Sunday, July 28, 2013

Welcome to our new Event Manager: Laura Grau

Please join me in giving a warm welcome to OWASP's new Event Manager, Laura Grau!  And, Laura, we are thrilled to have you on board!

About Laura:

Laura Grau has worked as an Events Manager for the past six years at an international research center in Barcelona. During these years she gained a solid background organizing a wide variety of events, ranging from seminars, workshops, outreach activities and open house events to international conferences. Her responsibilities in each project ran from the conceptual phase to closure. Laura has a Bachelor of Arts in Business Tourism from ESADE Business School and a Master's degree in Project Management from the University of Barcelona. She is a native Spanish speaker and also speaks English, basic French and Italian. In her spare time she can be found biking around San Francisco, watching foreign films, tasting new delicacies, or practicing yoga.

Laura is committed to organizing OWASP AppSec conferences all over the world and making them the best gathering spot to discuss the state of the art in application security.

I think Laura has a wealth of experience with event management as well as a proven track record of working with people to achieve successful events that will help take our global, regional, and local conferences to the next level.  Additionally, I see Laura as a great addition to the team as we are trying to accommodate a global population - we will all surely have things to learn from her!

Laura will be starting tomorrow - Monday (July 29) and working to quickly get up to speed with the global events we have in the works as well as the OWASP processes and workflows (she will certainly be creating new ones of her own as well).  

Connect with Laura on LinkedIn:
Or email Laura at:

Process: Hiring an Event Manager for the OWASP Foundation

OWASP Community Members –

Before I share with you the outcome of our candidate search for a new Event Manager (yes, we have hired someone), I wanted to share some information about the hiring process and candidate pool.

The Event Manager job description was drafted by me and reviewed by the OWASP staff before posting.  The job description was posted to the wiki along with background requirements, desired skills, and starting salary. The job was promoted through OWASP channels: OWASP Blog, OWASP Leaders List, OWASP Foundation LinkedIn Group, @OWASP Twitter Account, OWASP Group on Facebook, and OWASP Community Page on Google+. Externally, the job was also posted to Indeed, SmartRecruiters, Philanthropy News Digest, Learn4Good, and ZipRecruiter.

The Event Manager job was posted on June 6, 2013 and applications were accepted via email through June 21, 2013 (15 days).  We received 90 applications and here is a breakdown of the sources of the applications as well as by geographic region where the applicants resided:

From the 90 applications received, we offered first interviews to 30 candidates (1/3) and second interviews to 5 candidates.  The interviews were offered to the most qualified candidates based on required background and desired skills posted in the job description. 

Final Selection
Our final candidate went through 3 interviews, including one in her native language (Spanish) and an in-person interview with me since she is located in the Bay Area.  We were thrilled with both the number and quality of applications we received for this position.  Additionally, we are confident that the individual we selected will be a great fit for the position as well as encourage the growth of OWASP events globally.

Without further ado... see the next post for an introduction of our new Event Manager!

Wednesday, July 24, 2013

Do not miss AppSec Research 2013!

OWASP AppSec Research 2013, *the* web application security conference, will take place from 20-23 August (Tuesday to Friday) in Hamburg, Germany.

Register here:

Here is the outline of the agenda. The training will be on 20/21 August, the conference on 22/23 August 2013.

Awesome trainings
Two days of pre-conference technical training with a focus on builders (PHP, Java, JavaScript), a bit of breaking and defending, and, in keeping with the times, mobile!
And last but not least: Trainers with outstanding international reputation!

Exciting conference program highlights
* David Ross (Microsoft): inventor of the XSS filter in IE8+
* Stefano Di Paola ("DOMinator"):  JavaScript libraries (in)security
* Yvan Boily (Mozilla): Application Security Manager @ Mozilla talking about the new security testing framework Minion
* Nick Nikiforakis (University Leuven): Web fingerprinting and privacy
* Taras Ivashchenko (Yandex): Content Security Policy
* Chris Eng (Veracode): Real-World Agile SDLC
* Simon Bennetts (Mozilla/OWASP): What's new in OWASP Zed Attack Proxy
* Dave Wichers (Aspect/OWASP): OWASP Top 10 – 2013
* Jim Manico (WhiteHat/OWASP): Top 10 Proactive Controls

And last but not least, the HackPra AllStars track, with prolific speakers and top-tier researchers in the field of web security around Mario Heiderich, Gareth Heyes, Michele Orrù and others.

Wait, there's even more: the Open Source Showcase!
Ever wanted to chat with the developers of:
* sqlmap: would you like to inject some SQL? The tool for serious pentests! (Miroslav Stampar)
* WebSensors: honeynetting the web with community collectors running mod_security! (Christian Bockermann)
* ThreadFix: simplify vulnerability management with an open source software vulnerability management platform (Dan Cornell)
* WS-Attacker: don't know how to test web services? This is for you! Presented by renowned security researchers Juraj Somorovsky and Christian Mainka
* OWASP O2 Platform: a paradigm for performing, documenting and distributing web application security reviews (Dinis Cruz)
* OWASP Hackademic Challenges: helps you test your knowledge of web application security (Konstantinos Papapanagiotou)
* OWASP OWTF: OWTF Summer Storm, a new tool for automated security assessment (Abraham Aranguren)
* Eccentric Authentication: make cryptography trivial by rearranging the tools (Guido Witmond)

Register now!

This very exciting conference will take place in what is surely the most exciting and most beautiful city in Germany: Hamburg. With river and canal cruises, Europe's second biggest harbour as part of the city, famous nightlife streets, a vibrant cultural life, and a strong creative and tech industry presence, Hamburg is the ideal location to spur innovative thinking and knowledge sharing at OWASP AppSec Research 2013.

OWASP is the foremost web app security organization in the world, with thousands of members globally, including some of the biggest names in the industry. The goals of OWASP are to make web applications safe and to educate users, developers, governments, and business leaders on how to protect vulnerable information and avoid dangerous hacks that can cost millions of Euros to fix.

More information is available on the conference website. We look forward to seeing you!

Your OWASP AppSec Research Team.

P.S.: Become an OWASP member now and save up to 60 € on the admission fee!

Special thanks go to our sponsors, who help make the conference possible:
Some sponsor places are still available! If you are interested, please send us a quick note.

Platinum Sponsor: Riverbed

Gold Sponsors:
Hewlett Packard
Imperva

Silver Sponsors:
Barracuda
SecureNet
Checkmarx
Acunetix
DenyAll
Security Innovation

Bronze Sponsors:
Schutzwerk
Tele-Consulting
Trustwave
Microsoft
Ergon Informatik

Tuesday, July 23, 2013

Message from James Landis: Project Leader of the OWASP Periodic Table of Vulnerabilities

Would you like to eliminate web application vulnerabilities forever? The OWASP Periodic Table project is designed to help do just that! The project is currently in the open comment phase. We need your help to make sure we have prescribed the right mix of solutions and the project meets the high standards of quality you have come to expect from OWASP. 

Please use the survey link below to guide you through the project materials and collect your feedback. $100 gift cards will be awarded at random to those who complete the survey (one card will be awarded for every 100 people who respond). And remember, OWASP is a charitable organization; if you try to hack or game the survey process, you're a bad person and you should feel bad about yourself. 

Thanks in advance for your help!

Message from Eric Sheridan: Project Leader of the OWASP CSRFGuard Project.

Attention folks!

Interested in leading up the efforts on a high visibility open source project at OWASP? How about co-leading the OWASP CSRFGuard Project! This project is used by organizations big and small and is often considered a reference implementation for mitigating CSRF vulnerabilities in web applications. Step up and help us out!

Snazzy marketing speak aside... I simply don't have the time to write the large amount of code for this project these days and am in need of a co-leader to help drive it along. Is there anyone interested in being a co-leader for this project? The role would entail:

1) addressing a handful of outstanding issues (ex: browser support, fixing bugs in JavaScript code, etc)

2) design/implement/maintain new functionality to facilitate adoption

3) help others address issues on mailing lists, etc.

This is a high visibility project and would give you a lot of exposure.
Any takers? Please contact Eric at

Help Wanted - CareerFair

 Participating CareerFair Companies


Are you an application security specialist looking for a new challenge? One of the highlights of OWASP AppSec USA 2013 will be a Career Fair featuring security officers and recruiters from leading Software Security employers. This is your chance to avoid the frustrations of applying online and meet directly with decision-makers in a quiet interview setting.


OWASP Summit 2013


What is the OWASP Project Summit?

The OWASP Project Summit is a smaller version of the much larger OWASP Summits. This event activity gives our project leaders the opportunity to showcase their project progress, and have attendees sit down and work on project tasks during the event. It is an excellent opportunity to engage the event attendees, and it gives project leaders the chance to move forward on their project milestones while meeting new potential volunteers that can assist with future milestones.

What OWASP Projects will be at the Summit this year?

Visit :  for more information

AppSecUSA 2013

Open Web Application Security Project (OWASP) is an open-source, not-for-profit application security organization made up of corporations, educational organizations, and individuals from around the world. Providing free, vendor-neutral, practical, cost-effective application security guidance, the organization is the de-facto standards body for web application security used by developers and organizations globally.

Join 2,500+ attendees. Executives from the Fortune 500, thought leaders, security architects and developers, gather to share cutting-edge ideas, initiatives and technology advancements.
  • Two days of training and two day conference
  • Four tracks focusing on the core OWASP mission (Builder, Breaker, Defender)
  • Keynote addresses by world renowned Industry experts
  • Exhibit area offering solutions to your application security challenges
  • Global Reach: OWASP supports 30,000+ individual participants, more than 65 organizational and 60 academic supporters via 200 local chapters in 75+ countries across 6 continents.

Visiting NYC

Important to all Industries: Access to key representatives and decision-makers from major Financial Services, Insurance, e-Commerce, Retail, Pharmaceutical, and Government sectors
World renowned speakers

OWASP AppSec 2013 provides sponsors exclusive access to its audience in New York City through a limited number of exhibit spaces.

OWASP events attract a worldwide audience interested in “what’s next?” — As an OWASP Conference sponsor, your brand will be included as an answer.

Sponsorship opportunities feature significant discounts for OWASP members, providing year-round access to web application security’s top thinkers and the use of OWASP materials in product and service delivery. All proceeds support the conference and the mission of the OWASP Foundation (501c3 Not-For-Profit), driving funding for research grants, tools and documents, local chapters, and more. 

For more information visit

Monday, July 22, 2013

Grants and Fundraising Internship Opportunity with OWASP

The Application Period is now closed. (August 26, 2013)

Grants & Fundraising Intern

The OWASP Foundation is currently seeking an Intern to help with the Fundraising and Grant Writing activities planned for the remainder of 2013. This is an excellent opportunity for an individual seeking to gain more experience in grant research, writing, and planning activities for a global non-profit organization. Applicants from around the globe are encouraged to apply as this role will be managed as a telecommute position.

The responsibilities and tasks of the Grants and Fundraising intern include but are not limited to:
  • Managing communications from the OWASP Community, including assisting with campaigns, donor/member solicitation and acknowledgements, and tracking contact information and conversations.
  • Participating in grant writing initiatives and facilitating OWASP Community contributions to our Grants Program.
  • Managing the grants mailing list and the Salesforce grant accounts.
  • Ongoing maintenance and development of the social networking presence in relation to grants, including Twitter, Facebook, YouTube, etc.
  • Participating in staff meetings on planning, processes, and coordination.
  • Providing administrative support as needed to the OWASP Projects Manager.
  • Dedicating 20 hours per week to this internship opportunity.

Qualifications: the successful candidate will:
  • Be an undergraduate or graduate student studying public or non-profit management, and have a demonstrated interest in strategic organizational issues as well as software security.
  • Have an entrepreneurial spirit and enjoy working in a highly autonomous environment.
  • Be skilled at internet research, and be able to digest large amounts of information into clear points.
  • Be a good communicator and team player.
  • Be able to multi-task, be extremely organized and have a meticulous attention to detail.
  • Have strong oral and written communication skills.
  • Balance a desire to learn, take initiative, and suggest better practices with a willingness to take constructive feedback and guidance.
  • Demonstrate personal computer skills, including basic troubleshooting.
  • Have Word, Excel and PowerPoint experience, and have the willingness to learn other software tools.
  • Demonstrate use of and comfort navigating Web 2.0 sites and tools, including blogs, social networks, video and photo sharing, etc.
  • Familiarity with for Nonprofits is highly desirable.

Recruitment and Internship Timeline
  • Application Deadline: Monday August 26 2013 5PM GMT
  • Interviews Scheduled: First Week of September
  • Selection Announcement: Monday, September 09th 2013
  • Start Date: Monday, September 16th 2013
  • Internship End Date: Monday, January 13th 2014

How to Apply
To submit your application for the Grants and Fundraising Internship opportunity, please e-mail the following items to the OWASP Projects Manager, Samantha Groves.
  • A cover letter outlining your interest in the role, and why you are the best candidate for the internship.
  • A copy of your resumé.
  • In your e-mail, please be sure to note down what university/college program you are currently enrolled in.
Please e-mail the items above to, and title your e-mail "Grants and Fundraising Internship Application".

The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

For more information on this role, please contact the OWASP Projects Manager:

Message from Andrew Muller: OWASP Testing Guide Project Co-Leader

Hello OWASP Leaders,

It's no secret that many of our projects are not progressing as well as we'd like. One of these is the Testing Guide. The Testing Guide is one of the most visible OWASP products and used by testers all over the world. So Mat and I are giving a three fingered salute to the Testing Guide and getting it back on track. We've cataloged all of the articles that require writing, how much effort is required and started a list of contributors to each of these articles (drop us a line if you'd like to read it).

Many of the main tasks required for release are now complete, so now we're focused on a sprint to release. For this we need your help. We're asking OWASP leaders to help us find and revive contributors with the time, expertise and [most importantly] commitment to complete the writing of Testing Guide articles. We'll be conducting a set of sprints to get the revision wrapped up and released by the end of 2013.
One of the key tasks we're seeking to achieve is alignment between the Testing Guide and other OWASP products, chiefly the Dev Guide. Finding vulnerabilities is only the halfway point to fixing them. Again, we've cataloged the Testing Guide test cases and aligned them with their equivalents in the Dev and Code Review Guides. The list is incomplete, but we're making progress (again, let us know if you want to read it).

So if you've worked on the Dev or Code Review Guide, we could also use your help. Sam G will be helping us wrangle the contributors (including Mat and myself) so if you hear from her, please don't ignore her. Even two words in an email will let everyone know how you're progressing.
Thanks for your help.
Regards,
Andrew Muller
Testing Guide Project co-leader
Canberra, Australia chapter leader

Sunday, July 21, 2013

OWASP in Vegas: Black Hat USA and Def Con 21

OWASP Community Members -

Many of you will surely be in Las Vegas next week for one or more of the conference events going on: Black Hat USA, B-Sides Las Vegas, and Def Con 21.  I wanted to give you an update on where to find OWASP while you are there!

Are you going to Vegas and want to help us promote OWASP? Or are you presenting on OWASP and we missed you in this call out? Or do you want to schedule some face time with OWASP staff members (Sarah Baso, Kelly Santalucia, or Samantha Groves)?  Contact us with updates and requests.

OWASP will have a booth (table top E3) at Black Hat in the foyer area outside the Emperor's Ballroom. Stop by and visit with OWASP staff, volunteers, board members and pick up a Las Vegas "emergency kit"!

OWASP Projects giving demos at the Black Hat Arsenal

Xenotix XSS Exploit Framework, presented by Ajin Abraham:
Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in web applications. It is essentially a payload-list-based XSS scanner and XSS exploitation kit and has the world's second largest XSS payload list. It gives a penetration tester the ability to test every XSS payload in the list against a web application. The tool supports both a manual mode and automated, time-sharing-based test modes. The exploitation framework in the tool includes an XSS encoder, a victim-side XSS keystroke logger, an executable drive-by downloader and an XSS reverse shell. These exploitation tools help the penetration tester create proof-of-concept attacks against vulnerable web applications when writing a penetration test report.

OWASP Broken Web Applications VM, presented by Chuck Willis:

The Open Web Application Security Project (OWASP) Broken Web Applications project provides a free and open source virtual machine loaded with web applications containing security vulnerabilities. This session will showcase the project VM and exhibit how it can be used for training, testing, and experimentation by people in a variety of roles. Demonstrations will cover how the project can be used by penetration testers who discover and exploit web application vulnerabilities, by developers and others who prevent and defend against web application attacks, and by individuals who respond to web application incidents. New features and applications in the recently released version 1.1 of the VM will also be highlighted.

Dependency-Check, presented by Jeremy Long:
Does your application depend on third-party libraries? Do you know whether those libraries have published CVEs? Dependency-Check, an OWASP project, can help by identifying and monitoring application dependencies. The core engine scans the libraries, creates an inventory of all dependencies, and reports whether any of them have published CVEs. Dependency-Check's new build plugins will be demonstrated, as well as how the tool can be used for continuous monitoring of your applications and their dependencies.
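To make the two steps in that description concrete, here is an added example, not Dependency-Check's own code: build an inventory of the jars on a classpath, then check each one against published vulnerability records by version range. Everything in it is constructed for the example: the jar file names, the product names, the placeholder identifiers (CVE-0000-000x) and the affected-version ranges are hypothetical, and parsing product and version out of a file name and matching on product name alone is a simplification of the evidence-based CPE matching the real tool performs.

```python
"""Added example (not Dependency-Check's own code): inventory the jars on a
classpath and flag the ones whose version falls inside a published affected
range. All product names, jar names and CVE ids below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VulnRecord:
    cve_id: str       # placeholder id, constructed for this example
    product: str      # product name the record applies to
    start_incl: str   # first affected version (inclusive)
    end_incl: str     # last affected version (inclusive)


# Constructed vulnerability feed; a real scan pulls the NVD data feed.
FEED: List[VulnRecord] = [
    VulnRecord("CVE-0000-0001", "example-upload", "1.0", "1.2.2"),
    VulnRecord("CVE-0000-0002", "example-upload", "1.0", "1.3.0"),
    VulnRecord("CVE-0000-0003", "example-json", "2.0.0", "2.4.9"),
]

# Constructed classpath listing, as a build plugin would see it.
SAMPLE_JARS = [
    "example-upload-1.2.1.jar",
    "example-upload-1.3.1.jar",
    "example-json-2.4.3.jar",
    "unknown-lib-0.9.jar",
    "README.txt",
]

# "<product>-<version>.jar": the product may itself contain dashes, so the
# version is anchored on the first dash that is followed by a digit.
_JAR_NAME = re.compile(r"^(?P<product>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


def identify_jar(filename: str) -> Optional[Tuple[str, str]]:
    """Return (product, version) for a jar file name, or None if the name
    does not look like a versioned jar."""
    m = _JAR_NAME.match(filename)
    if not m:
        return None
    return m.group("product"), m.group("version")


def version_key(version: str) -> tuple:
    """Make versions compare numerically rather than lexically: 1.10 > 1.9,
    and a pre-release tag sorts before the bare number it qualifies
    (2.0-rc1 < 2.0). A shorter version sorts before a longer prefix-equal
    one (1.2 < 1.2.0), which is the usual tuple behaviour."""
    key = []
    for piece in version.split("."):
        number, _, tag = piece.partition("-")
        key.append((int(number) if number.isdigit() else 0, 0 if tag else 1, tag))
    return tuple(key)


def is_affected(product: str, version: str, rec: VulnRecord) -> bool:
    """True when the record names this product and the version lies inside
    the record's inclusive affected range."""
    if product != rec.product:
        return False
    v = version_key(version)
    return version_key(rec.start_incl) <= v <= version_key(rec.end_incl)


def scan(jar_names: List[str], feed: List[VulnRecord]) -> Dict[str, List[str]]:
    """Map each jar with at least one matching record to its CVE ids."""
    findings: Dict[str, List[str]] = {}
    for name in jar_names:
        ident = identify_jar(name)
        if ident is None:
            continue  # not a versioned jar; nothing to match on
        product, version = ident
        hits = [rec.cve_id for rec in feed if is_affected(product, version, rec)]
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for jar, cves in scan(SAMPLE_JARS, FEED).items():
        print(f"{jar}: {', '.join(cves)}")
```

Run it as a script to print the findings. Two results are worth noticing: unknown-lib-0.9.jar is silent because no record names it, which is absence of data rather than absence of risk, and example-upload-1.3.1.jar is clean only because it is one patch release above the last affected version in the second record, so the version comparison has to be numeric, not string-based, for that boundary to be correct.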


No official booth but many OWASPers will be floating around the conference, volunteering as goons at swag, and participating in talks.

Are you ready to party?

OWASP AppSec USA is sponsoring "Def Con Parties" on Friday night at the Rio Hotel. This party is open to anyone with a Def Con badge.

Tuesday, July 16, 2013

OWASP Connector July 16, 2013




OWASP OpenSAMM Project

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.  SAMM was defined with flexibility in mind such that it can be utilized by small, medium, and large organizations using any style of development.  Additionally, this model can be applied organization-wide, for a single line-of-business, or even for an individual project.  For more information, please visit the OWASP OpenSAMM Project wiki page.


OWASP Wordpress Security Checklist Project

While there are several good articles on how to secure a WordPress installation, there is no project on this topic that people can discuss and contribute to as a definitive, consistent checklist.  This project aims to fill that gap.  For more information, please contact the project leader, Dan Vasile.

OWASP Windows Binary Executable Files Security Checks Project

The "Windows Binary Executable Files Security Checks" documentation project aims to provide a security check-list and the tools necessary to assess the security of Windows executable files.  For more information, please contact the project leader Dan Vasile.

OWASP Supporting Legacy Web Applications in the Current Environment Project

Legacy web applications are a reality in life.  Even now, there are several out there, some of them supporting sensitive business areas like banking, insurance, marketing, and idea generation.  As these applications get outsourced for maintenance, security becomes a crucial aspect both from a perspective of outsourcing and the inherent vulnerabilities of the web app.  I would like to highlight these challenges and bring forth the critical security points in legacy web apps.  For more information, please contact the project leader Shruti Kulkarni.

OWASP SeraphimDroid Project

SeraphimDroid is an educational application for Android devices that helps users learn about the risks and threats posed by other Android applications.  SeraphimDroid scans your device and teaches you about the risks and threats arising from application permissions.  For more information, please contact the project leader Nikola Milosevic.


OWASP Project Summit:  AppSec USA

The OWASP Project Summit is a smaller version of the much larger OWASP summits.  This event activity gives our project leaders the opportunity to showcase their project progress, and have attendees sit down and work on project tasks during the event.  It is an excellent opportunity to engage the event attendees, and it gives project leaders the chance to move forward on their project milestones while meeting new potential volunteers that can assist with future milestones.  Register for AppSec USA and don't miss out on this great opportunity to work on an OWASP Project.

OWASP Project Leader Workshop:  AppSec USA

The Project Leader Workshop is a 45 minute event activity that brings together current and potential OWASP project leaders to discuss project related issues and topics.  Register for AppSec USA and don't miss out on this great opportunity to learn more about how to lead an OWASP Project.

OWASP Women in AppSec News!

The Women in AppSec Call for Applicants is now open.  Apply now if you are a female student at either the undergraduate or graduate level, an instructor, or a professional working woman who is interested in sponsorship to attend the AppSec USA 2013 conference in New York City.  Apply here:  Application Form.

OWASP AppSec EU 2013

The Full Conference Schedule is Online

Pre-conference training classes are filling up fast

A limited number of sponsorship opportunities are still available, contact us to reserve your spot

Call for Training and Call for Papers are now open (Deadline is August 2, 2013) - Click Here to submit your training or your talk

OWASP AppSec USA 2013
Click Here for the full schedule of Talks and Training Classes

Contact Us to secure your sponsorship opportunity for the exhibit hall or for the career fair

Click Here to find out about all the awesome activities planned for the conference (Lockpick Village, Career Fair, OWASP Project Summit, Project and Chapter Workshops, 3K for Charity, and more ...)


We want ALL chapters, GLOBALLY, to share in the success of this event.  For each ticket to AppSec USA that your chapter sells between July 15 and August 15, your chapter will receive $50 USD in your chapter's account.  Be sure your referrals enter in the appropriate promotional code during registration.

AppSec USA promotional resources

List of Chapter Codes to be entered during registration


OWASP China 2013 Forum - July 12-22; Beijing, Shanghai, and Guangzhou

OWASP India Conference 2013 - Aug 30-31; New Delhi, India

Ghana Cyber Security - September 5-6; This event is looking for speakers to help grow the OWASP presence in Africa!  Contact Theodore Sagoe for details

OWASP New Zealand Day 2013 - Sept 11-12; Auckland, New Zealand - Call for Presentations, Training, and Sponsorship is OPEN!

LASCON 2013 - Oct 24-25, Austin, TX
Call for proposals is open until July 31 - Submit your proposal!


OWASP has partnered with these great events in the latter half of 2013 to grow our community and build awareness around software security.  If you want to learn more about OWASP's involvement or will be attending and want to participate, please




We would like to thank
eLearn Security
for their new membership and
Gotham Digital Science
for their renewal


The deadline to submit your candidacy is August 16, 2013.

We would like the community to submit interview questions.  These questions will be posed to the candidates during the pre election interviews.

Voting is limited to paid/honorary members who are in good standing as of September 30, 2013.  Be sure to join or renew your membership


The WASPY (Web Application Security Person of the Year) Awards were started in 2012 with the assistance and sponsorship of Qualys and Trustwave.  This year, the awards will recognize 5 different individuals in 5 different categories.

Take advantage of this opportunity to help OWASP globally recognize members of our community for their efforts to drive awareness of software security through leadership, outreach, and innovation.



Register to participate in the OWASP Webinar Series.  This provides an opportunity to review some of the top security talks AND earn CPE credits!

The next webinar is scheduled for Wednesday, July 24, 2013.  The talk is "Four Axes of Evil" by HD Moore, a showing of his AppSec USA 2012 presentation.

Wednesday, July 24
Four Axes of Evil: HD Moore
at 10am EDT: register here
at 9pm EDT: register here

Wednesday, August 14
Jack Mannino unveils the MAJOR release for GoatDroid
at 10am EDT (live webinar): register here
at 9pm EDT (replay of the live webinar): register here

If you are interested in giving a live presentation during the webinar series, please contact us.




Kate Hartmann
+1 301-275-9403