Call for Comment: OWASP Corporate Sponsorship Model
Community Members -
The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP, and all of our materials are available under a free and open software license.
Global OWASP Connector - ELECTION RESULTS

The 2014 Global Foundation Board of Directors will be:
Michael Coates (re-elected)
Tobias Gondrom (newly elected)
Josh Sokol (newly elected)
Fabio Cerullo (newly elected)
Tom Brennan
Jim Manico
Eoin Keary

This year's election boasts the largest number of candidates and the largest percentage voter turnout of any election. Thank you to all the candidates and to all the members who took the time to review the information and cast their vote. Details on the elected board members, the transition plan, documentation on the process, and, as available, statistics on voting can be found at: THE ELECTION PAGE

This year's ballot included a community referendum to assist the Foundation in defining its approach to handling corporate sponsorship. The three options posted were:
1 - Project Leaders Decide All
2 - Standardized across projects and allowing project sponsorship/logos
3 - Standardized across projects and NOT allowing project sponsorship/logos
The community has chosen #2 as its preferred choice. The Foundation Board will work with the Operations team and the Project Leaders to create and document guidelines in this direction. Details on all three options can be found on the Governance/Project Sponsorship page.

The 2013 WASPY (Web Application Security People of the Year) Awards
We were very excited about the number of nominations in each of the categories for this year's awards. Although there can only be one winner in each category, we would like to again congratulate all those who were nominated.
All of the nomination information, as well as more information on the Awards, can be found on the 2013 WASPY page.

Best Chapter Leader
Winner: LA Chapter - Tin Zaw, Richard Greenberg, Kelly FitzGerald, Stuart Schwartz, Edward Bonver
Nominees: Jack Mannino - NOVA; John Wilander - Sweden; Paul Scott - Houston; Jonathan Marcil - Montreal; Abbas Naderi - Iran; Trenton Ivey - Milwaukee; David Hughes - Austin; Dhruv Soi - India

Best Project Leader
Winner: Simon Bennetts - ZAP
Nominees: Abbas Naderi - PHP Security; Andrew van der Stock - Developer Guide; Epsylon "psy" - XSSer

Best Community Supporter
Winner: Fabio Cerullo
Nominees: Jason Montgomery; John Wilander

Best Mission Outreach
Winner: Martin Knobloch
Nominees: Fabio Cerullo; John Wilander

Best Innovator
Winner: Abbas Naderi
Nominees: Tanoh Aka Marcellin
Global OWASP Connector - October 22, 2013

2013 Project Summit
On November 18-21, OWASP will be hosting the 2013 Project Summit in tandem with this year's AppSec USA in New York City. This 4-day, hands-on experience is open to all conference attendees. Project Leaders will be showcasing their projects and collaborating with attendees on enhancements and tasks. While the sessions are open to all, registration is requested. Sessions begin Monday, November 18 and run through Thursday, November 21. A complete schedule of sessions, topics, and activities, as well as links to sign up to participate, can be found on the conference schedule site.

NEW OWASP Projects
OWASP Vulnerable Web Applications Directory Project
The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well-maintained registry of all known vulnerable web applications currently available. These vulnerable web applications can be used by web developers, security auditors, and penetration testers to put their knowledge and skills into practice during training sessions (and especially afterwards), as well as to test at any time the many hacking tools and offensive techniques available, in preparation for their next real-world engagement. For more information, please contact the project leaders, Simon Bennetts and Raul Siles.

New Project Releases
OWASP Mantra-OS released their "Cannon" beta. The virtual core now creates a complete sandbox. It contains lxc, libvirt, kvm, libxen, libmacho, and vzctl. Additionally, the leaders are happy to report that further development with libdispatch, liblightning, and libjit makes it extremely fast. Download Here. For more information, please contact the project leader, Gregory Disney.

Message from Project Leader, Jim Manico: Authentication Cheat Sheet
I'm in the process of doing an edit-pass of the OWASP Cheat Sheet series. I'd like to start with authentication. A lot has changed since we first authored the Cheat Sheets. Would anyone like to take a stab at refreshing and updating this page? If you are interested in helping out, please contact Jim Manico.

New Support email is now available. To reach a staff member, email: support@owasp.org

OWASP AppSec USA 2013 - www.appsecusa.org/2013/
Full Schedule of Keynotes, Panels, Conference Talks and Classes. Amazing line-up of activities including: OWASP Project Summit, Lockpick Village, 2 CTFs, 3k for Charity, and Open Mic Sessions. Sponsor opportunities - Table sponsorships are FULL, but if you want to get involved, there are still a few options available. Please contact us ASAP!

Save the Date ... 2014 Global Conference Schedule:
AppSec APAC 2014 - March 17-20, Tokyo, Japan
AppSec EU - June 23-26, Cambridge, UK
AppSec USA - September 15-18, Denver, CO

Local and Regional Events
LASCON 2013 - Oct 24-25, Austin, TX
Houston November Mini-Con - Nov 15, Houston, TX
OWASP BeNeLux - Nov 28-29, Netherlands
BASC 2013 - Dec 14, Cambridge, MA
AppSec California 2014 - Jan 27-28, Santa Monica, CA - CFP open until November 15, 2013 - Submit your talk!

Partner and Promotional Events
RSA Conference Europe 2013 - Amsterdam, Netherlands, October 29-31
BSidesDFW 2013 - Dallas, TX, November 2
Atak i Obrona (Attack & Defense) 2013 - Poland, November 26
Cloud Security Alliance Congress 2013 - Orlando, FL, December 4-5 - OWASP Members receive a 10% discount by using discount code: CSA13/OWASP

Thank you to our Newest Corporate Member: Software Assurance Marketplace
Thank you to our Renewed Corporate Member: Gemalto
Media Partner: Information Security Buzz

THE ELECTION PAGE
The Voting Process is now underway. All eligible voters will have already received their ballot via email. Voting is OPEN until October 25, 2013.

The WASPY (Web Application Security Persons of the Year) Awards are funded solely by our sponsors. Thank you to Qualys for generously supporting the 2013 awards as a Platinum Sponsor. If you are interested in sponsoring the awards, please contact us. Corporate sponsors AND Chapter sponsors are encouraged to participate. Voting is underway NOW. FULL SPONSORSHIP INFORMATION CAN BE FOUND HERE

OWASP Webinar Series
Wednesday, October 23, 2013 Live - Jason Johnson, Project Leader - OWASP Hive Project: Welcome to the Grid. Jason will walk us through the OWASP Hive Project - the HIVE project started out as an idea for a learning platform created by using some small, capable PCs to do our bidding - now look at the progress! 10 am EDT / 9 pm EDT
Wednesday, November 6, 2013 Live - Kiran Karnan, Project Leader - OWASP Top Ten & BURP. Kiran will demonstrate the Top Ten using BURP. 10 am EDT / 9 pm EDT
Wednesday, December 4, 2013 Live - Abbas Naderi, Project Leader - OWASP PHP Security Project. Abbas will demonstrate the existing and planned features of his project. 10 am EDT / 9 pm EDT
The Global Webinar Series wants to feature your Project. Please contact Kate Hartmann or Samantha Groves to schedule your project webinar.
Global OWASP Connector - October 9, 2013

Featured OWASP Project: OWASP CSRFGuard Project
OWASP CSRFGuard is a library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks. The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter, and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML. When a user interacts with this HTML, CSRF prevention tokens (i.e. cryptographically random synchronizer tokens) are submitted with the corresponding HTTP request. It is the responsibility of OWASP CSRFGuard to ensure the token is present and is valid for the current HTTP request. For more information on the CSRFGuard project, please contact the project leader, Eric Sheridan.

NEW OWASP Projects
OWASP Node.js Goat Project
Node.js is a widely adopted platform for developing web applications. This project provides an environment to learn how the OWASP Top 10 security risks apply to web applications developed using Node.js, and how to effectively address them. For more information, please contact the project leader, Chetan Karande.

OWASP Pygoat Project
The Pygoat Project is similar to the WebGoat or RailsGoat projects in that it is an application specifically designed to be insecure, in hopes of teaching others about code flaws in web applications. In this specific context, it will focus mainly on Python and Django code libraries. For more information, please contact the project leader, Kyle Rippee.

OWASP Python Security Project
Python Security is a free, open source project that aims at creating a hardened version of Python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.
The project is designed to explore how web applications can be developed in Python by approaching the problem from three different angles:
Security in Python: white-box analysis, structural and functional analysis
Security in Python: black-box analysis, identify and address security-related issues
Security with Python: develop security-hardened Python suitable for high-risk and high-security environments
For more information, please contact the project leader, Enrico Branca.

3 New Project Releases!
OWASP Broken Web Applications Version 1.1.1 Released
From Chuck Willis, project leader: I'm proud to announce the release of version 1.1.1 of the OWASP BWA VM. This release is relatively minor, but there were a couple of items that I wanted to address:
- Fixed issue with Tomcat not starting in some circumstances. Thanks to the individuals who reported this issue (that I did not experience) and confirmed the fix.
- Updated Mutillidae and transitioned to use its new Git repository.
- VM is now available for download in .ova format, which should make it easier to use in virtualization packages other than VMware products.

OWASP Java HTML Sanitizer Project v209 Released
The OWASP Java HTML Sanitizer project is a fast and easy-to-configure HTML sanitizer written in Java. This project is a secure coding library that lets you include HTML authored by third parties in your web application while protecting against XSS. The OWASP Java HTML Sanitizer was authored by and is actively maintained by Mike Samuel from the Google application security team. Version 209 was recently released. Change-log information can be found here. If you have questions about this project, please join the project mailing list.

OWASP Zed Attack Proxy 2.2.0 Released
ZAP 2.2.0 is now available HERE. This includes support for scripts embedded in ZAP components like the active and passive scanners, as well as support for Zest - a new security-focused scripting language from the Mozilla security team.
It also supports Mozilla Plug-n-Hack, localization in 20 languages, various minor enhancements and lots of bug fixes. For more details see the release notes. Additionally, if you use ZAP, then please fill in the ZAP user questionnaire linked off the ZAP homepage. This will help us prioritize features for future releases. For more information, please contact the project leader, Simon Bennetts.

Message from Project Leader, Shruti Kulkarni: Seeking Contributors
Legacy applications are a reality. I would like to present vulnerabilities and threats of legacy web applications, and the countermeasures for the same, in my project. I have listed down a few. I would like contributions in these areas, and also pointers on anything else associated with legacy web applications. The project is the OWASP Supporting Legacy Web Applications in the Current Environment Project. For more information, please contact the project leader, Shruti Kulkarni.

New Support email is now available. To reach a staff member, email: support@owasp.org

OWASP AppSec USA 2013 - www.appsecusa.org/2013/
The *draft* schedule is now published
OWASP Project and Leader Summit
Press Releases

Local and Regional Events
OWASP China 2013 Forum - July 12 - Dec 31, Beijing, Shanghai, and Guangzhou
LASCON 2013 - Oct 24-25, Austin, TX
Houston November Mini-Con - Nov 15, Houston, TX
OWASP BeNeLux - Nov 28-29, Netherlands
BASC 2013 - Dec 14, Cambridge, MA
AppSec California 2014 - Jan 27-28, Santa Monica, CA

Partner and Promotional Events
Hack in the Box - October 14-17; Discount code for OWASP Members: OWASP2013
Nullcon - India, Feb 12-15, 2014. Call for papers is OPEN

Thank you to our Newest Corporate Member: Bank of NY Mellon
Thank you to our Renewed Corporate Members: ADP, FICO

OWASP Webinar Series
Wednesday, October 9, 2013 Live - Global Board Candidate Question and Answers. Interactive question-and-answer format for the Global Foundation Board Candidates. Facilitated by Kelly Santalucia.
9 pm EDT
Wednesday, October 23, 2013 Live - Jason Johnson, Project Leader - OWASP Hive Project: Welcome to the Grid. Jason will walk us through the OWASP Hive Project - the HIVE project started out as an idea for a learning platform created by using some small, capable PCs to do our bidding - now look at the progress! 10 am EDT / 9 pm EDT
Wednesday, November 6, 2013 Live - Kiran Karnan, Project Leader - OWASP Top Ten & BURP. Kiran will demonstrate the Top Ten using BURP. 10 am EDT / 9 pm EDT
Wednesday, December 4, 2013 Live - Abbas Naderi, Project Leader - OWASP PHP Security Project. Abbas will demonstrate the existing and planned features of his project. 10 am EDT / 9 pm EDT
The Global Webinar Series wants to feature your Project. Please contact Kate Hartmann or Samantha Groves to schedule your project webinar.

Women in AppSec Selection Finalized
After careful consideration, the Women in AppSec selection team chose two winners this year for the Women in AppSec fund. They will each receive a free conference pass to AppSec USA 2013 and a seat in the training class of their choice, along with travel and accommodations to attend. Please join in our congratulations to this year's winners, Nancy Lornston and Carrie Schaper.

THE ELECTION PAGE
Be sure to review the available materials and become an informed voter.
Upcoming Dates
October 9 - Q&A Webinar
October 14 - Voting Begins
October 25 - Voting Ends
October 29 - Election Result Announced

The Web Application Security Persons of the Year (WASPY) award nominees are POSTED. Show your support for the community by becoming a Sponsor of the awards. Corporate sponsors AND Chapter sponsors are encouraged to participate. FULL SPONSORSHIP INFORMATION CAN BE FOUND HERE

In case you missed it ...
The Global CTF was an outstanding success. Initially the honeynet had capacity for 200 active players; however, the potential to scale up was quickly recognized. With the assistance of the Institute of Technology Blanchardstown, who provided additional servers and bandwidth, we were able to extend the CTF capacity by an additional 25%, with active players from all over the world and from a variety of time zones. Although everyone who took part, including the organizers, learned lots and had fun - there can only be one winner ...
Top 10 Places & Scores
1. aaaaaa [1665]
2. reaver2121991 [1640]
3. Orbiter [1539]
4. y0y0Hon3ySinghJ1 [1524]
5. ietians [1302]
6. cybercruiser [1290]
7. Mutantinmate [1284]
8. bannedXD [1278]
9. ntyeil [1277]
10. cia403 [1274]

Global Initiatives Metrics
504 unique volunteers. (Charts: Volunteer Sign-ups over Time; Leadership Status of New Volunteers)

OWASP Ghana recognized in the fight against cyber crime!
Theo Sagoe and the OWASP Ghana team were recently recognized on national television news. The spot highlights the need in the African Region for increased vigilance and attention to cyber security. Watch the YouTube segment.
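The synchronizer token pattern that the featured CSRFGuard item above describes (cryptographically random per-session or pseudo-per-request tokens injected into HTML and checked by a filter before the request is handled), as an added Python example that is not CSRFGuard's own code: the in-memory session store and the rotation rule are assumptions of this example, and the hidden field name OWASP_CSRFTOKEN is CSRFGuard's default token name.

```python
import hmac
import secrets

# Constructed in-memory stand-in for a server-side session store
# (assumption of this example, not CSRFGuard's own storage).
_SESSION_TOKENS = {}

# Requests that change state must carry a valid token; safe methods pass through.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
TOKEN_FIELD = "OWASP_CSRFTOKEN"   # CSRFGuard's default token name


def issue_token(session_id):
    """Return this session's synchronizer token, minting a random one on first use."""
    token = _SESSION_TOKENS.get(session_id)
    if token is None:
        token = secrets.token_urlsafe(32)   # cryptographically random, URL-safe ASCII
        _SESSION_TOKENS[session_id] = token
    return token


def render_form(session_id, action):
    """Inject the token into HTML as a hidden field, mirroring CSRFGuard's HTML integration."""
    return (f'<form method="POST" action="{action}">'
            f'<input type="hidden" name="{TOKEN_FIELD}" value="{issue_token(session_id)}">'
            '</form>')


def validate_request(session_id, method, form, per_request=False):
    """Filter-style check run before the application handles the request.

    Returns True if the request is safe, or if it carries a token equal to the one
    bound to the session. With per_request=True the token is rotated after each
    successful use (pseudo-per-request mode), so a captured token cannot be replayed.
    """
    if method.upper() not in STATE_CHANGING:
        return True
    expected = _SESSION_TOKENS.get(session_id)
    supplied = form.get(TOKEN_FIELD)
    if expected is None or not isinstance(supplied, str):
        return False   # no token bound to the session, or none submitted
    # Constant-time comparison on bytes avoids timing leaks and the TypeError
    # compare_digest raises for non-ASCII str input.
    ok = hmac.compare_digest(expected.encode(), supplied.encode())
    if ok and per_request:
        _SESSION_TOKENS[session_id] = secrets.token_urlsafe(32)
    return ok
```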