Tuesday, June 25, 2013

AppSec Latam 2013 - CFP and CFT now open!


Dear OWASP leaders,

We are pleased to announce that the OWASP Peru Chapter will host the OWASP AppSec Latam 2013 conference in Lima, Perú. The event will be composed of 2 days of training (October 1-2), followed by 2 days of conference talks (October 3-4), and will take place at the Universidad Tecnologica del Peru.

The Global AppSec Latin America 2013 Conference will be a meeting of Latin American information security leaders, and will present cutting-edge ideas. OWASP events attract a worldwide audience interested in "what's next". The conference is expected to draw 200-250 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.
Are you interested in delivering training or a talk at this year's conference? Our CFT and CFP are now open (deadline August 2, 2013). Learn more and submit your information at: appseclatam.org

Follow us on twitter to keep up with all the latest news and announcements: @AppSecLatam
Best regards,
Mateo Martinez


It is an honor to announce that the OWASP Peru Chapter will host the global OWASP AppSec Latam 2013 conference, to be held in Lima, Perú. The event consists of 2 days of training (October 1 and 2), followed by 2 days of conference talks (October 3 and 4). The event will take place in the rooms and auditoriums of the Universidad Tecnologica del Peru.

The global AppSec Latin America 2013 conference is a meeting point for Latin American information security leaders, presenting innovative ideas. OWASP events attract a global audience interested in learning about the next steps in the topics of interest.

Between 200 and 250 participants are expected from all over Latin America and from different industry verticals such as Government, Finance, Telecommunications, Technology, Healthcare and Education, among others.

If you are interested in delivering a training or a talk, the calls for training and papers (CFT and CFP) are open.
The deadline to submit proposals is August 2, 2013.

For more information, visit: appseclatam.org

You can also follow us on twitter to stay up to date on news and announcements: @AppSecLatam

I remain available for any questions.
Thank you very much.
Mateo Martinez

Friday, June 21, 2013

OWASP Global AppSec Conference Announcements


There have been a lot of announcements and updates flying around from our Global AppSec Events, which serve as both outreach opportunities as well as fundraisers for the OWASP Foundation, bringing in 40% of our annual revenue.  Here is a summary of the latest news from each event!

AppSec Research 2013 - August 21-24, Hamburg Germany

AppSec Latam 2013 - October 1-4, Lima Peru

  • Call for Training and Call for Papers are now open (deadline August 2, 2013) - visit http://www.appseclatam.org to submit your training or talk!

AppSec USA 2013 - November 18-21, New York City, NY

CONGRATS to the following chapters that will be hosting our 2014 events:

AppSec APAC 2014 - March 17-20 in Tokyo Japan hosted by the OWASP Japan Chapter

AppSec Research 2014 - Late June 2014 - at Anglia Ruskin University (Cambridge) hosted by the Cambridge, UK Chapter with support from the other UK chapters.

And last but not least... AppSec USA 2014, September 2014, Denver, CO - hosted by the OWASP Denver and OWASP Boulder Chapters, who have put on FROC (Front Range OWASP Conference) for the past 5 years.

Thanks to all the volunteers, trainers, speakers, sponsors, attendees, and OWASP community members that continue to make these events a great success for OWASP.

Do you want to get involved in one of the events listed above or have a question about hosting an OWASP event of your own? Contact us: http://owasp4.owasp.org/contactus.html

Black Hat USA Two Day Keynote Announced and Discount for OWASP Members

Brian Muirhead, Chief Engineer, NASA Jet Propulsion Laboratory, to give day two keynote at Black Hat USA 2013. 

OWASP members planning on attending get $200 off by using discount promo code Uurtcw00 (case sensitive). Register here: https://www.blackhat.com/us-13/registration.html

Thursday, June 20, 2013

OWASP Connector June 20, 2013


Last April, it was announced that OWASP would once again be participating in Google's Summer of Code. We received 82 proposals from around the world and were granted 11 slots by Google. Our mentors carefully reviewed and ranked the proposals, and today we are delighted to announce the students that will work with OWASP in the coming months.

The OWASP GSoC 2013 winners are listed below, in no particular order.

OWASP ZAP - Enhanced HTTP Session Handling and users/roles

Student: Cosmin Stefan
Mentor/s: Guifre Ruiz / Simon Bennetts
Brief description: Enhancing the HTTP Session handling of ZAP in order to add the capability to set up and/or identify users and roles and in order to add a series of various views, actions and scans that are dependent on a particular user/role.

OWASP ModSecurity CRS - Port to Java
Student: Mihai Pitu
Mentor/s: Breno Silva / Ryan Barnett
Brief description: The goal of this GSOC project is to have a ModSecurity version that can be used within Java servers (e.g. Tomcat). In order to achieve this, the standalone C code will be wrapped using the JNI framework and the resulting ModSecurity Java project will be used as a module for Tomcat server. Also, we will collaborate with the OWASP WebGoat team in order to integrate ModSecurity for Java into it.

OWASP OWTF - Inbound Proxy with MiTM & Caching Capabilities
Student: Bharadwaj Machiraju
Mentor/s: Krzysztof Kotowicz / Abraham Aranguren
Brief description: This project will create an inbound proxy module in the OWASP Offensive Web Testing Framework (OWTF) so that human navigation of a website can take advantage of the functionality in OWTF plugins in an automated fashion regardless of authentication, mandatory fields, client/server side redirects or HTTP response codes that might confuse automated tools. This will ensure increased efficiency in the security testing process and also help in complete identification of the attack surface of a website by identifying and automatically analysing all application entry points as soon as the user accesses them through the proxy.

OWASP OWTF - Multiprocessing
Student: Ankush Jindal
Mentor/s: Andres Riancho / Abraham Aranguren
Brief description: In this project, we will modify OWTF to use multiprocessing while scanning multiple URLs which is presently done sequentially (one after another). This will improve efficiency while scanning multiple URLs.

OWASP OWTF - Reporting 
Student: Assem Chelli
Mentor/s: Hani Benhabiles / Abraham Aranguren 
Brief description: A common complaint about OWASP OWTF so far has been that the report is not very shiny. The intention here is to move as much of the HTML as possible out of the Python files into template files, apply some nice web design to the report so that it is nicer and more comfortable to work with, and improve the interactive report load time.

OWASP OWTF - Unit Test Framework
Student: Alessandro Fanio González
Mentor/s: Andrés Morales / Abraham Aranguren 
Brief Description: As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that existing functionality remains intact. In this project we would like to create a unit testing framework so that creating OWASP OWTF unit tests is as simple as possible. The goal of this project is to create the Unit Test Framework and as many unit tests as possible to verify OWASP OWTF functionality.

OWASP PHP Security Project
Student: Rahul Chaudhary
Mentor/s: Azeddine Islam Mennouchi / Andrew van der Stock
Brief description: To make some stand-alone libraries to strengthen security in PHP and to alleviate some of the security risks as cited in the OWASP Top 10 list. Then to extend the collection of these libraries into a basic framework which would evolve in time.

OWASP ZAP - SAML 2.0 Support
Student: Pulasthi Mahawithana
Mentor/s: Prasad Shenoy / Kevin Wall
Brief description: This project will enhance ZAP's capabilities so that it can detect and fuzz the various elements and attributes of a SAML Assertion.

OWASP Hackademic: Plugin api and actions interface in challenges
Student: Daniel Kvist
Mentor/s: Spyros Gasteratos / Kostas Papapanagiotou
Brief description: This project aims to develop a plugin API for the OWASP Hackademic Challenges CMS. The API will allow third party developers to use Actions, Filters and Themes to customise the system.

OWASP ZAP - Exploring Advanced reporting using BIRT
Student: Rauf Butt
Mentor/s: Johanna Curiel / Simon Bennetts
Brief description: The proposed project is to explore the current capabilities of ZAP reporting and enhance it with the help of BIRT integration with ZAP. The proposed outcome will use the existing ZAP result outputs and generate reports for the end-users to analyse the testing results in a productive way.

Student: Abdelhadi Azouni
Mentor/s: Azeddine Islam Mennouchi / Simon Bennetts
Brief description: The project is an implementation of a ZAP extension to help with CMS scanning (WordPress, Joomla and Drupal as a first step).

If your proposal was not chosen, we would like to thank you for your participation. Please do not feel discouraged to participate in the OWASP community regardless of GSoC as there are plenty of opportunities to apply your knowledge.

OWASP AppSec Research Registration NOW OPEN

Registration has just been opened! Early Bird closes on July 1st, so hurry up!

register here




OWASP Project Workshop
Project Summit
Career Fair
3K run for Charity
Women in Security
Lockpick Village

The OWASP Foundation has received two great proposals for AppSec USA 2014. We NEED your input! The submissions are from the Denver, CO team and the Omaha, NE team. Both proposals are posted and your input is requested. JOIN THE DISCUSSION


(ISC)2 SecureRome 2013:  Security in the 21st Century - Threats and Trends - July 9, 2013
Synopsis: With an increasing dependence on the internet, understanding current and potential future threats is crucial to security and business management, as threat development moves with technology development. To stay ahead, we must understand the strategies of those who are driving the threats while keeping an eye on the proliferation of cyber weaponry. Join prominent industry experts at the SecureRome Conference to explore the latest Emerging Threats & Trends and help us get ahead of the attackers. The conference arms delegates with the instincts for anticipating and pre-empting attacks, assessing the adequacy of defenses and the strategy behind them, and clarifying requirements for risk analysis. Network with your peers and earn 8 CPEs.

BlackHat 2013 - July 27-Aug 1, 2013 - $200 off discount promo code for OWASP members is:  Uurtcw00 (case sensitive)

ISSA International Conference - October 9-10, 2013 - OWASP members can register and take advantage of the partner rate by using Discount code:  confOWASP62c

EC Council - July 11-16, 2013 - OWASP members can register for $99 using discount code TDCSTLOWASP

Cloud Security Alliance Congress 2013 - December 4-5, 2013 - OWASP members receive a 10% discount using discount code:  CSA13/OWASP

(ISC)2 Security Congress - Sept 24-27, 2013 - OWASP Members save 20% off conference registration with the discount code:  OWASP



The OWASP EU Tour is well underway. There are 15 confirmed locations, 5 training sessions, and more than 30 speakers traveling around raising awareness about OWASP and application security in the European region.

Thank you to our Gold Sponsors, 7Safe and Cigital, for supporting the tour. Thank you also to all of the universities who have provided us with a venue to host our events.

Of course, the biggest thank you is to Fabio Cerullo and all of the European Chapter leaders who are making this event such a HUGE success!

To learn more about the Tour, its stops and how you can become a sponsor, visit the Tour page on the OWASP website.


We are currently accepting applications for a Global Event Manager. Complete details can be found HERE. Applications are being accepted through Friday, June 21, 2013.

We recognize Parasoft and Coverity, our newest corporate members!

Thank you to Acunetix for renewing their corporate membership!


Thank you to everyone who participated in the 2013 Q2 Membership Drive

92 individuals became new members or renewed their memberships

Global Board Elections: The call for candidates closes on August 16, 2013, so be sure to submit your candidacy today!
WASPY Awards: The call for nominees closes on August 16, 2013. To get more information (including how to sponsor the awards), CLICK HERE

OWASP Initiatives can help you earn your CPEs!

Volunteering with an initiative or working on an OWASP Project can often be counted towards CPEs for some organizations! Be sure to check with your professional organization for clarification!

OWASP Global Webinar Series to begin next week!

The OWASP Global Webinars will now become a platform to present some great archived presentations and to run some live presentations as well. These webinars will, in most cases, provide CPE credit.

Upcoming Webinars

Wednesday, June 26, 2013
Mobile applications and Proxy Shenanigans - Dan Amodio and David Linder (recorded AppSec USA 2012)
Sessions at 10 am EDT and 9 pm EDT

Wednesday, July 10, 2013
AppSec Training, Securing the SDLC, WebGoat.NET, and the Meaning of Life - Jerry Hoff (recorded AppSec USA 2012)
Sessions at 10 am EDT and 9 pm EDT

Wednesday, July 24, 2013
Four Axes of Evil - HD Moore (recorded AppSec USA 2012)
Sessions at 10 am EDT and 9 pm EDT

University Challenge at the AppSec EU in Hamburg:

OWASP AppSec Research 2013 announces the University Challenge! The University Challenge is a competition among teams comprised of university students that will be held on August 20-21 during the training days of the conference. There is no admission fee for the University Challenge AND participation in the conference is possible at the student rate, if applicable. During the University Challenge, teams will defend a vulnerable web application while solving Capture the Flag type challenges.

This year, the OWASP University Challenge will be limited to 8 teams. Teams will consist of 4-8 students with one team per university. Team openings are on a first come/first served basis. If multiple teams are received from the same university, the second team will be put on a wait list. All team members must be registered. Registration for the University Challenge event is free. Food and beverages will be provided during the challenge and all participants will get an OWASP University Challenge t-shirt. Of course, the first three winning teams will get some awesome prizes (to be announced).

OWASP Village at OHM2013:

OWASP has a Village at OHM2013: https://ohm2013.org/wiki/village:owasp
About OHM2013: OHM2013 - observe, hack, make. A five day outdoor international camping festival for hackers and makers, and those with an inquisitive mind. On 31 July 2013, 3000 of those minds will descend upon an unassuming patch of land at the Geestmerambacht festival grounds, 30 km north of Amsterdam.


Monday, June 17, 2013

OWASP AppSec Research - Registration now open

The OWASP AppSec Research 2013 (https://appsec.eu), *the* web application security conference, will take place from 20 – 23 August 2013, Tuesday – Friday, in Hamburg, Germany.

Registration has just been opened. Early Bird closes on July 1st, so hurry up! Register here: https://appsec.eu/registration/.

Here is an outline of the agenda. The training will be on 20/21 August, the conference on 22/23 August 2013.

Awesome Trainings (https://appsec.eu/trainings/)

Two days of pre-conference technical training with a focus on builders (PHP, Java, JavaScript), a bit of breaking and defending, and keeping up with the times: Mobile!
And last but not least: trainers with outstanding international reputation!

Exciting Conference program highlights (appsec.eu/program/talk-teaser/)

* David Ross (Microsoft): inventor of the XSS filter in IE8+
* Stefano Di Paola ("DOMinator"):  JavaScript libraries (in)security
* Yvan Boily (Mozilla): Application Security Manager @ Mozilla talking about the new security testing framework Minion
* Nick Nikiforakis (University Leuven): Web fingerprinting and privacy
* Taras Ivashchenko (Yandex): Content Security Policy
* Chris Eng (Veracode): Real-World Agile SDLC
* Simon Bennetts (Mozilla/OWASP): What's new in OWASP Zed Attack Proxy
* Dave Wichers (Aspect/OWASP): OWASP Top 10 – 2013
* Jim Manico (WhiteHat/OWASP): Top 10 Proactive Controls

And last but not least, the HackPra AllStars track (appsec.eu/hackpra-allstars/) with prolific speakers and top-tier researchers in the field of web security, including Mario Heiderich, Gareth Heyes, Michele Orrú and others.

This exciting conference will take place in what is surely the most exciting and most beautiful city of Germany: Hamburg (https://appsec.eu/about-hamburg/). With river and canal cruises, Europe's second biggest harbour as part of the city, famous streets for nightlife, a vibrant cultural life, as well as a strong creative and tech industry presence, Hamburg is the ideal location to spur innovative thinking and knowledge sharing at the OWASP AppSec Research 2013 conference.

OWASP is the foremost web app security organization in the world, with thousands of members globally, including some of the biggest names in the industry. The goals of OWASP are to make web applications safe and to educate users, developers, governments, and business leaders on how to protect vulnerable information and avoid dangerous hacks that can cost millions of Euros to fix.

You will find more information at https://appsec.eu. We look forward to seeing you!

For any questions, do not hesitate to contact us: owasp@bernskoetter.de.

Your OWASP AppSec Research Team.

P.S.: Become an OWASP member now and save up to 60 € on the admission fee (https://www.owasp.org/index.php/Membership)!

Special thanks go to our sponsors, who help make the conference possible.
Some sponsorship places are still available! If interested, please send us a quick note at sponsoring@owasp.de.

Bronze Sponsor:
Tele-Consulting – http://www.tele-consulting.com/

Friday, June 14, 2013

Training and Speaker Schedule Now ONLINE

FULL Schedule Now ONLINE

Wednesday, June 12, 2013

OWASP Foundation - Membership Drive Prize Drawing

Join us for a Webinar on June 13, 2013

Live Prize Drawing for new and renewing members (do not need to be present to win):


Reserve your Webinar seat now at:

Title: OWASP Foundation - Membership Drive Prize Drawing
Date: Thursday, June 13, 2013
Time: 10:00 AM - 10:15 AM EDT

After registering you will receive a confirmation email containing information about joining the Webinar.
System Requirements
PC-based attendees
Required: Windows® 7, Vista, XP or 2003 Server
Mac®-based attendees
Required: Mac OS® X 10.6 or newer
Mobile attendees
Required: iPhone®, iPad®, Android™ phone or Android tablet

Sunday, June 9, 2013

OWASP Membership Drive Ends Tomorrow!

Be sure to join or renew your membership to be entered into a drawing for some awesome prizes!  For more information see:

Friday, June 7, 2013

OWASP 2013 Membership Drive Closes June 10, 2013

Just a reminder that the OWASP Membership Drive will close on June 10, 2013.  Make sure you renew or join before then so you will be entered into a drawing for one of the following prizes:

  • 2 OWASP Lifetime Memberships
  • 2 Full Conference Passes for OWASP AppSec USA, November 20-21, 2013 in New York City
  • 1 training class of the attendee's choice + 1 full conference pass
  • 2 full conference passes
  • 1 training class of the attendee's choice + 1 full conference pass
  • 2 full conference passes
  • 2 Full Conference Passes for (ISC)2 Secure Asia, Philippines - August 8-9, 2013
  • 2 Full Conference Passes for (ISC)2 Secure Brazil
More information about our membership drive can be found here

NEW to OWASP Membership is the addition of 2 new Individual Membership options: purchase a two year membership for $95/USD or a lifetime membership for $500/USD. Lifetime members are not only entitled to all the regular benefits of individual membership but will also receive a metal membership card as thanks for their contribution.

Ready to become a member or renew your membership? Click here

Thank you for your support of the OWASP Foundation and please contact us at any time with questions:

Thursday, June 6, 2013

OWASP is Hiring a FT Event Manager - Apply NOW!

OWASP Community Members -

We are looking for a motivated professional to take on management of OWASP Events.

Applications are being accepted until June 21, 2013, with interviews immediately following and a final decision made by July 5, 2013.

How to apply: Email a cover letter and resume with your name and the position you are applying for in the subject line to owasp.foundation@owasp.org.

Please help us spread the word about the position by posting to your chapter/project lists, adding to applicable job boards, or forwarding to any individuals that you think would be interested.

Tuesday, June 4, 2013

OWASP Connector June 4, 2013





OWASP Xenotix XSS Exploit Framework Project

The OWASP Xenotix XSS Exploit Framework Project is a penetration testing tool that detects and exploits XSS vulnerabilities in web applications. It is essentially a payload-list-based XSS scanner and XSS exploitation kit. The exploitation framework will help penetration testers create proof of concept attacks on vulnerable web applications.

For more information, please visit the OWASP Xenotix XSS Exploit Framework Project wiki page.


OWASP VaultDB Project

Project Leader: Maxime Labelle

VaultDB is a secure NoSQL database management system (DBMS) for modern applications. It supports multi-recipient encryption, table-level encryption, group encryption and comes loaded with a strong cryptosystem.

VaultDB adds automatic transparent encryption to your application's data at the table/document level. Instead of using its own internal storage engine, VaultDB stores the encrypted data inside your preferred DBMS.

OWASP WS-Amplification DoS Project

Project Leader: Thomas Vissers

This project aims to explore the threat of an Amplification DoS attack that utilizes web services. Currently, DNS servers are widely misused to amplify DoS traffic; this is called a DNS Amplification or Reflective attack. It appears that SOAP web services that implement WS-Addressing might be vulnerable to similar abuse, as stated in this paper. The aim of the project is to develop tools to test for this vulnerability and determine the magnitude of the threat on a global scale.

OWASP Mutillidae 2 Project

Project Leader: Jeremy Druin

NOWASP (Mutillidae) is a free, open source, deliberately vulnerable web application providing a target for web security enthusiasts. NOWASP (Mutillidae) can be installed on Linux and Windows using LAMP, WAMP, and XAMPP for users who do not want to administer a web server.


OWASP Global Board Elections

The call for candidates is OPEN!

Do you want to host an event or propose OWASP involvement in an outreach event? Submit your event through the OWASP Conference Management System (OCMS)

Do you have some news? Submit your item to appear in the next connector HERE



Thank you to Ping Identity, Riverbed Technology, and Sonatype, our newest Corporate Members

Thank you to Imperva and UPS for their Corporate Membership Renewals



Now is the time to make sure your membership is current and up to date! Join or renew between now and June 10th and be eligible to receive one of 22 Cool Prizes!
Effective June 1st, you can now join for a 2 year membership or become a LIFETIME Member.

Apply for an Honorary Membership

Get the Details and the Link to the form


Big announcements are coming soon! Training sessions and talk schedule will be posted by June 14th. Be sure to visit the website often for updates on sponsorship opportunities, conference activities, and more!


Registration is opening very soon! Thanks to all for patiently waiting! Check the AppSec Research site for details on the training sessions, talks, and link to registration within the next couple of days.

OWASP is pleased to announce our upcoming Partner Events:

Blackhat 2013 - OWASP Members receive $200 off using discount code: Uurtcw0

SecAppDev - OWASP members receive 10% off using discount promo code: owasp. This code will need to be entered in the comments box to receive the 10% discount.

EC Council - Use discount code TDCSTLOWASP for $99 conference passes





Analyzing and Fixing Password Protection Schemes - John Steven
(Recorded at AppSec USA 2012 in Austin, TX)

June 6, 2013 at 10am EDT
June 6, 2013 at 9pm EDT (GMT -5)

Links to the recordings of previous meetings can be found on the Initiatives Page

2013 WASPY (Web Application Security People of the Year) Awards

We all know someone who has made a difference in our industry. Now is your chance to nominate them to be GLOBALLY recognized! The 2013 categories are:

  • Best Chapter Leader
  • Best Project Leader
  • Best community supporter - contributor to chapter, project or initiative
  • Best Mission Outreach - grow the OWASP community
  • Best Innovator - willingness to try new ideas

OWASP would like to thank Qualys for stepping up to be a Platinum Sponsor for these awards in 2013! Additional sponsorship opportunities are available Here

OWASP Foundation