind that there are many factors that go into selecting Global AppSec Conference locations and not every proposal will be approved. We also realize that this could be very early in your planning process, and therefore challenging for you to provide detailed information, just provide the best available information.
If you have any questions or need assistance with your application, do not hesitate to contact Sarah Baso ( or the Global Conferences Committee (

We look forward to your proposals!