Tuesday, August 27, 2013

Global Connector Election Edition


2013 OWASP International Global Board of Directors Election

The OWASP Foundation Board of Directors consists of six elected volunteers.  These unpaid volunteers dedicate themselves to the organizational mission and play a pivotal role in the software security community.  OWASP conducts democratic elections of its Board Members to enable bottom-up advancement of its mission.

OWASP bylaws specify the board must be between 5 and 7 members.  Currently the OWASP board is 6 members.  The current board voted to extend the number to 7 members.  The 2013 election will now seat 4 spots instead of 3.  The newly elected board members will begin their terms Jan 1, 2014.  At this time we'll see the board officially expand to 7 members.

2013 Board Candidates

Please click a candidate's name for their bio and "why me" statement.

Abbas Naderi Afooshteh
Kelvin Arcelay
Ezendu Ariwa
Sergi Belokamen
Fabio Cerullo
Michael Coates
Bil Corry
Tobias Gondrom
Tahir Khan
Timur Khrotko
Martin Knobloch
Gregory Disney-Leugers
Jason Li
Yiannis Pavlosoglu
Ludovic Petit
Josh Sokol

Who Can Vote?

OWASP Paid Individual Members, Paid Corporate members (get one vote), and Honorary Members registered as of 30-September-2013 will all have one (1) vote per seat (there are four (4) seats up for election). 

Election Timeline

May 7 - Call for Candidates

August 11 - Call for Candidates, Reminder

August 16 - Deadline for Call for Candidates

August 22 - Candidates announced LIVE at AppSec EU 2013 as well as on all social media, in the Connector and by email to the leaders list.

August 25 - Deadline for questions to be submitted for use during interviews: 2013 Election Questions

September 6 - Deadline for recordings to be completed

September 30 - Paid & Honorary membership application deadline: Honorary Membership Self Nomination Form

October 9 - Q & A Webinar

October 14 - Voting Begins

October 25 - Voting ends

October 29 - Election result announcement

For more information, historical data, links to announcements, and membership information, please visit the 2013 Global Election Page.

The Membership Deadline to participate in the 2013 Global Board Election AND the 2013 WASPY awards is September 30, 2013.  Please visit the Membership Page to get information on how to renew or how to join.

Web Application Security People of the Year Awards 2013

Every year a group of individuals, including researchers, developers, security professionals and others, work to ensure the security of web applications.  Some of these individuals are featured in news stories or at conferences as recognized experts.  But there are many other 'unsung heroes' who work every day to improve web application security and yet are rarely recognized.

With the support of sponsors, OWASP is able to provide a platform for peer recognition.  2013 will recognize all participants and one winner in 5 different categories.  This year's nominees are:

Best Chapter Leader

David Hughes - Austin
Trenton Ivy - Milwaukee
Abbas Naderi - Iran
LA Chapter Team - Tin Zaw, Richard Greenberg, Kelly FitzGerald, Stuart Schwartz, Edward Bonver
Jack Mannino - Northern Virginia
Jonathan Marcil - Montreal
Paul Scott - Houston
Dhruv Soi - India
John Wilander - Sweden

Best Project Leader

Simon Bennetts - ZAP
Roberto Merida (Epsylon "psy") - XSSer
Abbas Naderi - PHP Security Project
Andrew van der Stock - Developer Guide

Best Community Supporter

Fabio Cerullo
Jason Montgomery
John Montgomery

Best Mission Outreach

Fabio Cerullo
Martin Knobloch
John Wilander

Best Innovator

Tanoh Aka Marcellin
Abbas Naderi

Please Click Here to view each candidate's nomination citation.

WASPY award voting will be included on the Global Election Ballot in October.

This recognition opportunity is completely funded by our generous sponsors.  To be part of this unique opportunity to support the community, please CLICK HERE.  Projects and Chapters are also able to support this effort through donation of their chapter or project funds.  NOTE:  Sponsorship of this award will not affect the outcome.
OWASP AppSec USA 2013

Registration is now LIVE!  Click here to register and take advantage of early bird pricing.

Click Here for the full schedule of Talks and Training Classes


OWASP India Conference 2013 - Aug 30-31; New Delhi, India
Ghana Cyber Security - Sept 5-6
OWASP New Zealand Day 2013 - Sept 11-12; Auckland, New Zealand
LASCON 2013 - Oct 24-25, Austin, TX


OWASP Webinar Series


Register to participate in the OWASP Webinar Series.  This provides an opportunity to review some of the top security talks AND earn CPE credits!

Wednesday September 11, 2013
LIVE - Ken Johnson
Rails Goat Project Webinar
The RailsGoat project provides training for developers and security professionals - all specific to the Ruby on Rails framework.

10am EDT (Live Webinar)
9pm EDT (replay of the Live Webinar)

Wednesday September 25, 2013
LIVE - Josh Sokol
SimpleRisk Webinar
SimpleRisk is an open source tool designed to help better manage and facilitate enterprise risk management.

10am EDT (Live Webinar)
9pm EDT (replay of the Live Webinar)

Wednesday October 9, 2013
LIVE - Global Board Candidate Question and Answers

Interactive question and answer format for the Global Foundation Board Candidates.  Facilitated by Kelly Santalucia.

10am EDT (Live Webinar)
9pm EDT (replay of the Live Webinar)

Wednesday November 6, 2013
LIVE - Kiran Karnad
OWASP Top Ten & Burp
Information and registration coming soon.

We want to highlight projects and research!  If you have a topic that you would like to present, please submit an abstract here:  Contact us


OWASP has partnered with these great events in the latter half of 2013 to grow our community and build awareness around software security.  If you want to learn more about OWASP's involvement or will be attending and want to participate, please


Friday, August 23, 2013

Nominees for the 2013 WASPY Awards have been announced. Find out who was nominated here https://www.owasp.org/index.php/WASPY_Awards_2013

Two days left to submit your questions for the 2013 Board Candidate Interviews

The deadline for questions to be submitted for use during the candidate interviews is August 25, 2013.

Be sure to submit your questions today! 2013 Election Questions

Thursday, August 22, 2013

Board Candidates Announced!

Candidates for the OWASP 2013 Board Election have been announced!

Tuesday, August 20, 2013

Outcomes from August, 2013 Board Off-Site

The board met for 8 hours on August 19th before AppSecEU for a board off-site. I wanted to provide a recap for those that may be interested.
  1. 30 minutes - Open session - Air any concerns
  2. OWASP Board - purpose, requirements, expectations
    1. Orientation Process
    2. Conflict of Interest Policy
    3. Attendance Expectations
    4. Board Size
  3. Financials
    1. Looking at 2012, 2013 & paths for growth
  4. Legal
    1. Europe entity board representation
  5. Corporate Involvement & Support
    1. Review feedback & proposals
    2. Draft skeleton of plan
    3. Define next steps
  6. [1 hr] [closed portion] - 3 month review of the ED role


Corporate Involvement at OWASP
First, thanks to those that provided thoughts and feedback on the governance thread regarding corporate involvement. It was great to have feedback from OWASP leaders in this complex area.

Corporate Membership - Tiered Structure
- The board voted to move to a tiered corporate membership model. This enables organizations to support OWASP at a variety of levels. We are still fleshing out the final details and we'll soon update the membership matrix. However, there will be 4 tiers ($2,000, $5,000, $20,000, $50,000) with varying benefits provided to the corporate member for each level. For those interested in chapter splits for corporate supporters it will be the following:
$50,000 Corporate Membership - $8000 to local chapter - 16%
$20,000 Corporate Membership - $4000 to local chapter - 20%
$5,000 Corporate Membership - $2000 to local chapter - 40%
$2,000 Corporate Membership - $800 to local chapter - 40%

Corporate Member Logos - Moving to Acknowledgement Page - To provide a single clear page that acknowledges our corporate member supporters we will move the corporate logos from the bottom of the OWASP home page to a dedicated acknowledgement page. The home page will have clear graphics that encourage viewers to click and view the acknowledgements page.

Project Branding & Sponsorship - Project sponsorship by corporate members is a complex item with many positives and negatives to each approach. The key is to provide clarity and guidance. Without these it is not easy for corporations to engage and while many will act with the best interests of OWASP we spend unnecessary cycles debating if individual decisions are correct. The board discussed the issue at length and outlined 3 different potential programs in this area.  We hope to provide a clear plan that will allow us to engage supporters and all understand our overall process.
Next steps:
- The board has outlined 3 different potential programs for project branding and sponsorship. We will clearly document each option including the positives, negatives and other considerations for each option.
- We will circulate these programs to leaders for review. At that time we will ask for any other suggested programs or additions/clarifications to the positives/negatives/considerations of each program.
- Finally, this particular item will be added to the annual vote for a decision by the OWASP members. This particular item is complex with many different potential paths. We as OWASP need to decide which option is right for us. A clear listing of options along with an informed listing of the trade-offs for each option will allow the larger OWASP membership to lead in the decision making on this item.

Board Changes
Board Orientation Documents - An official board orientation set of documents will be created that includes a stated conflict of interest policy (in addition to what we have in the bylaws), 2 required reading short books on non-profit foundations, requirement to read previous financial reports and 990, and links to our to-be created governance page. All board members will sign and acknowledge completion of the orientation by Jan 1, 2014.
Conflict of interest policies will also be extended to all employees and those in decision making roles for global conferences. We see this as a natural step to mature OWASP and better align with non-profit requirements. This is not in response to any concerns.

Board Size - OWASP bylaws specify the board must be between 5 and 7 members. Currently the OWASP board is 6 members. We voted to extend to 7 members. The 2013 election will now seat 4 spots instead of 3. The newly elected board members will begin their terms Jan 1, 2014. At this time we'll see the board officially expand to 7 members.

Quarterly Board Meetings - The board voted to move board meetings from the current schedule of monthly 1 hour meetings to quarterly 4-6 hour meetings. The schedule of meetings will be set by the board in December before the year. It is likely the board meetings will take place on Saturdays or on a dedicated day before a large OWASP conference.  This change is a result of the success of the longer format board meeting and also a result of the Executive Director role that has enabled full time involvement and focus on OWASP operations. This will take effect in January, 2014.

OWASP Finances
Financial Audit - Every 3 years OWASP has engaged an outside firm to audit OWASP finances. We decided to move up our next audit since the organization has grown substantially over the past few years. The next audit will occur in 2013 for an audit of the 2012 filed information. All tax filings and audit information can be found here: https://www.owasp.org/index.php/OWASP_Foundation#Tax_Filings

Review of Finances
- Sarah and team are doing great work understanding OWASP finances and also mapping these into quadrants to reflect income/cost impacts and also value to mission. More information coming soon, but this type of understanding of our income and expenditures will allow us to continue to increase the value return on OWASP funds.

Michael Coates | OWASP | @_mwc

Thursday, August 15, 2013

Last Call for 2013 Election - Board of Directors Candidates Deadline Friday August 16


OWASP Community Members -

A friendly reminder that this year there are 3 seats for the OWASP Global Board of Directors open for election.   Tomorrow, Friday August 16th is the deadline for declaring your candidacy if you are interested in running.

Individuals who are interested in running for the board are strongly encouraged to read the International Board of Directors Primary Responsibilities as well as the Eligibility Requirements for Board Candidates before submitting the Candidate Submission form.

Honorary Membership is available for active project and active chapter leaders with their leadership positions on file prior to September 30. **ALL qualified individuals who wish to be granted Honorary Membership MUST apply for Honorary Membership in order to vote in this year's election.** The deadline to submit your self nomination form for Honorary Membership is September 30.

For more information on this year's Board Election, including the Election Timeline, Call for Candidates form and the Honorary Membership form, please see http://owasp.com/index.php/2013_Board_Elections.

Wednesday, August 14, 2013

Join OWASP in PERU for AppSec Latam 2013


OWASP Community Members:

We are pleased to announce that registration is now open for AppSec Latam 2013. Please visit the website for more information on how to register for the event. The deadline for the early bird registration discount is September 1st, so REGISTER NOW to take advantage of the lowest possible rate!

The OWASP Peru chapter will host the OWASP AppSec Latam 2013 conference in Lima, at the Universidad Tecnologica del Peru. The event will be composed of 2 days of training (October 1-2), followed by 2 days of conference talks (October 3-4).

We are offering the following great training courses:
  • Hacking-Hands On (2 day class in English) by Jordan M. Bonagura.
  • How to Secure the SDLC (2 day class in Spanish) by Javier Romero.
  • Scripting for Penetration Testers (2 day class in Spanish) by Walter Cuestas.

And we have announced keynotes from:
  • OWASP Foundation
  • Tony UcedaVelez from Versprite
  • Cristian Borghello from Segu-Info
Our full listing of speakers and details on the event are listed at our conference website: http://owaspappseclatam2013.sched.org/

Don't miss out on this Latam application security event!

OWASP Global Connector August 14, 2013

 OWASP Global Connector August 13, 2013


OWASP Projects Defined:  Answers to Community Questions and Feedback
Recently, we have received many questions relating to our OWASP Projects.  Projects Manager, Samantha Groves, has put together a brief overview of OWASP Projects, and has answered some of the most common questions we have received from the community.  Learn more about our Projects Platform by visiting the OWASP Blog.


OWASP O2 Platform

The OWASP O2 Platform is a collection of open source modules that help Web Application Security Professionals to maximize their efforts and quickly obtain high visibility into an application's security profile.  O2 is designed to automate application security knowledge and workflows, and to allow non-security experts to access and consume Security Knowledge.  Please visit o2platform.com if you would like more information on the project as most O2 content is still on the external site.  If you would like to contribute, please visit the OWASP O2 Platform Project GitHub Repository, or contact Project Leader Dinis Cruz for more information.


OWASP Unmaskme Project

The goal of this tool is to raise security awareness among web owners in order to help decrease the constant rise of compromised websites.  It can scan public resources while extracting metadata from any website (either domain name or IP address, no resource) and will explain it in a brief summary.  The extraction is totally passive, just like browsing the website; otherwise the tool couldn't be online for public use.  It's based mainly on HTTP headers and metadata.  For more information, please contact the project leader, Emilio Casbas.

OWASP File Format Validation Project

This project was created to provide developers with a library to help them validate file formats properly.  Validation is based on the official specifications (ISO, RFC, ITU-T, ...) of the tested formats, and not only on signatures.  For more information, please contact the project leader, Georges-B Michel.


OWASP OWTF Project:  0.30 Summer Storm II Released!

Abraham Aranguren, Project Leader for the OWASP OWTF Project, has just announced the release of OWASP OWTF 0.30 Summer Storm II.  This is another very significant release, which includes the continued work of a handful of Google Summer of Code Projects.  If you want more information on the release and the OWASP OWTF Project itself, please visit the project blog or contact Abraham directly.

OWASP Webinar Opportunities for Project Leaders

Are you a project leader interested in promoting your project via one of our bi-weekly webinars?  We currently have a handful of free time slots available for project leaders who would like to give a talk and/or demo their project.  If you are interested in taking advantage of this opportunity, please reach out to the OWASP Projects Manager, Samantha Groves.

OWASP Women in AppSec News!

The Women in AppSec Call for Applicants is now open.  Apply if you are a female student at either the undergraduate or graduate level, an instructor, or a professional working woman who is interested in sponsorship to attend the AppSec USA 2013 Conference in New York City.  The application deadline is Monday, September 09, 2013 at 5PM GMT.  Contact Samantha Groves if you have any questions about the program.  Submit your application here:  Application Form

Marketing Collateral:  Seeking Community Input

The OWASP Ops team is happy to report that the marketing project we have been working on with Sisterworks and Design Foundry is in the final stages of delivery.  We are now at a point where we would like to seek community input on a handful of the most critical marketing pieces we have developed with our contractors.  We have set up a wiki page to facilitate comments and votes from the community.  You can find more instructions on the process on this page.  Please visit the Marketing Community Input page to view, comment, and to vote on each marketing piece.

OWASP AppSec EU 2013

Last chance to register for this fantastic event happening next week!  Register Now 

The Full Conference Schedule is Online

Keynote speakers will be:  Tony UcedaVelez and Cristian Borghello
Full conference schedule and training details coming soon - check the conference website for updates
Registration is now LIVE!  Click here to register and take advantage of early bird pricing.

OWASP AppSec USA 2013

Early Bird pricing ends on August 15th.  Register now to save $300: Click Here

Click Here for the full schedule of Talks and Training Classes

Sponsor opportunities are filling up fast - if you want to be a part of our exhibit hall or career fair, Contact Us ASAP!


We want ALL chapters, GLOBALLY, to share in the success of this event.  For each ticket to AppSec USA that your chapter sells between July 15 and August 15, your chapter will receive $50 USD in your chapter's account.  Be sure your referrals enter in the appropriate promotional code during registration.

AppSec USA promotional resources

List of Chapter Codes to be entered during registration


OWASP Tampa Day 2013 - Aug 19; Tampa, FL
OWASP India Conference 2013 - Aug 30-31; New Delhi, India
Ghana Cyber Security - Sept 5-6
OWASP New Zealand Day 2013 - Sept 11-12; Auckland, New Zealand
LASCON 2013 - Oct 24-25, Austin, TX


OWASP has partnered with these great events in the latter half of 2013 to grow our community and build awareness around software security.  If you want to learn more about OWASP's involvement or will be attending and want to participate, please




Thank you to:

Cloud Flare for their NEW membership
WhiteHat Security for their renewal




AUGUST 16, 2013



September 30, 2013

Deadline to join or to renew your membership to ensure eligibility to vote in the 2013 election and WASPY awards.


The WASPY awards are a way to recognize our amazing volunteers around the world.  Without the support from our sponsors, this would not be possible.  A BIG THANK YOU to Qualys - a solid supporter of the Open source community and these awards!  Contact us to learn more!



OWASP has partnered with the Irish Honeynet Project (a not for profit organization) to conduct the first ever GLOBAL CTF!

This worldwide challenge will be launched at AppSec EU in Hamburg, Germany in August and run through mid November.  The winners will be announced at AppSec USA in New York!
Preliminary information can be found here
Keep checking back for frequent updates and news! 


Register to participate in the OWASP Webinar Series.  This provides an opportunity to review some of the top security talks AND earn CPE credits!

The next webinar is scheduled for Wednesday August 14, 2013.
LIVE - Jack Mannino
Jack Mannino unveils the MAJOR release for GoatDroid

Wednesday August 14

10am EDT (Live Webinar) - register here
9pm EDT (replay of the Live Webinar) - register here

We want to highlight projects and research!  If you have a topic that you would like to present, please submit an abstract here:  Contact us



OWASP Azerbaijan

Azerbaijan is located on the Caspian Sea.  This chapter will be led by Adil Aliyef, Turgut Mehdiyev, and Niyaz Abbasov.

OWASP Bloomington

Bloomington, Indiana is located in the US and is just south of Indianapolis.  This chapter will be led by Neil Weitzel.

Are you looking to start a chapter or put some energy into an inactive chapter?  Please reach out to us by completing this short information sheet.

OWASP Foundation | 1200-C Agora Drive, #232 | Bel Air | MD | 21014 | US


Kate Hartmann
+1 301-275-9403

Tuesday, August 13, 2013

OWASP Projects Defined: Answers to Community Questions and Feedback

Recently, we have received many questions relating to our OWASP Projects. They range from confusion over what an OWASP Project is, project promotion choices, and questions on project quality. While we are working hard on improving OWASP Projects on an operational level, we understand that sometimes we need to shine some light on our work, and add clarity to what it means to be an OWASP Project.

This post is meant to clarify some of these points, and answer some of the questions we have received from the community about our Projects. 

What is an OWASP Project?

Projects are one of the primary methods by which OWASP strives to achieve its mission, which is to make application security more visible. OWASP provides a community based online platform that allows project leaders the opportunity to freely test ideas and theories in an open environment. Leaders are able to leverage the OWASP brand, and the help of a dedicated OWASP Projects manager to guide development.

The goal of an OWASP Project is to create a concrete deliverable - such as a document, a tool, or a code library - that furthers the OWASP mission. It is important to note that OWASP is not a commercial software development company. The aim of the OWASP Projects Platform is to give Project Leaders the space, time, and resources they need to research, create, and grow an idea into a concrete product. 

There is no obligation to create a finished product, but we certainly encourage high quality development. There are many examples of great projects, and those project leaders, as well as the team, are rewarded for their dedication and contributions to our mission and Projects infrastructure. 

Project Types

There are three different stages of an OWASP Project. They are divided into the following categories to identify the maturity level of the project.

OWASP Incubator Projects

OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway. Incubator projects are the first stage in a project's maturity within the OWASP Projects Infrastructure. All new projects are labeled as Incubators once they are accepted into OWASP, and there is no obligation to leave the Incubator stage. The only requirement after acceptance is to keep the project active. 

OWASP Labs Projects

OWASP Labs projects represent projects that have produced a release or a deliverable. For example, a documentation project that has developed a finished book can apply to become a Labs Project. The Project Leader has created a deliverable, and has reached a goal set out in the Incubator stage of the project. This demonstrates dedication to OWASP, and dedication to the project itself.

OWASP Flagship Projects

The OWASP Flagship label is given to projects that have demonstrated superior maturity, established quality, and strategic value to OWASP and application security as a whole. Flagship Project Leaders not only create a deliverable of value, they also actively promote their project, they keep up-to-date on community comments and requests, and maintain the project as active unless the project has reached completion. 

Other Project Categorizations

While OWASP Projects are primarily categorized by their maturity level, it is important to note that projects are categorized in several other ways as well. Projects are categorized by type: Tool, Documentation, Code Library. They are also categorized by Activity. Moreover, we are working on categorizing the projects by region, the OpenSAMM framework, and by Builder, Breaker, Defender types. 

Project Promotion

We try to give our OWASP Project Leaders many different opportunities to promote their work using various mediums. For example, we have speaking opportunities available at our global conferences, Leaders can also give webinars on project developments, and projects can also be showcased on our Connector newsletter. 

These opportunities are available to all of our OWASP Project Leaders, with the exception of certain areas of the Connector. We use the Connector to showcase a project of the month, to introduce new projects to the community, and share news and updates about our projects. Now, while we do realize there is sometimes very little information in the New Project pages, we feel it is very important to let the community know that there are new projects entering the infrastructure. This is one of the ways we use to promote these new projects, and encourage our new Project Leaders.  

OWASP Project Quality & Realistic Expectations

There has been quite a bit of debate over the quality of our OWASP Projects. There seems to be some confusion related to the amount of influence OWASP has over the quality, timeline, and overall product of an OWASP Project. The most important point to remember is that OWASP is a platform for ideas within the software security landscape. We provide the space, time, and resources Leaders need to research, create, and grow an idea into a concrete product. However, there is no obligation to create a high quality product, as we are not a commercial organization. This is primarily why our project quality varies so much, and the expectation of having similar quality products from all of our projects is simply unrealistic. OWASP simply provides the space to create, and a wealth of knowledge and experience for Leaders to learn and grow.

I realize this is a brief description of what our OWASP Projects encompass so I would like to welcome members of the community to ask me questions. You can either comment on this blog post or e-mail me directly at Samantha.Groves@owasp.org. Alternatively, you can visit the OWASP Projects page for more information. 

Lastly, the Ops Team would just like to thank everyone who is currently working to improve our project processes, everyone who contributes to project reviews, and the projects themselves. We could not have our OWASP Projects Platform without your contributions and support.