Wednesday, October 30, 2013

Call for Comment: OWASP Corporate Sponsorship Model


Community Members - 

As a follow-up to the in-person Board Meeting in Hamburg, Germany on August 19, 2013, the Board voted to move to a tiered Corporate Membership model. This enables organizations to support OWASP at a variety of levels. We are still fleshing out the final details and will soon update the membership matrix. However, there will be 4 tiers ($2,000, $5,000, $20,000, $50,000) with varying benefits provided to the corporate member at each level.

Additionally, the Board determined that corporate member logos should move to an Acknowledgement Page. To provide a single, clear page that acknowledges our corporate member supporters, we will move the corporate logos from the bottom of the OWASP home page to a dedicated acknowledgement page. The home page will have clear graphics that encourage viewers to click through and view the acknowledgements page.

Subsequent to this board discussion, the staff put together a draft of what this tiered structure would look like. Our goal is to collect community feedback and finalize by a Board Vote by December 1, 2013. The transition would start January 1, 2014 with banner ads and logos being removed from the home page by February 1, 2014.

I am also sending out this request for feedback to the governance list, leaders' list, and social media, and Kelly Santalucia will be looking for input from our current corporate supporters. Please help us in sharing your thoughts and encouraging others to do the same!

If you are looking for info on our current membership models: https://www.owasp.org/index.php/Membership

Thanks in advance!
Sarah Baso

Tuesday, October 29, 2013

OWASP Global Connector Election Edition



Global OWASP Connector - ELECTION RESULTS


The 2014 Global Foundation Board of Directors will be:


Michael Coates (reelected)
Tobias Gondrom (newly elected)
Josh Sokol (newly elected)
Fabio Cerullo (newly elected)
Tom Brennan
Jim Manico
Eoin Keary


This year's election boasts the largest number of candidates and the largest percentage voter turnout of any election.

Thank you to all the candidates and to all the members who took the time to review the information and cast their vote.

Details on the elected board members, the transition plan, documentation on the process, as well as statistics on voting (as they become available), can be found at:


THE ELECTION PAGE


Special Referendum


This year, there was an included community referendum to assist the Foundation in defining our approach to handling corporate sponsorship.

The three options posted were:

1 - Project Leaders Decide All

2 - Standardized across projects & allowing project sponsorship/logos

3 - Standardized across projects and NOT allowing project sponsorship/logos

The community has chosen #2 as their preferred choice.

The Foundation Board will work with the Operations team and the Project Leaders to create and document guidelines in this direction.

Details on all three options can be found on the Governance/Project Sponsorship page


The 2013 WASPY (Web Application Security People of the Year)


We were very excited about the number of nominations in each of the categories for this year's awards.  Although there can only be one winner in each category, we would like to again congratulate all those who were nominated.

All of the nomination information, as well as more information on the Awards can be found on the 2013 WASPY page.


Winner - Best Chapter Leader - LA Chapter - Tin Zaw, Richard Greenberg, Kelly FitzGerald, Stuart Schwartz, Edward Bonver

Nominees

Jack Mannino - NOVA
John Wilander - Sweden
Paul Scott - Houston
Jonathan Marcil - Montreal
Abbas Naderi - Iran
Trenton Ivey - Milwaukee
David Hughes - Austin
Dhruv Soi - India

Winner - Best Project Leader - Simon Bennetts - ZAP

Nominees

Abbas Naderi - PHP Security
Andrew van der Stock - Developer Guide
Epsylon "psy" - XSSer

Winner - Best Community Supporter - Fabio Cerullo

Nominees

Jason Montgomery
John Wilander

Winner - Best Mission Outreach - Martin Knobloch

Nominees

Fabio Cerullo
John Wilander

Winner - Best Innovator - Abbas Naderi

Nominees

Tanoh Aka Marcellin


New OWASP Marketing Resources Page

We are pleased to announce the launch of our new OWASP Marketing Resources page. The OWASP staff have worked diligently with a design firm to solidify OWASP's visual identity and create several design pieces for community use.

On this page, we have everything from logos and business cards to banner stand and brochure designs, all ready for download. Most of the files found on this page are in PDF, EPS, or JPEG format; however, some pieces have the original Creative Suite files zipped in a toolbox. We recommend using the PDF, EPS, and JPEG files first as they are the easiest to use. If you need to edit a design piece, then you are more than welcome to download the Creative Suite files if you have access to Adobe InDesign, Photoshop, and Illustrator. If you require an edit to a design and you do not have access to Adobe Creative Suite, then please let us know by using the OWASP Contact Us form.

We would like to stress that before you use any of the marketing materials on the new marketing resources page, please be sure to read the Brand Usage Rules and Guidelines. You can find them listed under the "Brand Guidelines" tab. It is important to understand how we expect contributors to use these materials, as well as what is acceptable and what is not when it comes to usage of our brand and visual identity.

If you have any questions, please reach out to us using the OWASP Contact Us form.

Friday, October 25, 2013

OWASP Election Ends TODAY!

Only hours left! Cast your vote now for the OWASP Global Board of Directors 2013 Election. Learn more about the Board candidates here:

Thursday, October 24, 2013

OWASP 2013 BOARD ELECTIONS END TOMORROW

Cast your vote now! For information on the candidates please visit

Tuesday, October 22, 2013

OWASP Global Connector October 22, 2013



Global OWASP Connector - October 22, 2013

2013 Project Summit

On November 18-21, OWASP will be hosting the 2013 Project Summit in tandem with this year's AppSec USA in New York City. This four-day, hands-on experience is open to all conference attendees. Project Leaders will be showcasing their projects and collaborating with attendees on enhancements and tasks. While the sessions are open to all, registration is requested.

Sessions begin Monday, November 18 and will run through Thursday, November 21.  A complete schedule of sessions, topics, and activities as well as links to sign up to participate can be found on the conference schedule site.

NEW OWASP Projects

OWASP Vulnerable Web Applications Directory Project

The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well-maintained registry of all known vulnerable web applications currently available. These vulnerable web applications can be used by web developers, security auditors, and penetration testers to put their knowledge and skills into practice during training sessions (and especially afterwards), as well as to test at any time the multiple hacking tools and offensive techniques available, in preparation for their next real-world engagement. For more information, please contact the project leaders, Simon Bennetts and Raul Siles.

New Project Releases

OWASP Mantra-OS released its "Cannon" beta. The virtual core now creates a complete sandbox. It contains lxc, libvirt, kvm, libxen, libmacho, and vzctl. Additionally, the leaders are happy to report that further development with libdispatch, liblightning, and libjit makes it extremely fast.

Download Here

For more information, please contact the project leader, Gregory Disney.  




Message from Project Leader, Jim Manico:  Authentication Cheating

I'm in the process of doing an edit-pass of the OWASP Cheat Sheet series.  I'd like to start with authentication.  A lot has changed since we first authored the Cheat Sheets.  Would anyone like to take a stab at refreshing and updating this page?  If you are interested in helping out, please contact Jim Manico.




New Support email is now available.  To reach a staff member, email:  support@owasp.org


OWASP AppSec USA 2013
www.appsecusa.org/2013/


Full Schedule of Keynotes, Panels, Conference Talks and Classes

Amazing line up of activities including:  OWASP Project Summit, Lockpick Village, 2 CTFs, 3k for Charity, and Open Mic Sessions

Sponsor opportunities - Table sponsorships are FULL, but if you want to get involved, there are still a few options available. Please contact us ASAP!


Save the Date ...

2014 Global Conference Schedule:

AppSec APAC 2014 - March 17-20, Tokyo, Japan
AppSec EU - June 23-26, Cambridge, UK
AppSec USA - September 15-18, Denver, CO


Local and Regional Events

LASCON 2013 - Oct 24-25, Austin, TX

Houston November Mini-Con - Nov 15, Houston, TX

OWASP BeNeLux - Nov 28-Nov 29, Netherlands

BASC 2013 - Dec 14, Cambridge, MA

AppSec California 2014 - Jan 27-Jan 28, Santa Monica, CA - CFP Open until November 15, 2013 - Submit your talk!


Partner and Promotional Events

RSA Conference Europe 2013 - Amsterdam, Netherlands, October 29-31
BSidesDFW 2013 - Dallas, TX, November 2
Atak i Obrona (Attack & Defense) 2013 - Poland, November 26
Cloud Security Alliance Congress 2013 - Orlando, FL, December 4-5 - OWASP Members receive a 10% discount by using discount code:  CSA13/OWASP




Thank you to our Newest Corporate Member


Software Assurance Marketplace

Thank you to our Renewed Corporate Members

Gemalto

Media Partner

Information Security Buzz



THE ELECTION PAGE

The Voting Process is now underway.  All eligible voters would have already received their ballot via email.  Voting is OPEN until October 25, 2013




The WASPY (Web Application Security Persons of the Year) Awards are funded solely by our sponsors. Thank you to Qualys for generously supporting the 2013 awards as a Platinum Sponsor. If you are interested in sponsoring the awards, please contact us.

Corporate sponsors AND Chapter sponsors are encouraged to participate

Voting is underway NOW

FULL SPONSORSHIP INFORMATION CAN BE FOUND HERE





OWASP Webinar Series


Wednesday, October 23, 2013

Live - Jason Johnson, Project leader - OWASP Hive Project:  Welcome to the Grid

Jason will walk us through the OWASP Hive Project - the HIVE project started out as an idea for a learning platform built from some small, capable PCs to do our bidding - now look at the progress!

10 am EDT



9 pm EDT



Wednesday November 6, 2013

Live - Kiran Karnan, Project Leader - OWASP Top Ten & BURP

Kiran will demonstrate the Top Ten using BURP

10 am EDT


9 pm EDT



Wednesday December 4, 2013

Live - Abbas Naderi, Project leader - OWASP PHP Security Project

Abbas will demonstrate the existing and planned features of his project

10 am EDT



9 pm EDT



The Global Webinar Series wants to feature your Project.  Please contact Kate Hartmann or Samantha Groves to schedule your project webinar.


Monday, October 21, 2013

AppSec USA OWASP Project Talks: Sign up now!

AppSec USA is just a few short weeks away, and now it's time to start looking at the conference schedule to get an idea of what sessions and trainings you would like to attend. If you are interested in OWASP Projects, then you should attend the OWASP Project Talks. The OWASP Project Talks give project leaders an opportunity to showcase the progress on their project, as well as a space to announce new project activities. This year ten OWASP projects are participating in the Project Talks over two days at AppSec USA. The talk schedule, with links to:

Wednesday, November 20th
OWASP Security Principles Project

Thursday, November 21st
OWASP Code Review Guide
OWASP Testing Guide

The Project Talks allow for an insider view of what's happening within each OWASP Project, which is why they are open to the community to attend and participate. Full AppSec USA conference passes are not needed to attend any of the Project Talks. There is still time to register for an Expo and Career Fair Only Pass for AppSec USA, which you can do for free on the AppSec USA website using the discount code NYC13_SUMMIT. Visit the AppSec USA website to register.

For more information on the 2013 Project Talks, please contact Samantha Groves (Samantha.Groves@owasp.org), or visit the AppSec USA webpage.

Friday, October 18, 2013

OWASP 2013 Project Summit Announcement

On November 18th - 21st, OWASP will be hosting the 2013 Project Summit in tandem with this year's AppSec USA in New York City.  The Project Summit is a smaller version of the larger OWASP Summits and it allows project leaders the opportunity to not only showcase their project progress, but to also have attendees of the summit sit down and contribute to project tasks. The venue for this year's Project Summit is the Sky Lounge of the Marriott Marquis located in Times Square. We currently have 15 sessions scheduled. The list includes:
 
Monday: Nov. 18th
  1. OWASP Projects Review Session
  2. ESAPI Hackathon Session
  3. Bug Bounty Hack Session

Tuesday: Nov. 19th
  1. OWASP Training Development Session
  2. OWASP Academies Development Session
  3. Mobile Security Session
  4. ESAPI Hackathon Session
  5. Bug Bounty Hack Session

Wednesday: Nov. 20th
  1. Writing and Documentation Review Session
  2. ESAPI Hackathon Session
  3. Bug Bounty Hack Session

Thursday: Nov. 21st
  1. ZAP Hackathon Session
  2. Open SAMM Session
  3. ESAPI Hackathon Session
  4. Bug Bounty Hack Session

The Project Summit is the perfect opportunity for project advancement and for attendee interaction. The various sessions allow attendees to develop standards and guidelines for projects, and in general, give feedback for improving projects. For example, in the Projects Review Session, attendees will be participating in the reviews of the participating projects. 

All are welcome to attend the Projects Summit and to contribute at the various sessions. Attendees are encouraged to attend sessions in which they can contribute. 


For more information on the 2013 Project Summit, please contact Samantha Groves (Samantha.Groves@owasp.org), or visit the Project Summit wiki page.

Friday, October 11, 2013

Bug Bounty Hacking

BUG BOUNTY – GROUP HACK

Attention #BREAKERS

Microsoft, Facebook, OWASP, Google and PayPal crowdsource their security with Bug Bounty programs. Join the OWASP Foundation on a “community group hack” at AppSecUSA.
  • Leverage methodologies and tools from the OWASP Projects.
  • Meet fellow “hackers”
  • Win Cash and Kudos for being the first to uncover security issues in LIVE PRODUCTION WEBSITES
Just some of the targets to pick from: https://bugcrowd.com/list-of-bug-bounty-programs/
When: Monday & Tuesday Night 8pm – 11:59pm
Where: 16th Floor Skylobby
When: Wednesday Night 8pm – 11:59pm
Where: 5th Floor Ballroom

Coordinated by Bugcrowd and OWASP.

Thursday, October 10, 2013

OWASP Global Connector October 9, 2013


Global OWASP Connector - October 9, 2013

Featured OWASP Project

OWASP CSRFGuard Project

OWASP CSRFGuard is a library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks. The OWASP CSRFGuard library is integrated through the use of a Java EE Filter, and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML. When a user interacts with this HTML, CSRF prevention tokens (i.e. cryptographically random synchronizer tokens) are submitted with the corresponding HTTP request. It is the responsibility of OWASP CSRFGuard to ensure the token is present and is valid for the current HTTP request. For more information on the CSRFGuard project, please contact the project leader, Eric Sheridan.
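To make the synchronizer token idea concrete, here is an added illustration in Python (not CSRFGuard's own code, which is a Java EE filter): a server-side token store that supports both a per-session token and pseudo-per-request (per-path) tokens, plus the filter decision that rejects state-changing requests whose token is missing or wrong. The field and header names, the request dict shape and the in-memory store are assumptions for the example.

```python
import hmac
import secrets

# Form field / header that carries the token (assumed names, not CSRFGuard defaults)
TOKEN_FIELD = "OWASP_CSRFTOKEN"
TOKEN_HEADER = "X-Requested-With-Token"
# Methods that must never change state, so they are allowed through without a token
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


class SynchronizerTokenStore:
    """Server-side token state for one authenticated session (assumed design).

    per_request=False: one cryptographically random token for the whole session.
    per_request=True : a separate random token per protected path (the
    "pseudo-per-request" variant), so a token leaked from one page cannot be
    replayed against another.  The application stamps token_for(path) into the
    HTML it renders; the store itself never leaves the server.
    """

    def __init__(self, per_request: bool = False, token_bytes: int = 32) -> None:
        self.per_request = per_request
        self.token_bytes = token_bytes
        self.session_token = secrets.token_urlsafe(token_bytes)
        self.page_tokens: dict[str, str] = {}

    def token_for(self, path: str) -> str:
        """Token the application must embed in forms/links that target `path`."""
        if not self.per_request:
            return self.session_token
        if path not in self.page_tokens:  # minted lazily, once per path
            self.page_tokens[path] = secrets.token_urlsafe(self.token_bytes)
        return self.page_tokens[path]

    def validate(self, path: str, submitted) -> bool:
        """True only if a token was submitted and matches the one issued for `path`."""
        if not isinstance(submitted, str) or not submitted:
            return False
        expected = self.page_tokens.get(path) if self.per_request else self.session_token
        if expected is None:
            return False  # no token was ever issued for this page
        # constant-time comparison so an attacker cannot recover the token via timing
        return hmac.compare_digest(expected.encode(), submitted.encode())


def csrf_filter(store: SynchronizerTokenStore, request: dict) -> bool:
    """The accept/reject decision a CSRFGuard-style filter makes before the app runs.

    `request` is a constructed stand-in for the servlet request: a dict with
    'method', 'path', 'form' (parsed body fields) and 'headers'.
    """
    if request["method"].upper() in SAFE_METHODS:
        return True
    submitted = request.get("form", {}).get(TOKEN_FIELD)
    if submitted is None:  # AJAX clients may send the token in a header instead
        submitted = request.get("headers", {}).get(TOKEN_HEADER)
    return store.validate(request["path"], submitted)


if __name__ == "__main__":
    store = SynchronizerTokenStore(per_request=True)
    legitimate = {"method": "POST", "path": "/transfer",
                  "form": {TOKEN_FIELD: store.token_for("/transfer")}, "headers": {}}
    cross_site = {"method": "POST", "path": "/transfer", "form": {}, "headers": {}}
    print("legitimate accepted:", csrf_filter(store, legitimate))
    print("cross-site accepted:", csrf_filter(store, cross_site))
```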

NEW OWASP Projects

OWASP Node.js Goat Project

Node.js is a widely adopted platform for developing web applications.  This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js, and how to effectively address them. For more information, please contact the project leader, Chetan Karande.

OWASP Pygoat Project

The Pygoat Project is similar to the WebGoat or RailsGoat projects in that it is an application specifically designed to be insecure in hopes of teaching others about code flaws in web applications.  In this specific context, it will focus mainly on Python and Django code libraries.  For more information, please contact the project leader, Kyle Rippee.

OWASP Python Security Project

Python Security is a free, open source project that aims at creating a hardened version of Python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in Python by approaching the problem from three different angles:

Security in Python: white-box analysis, structural and functional analysis
Security in Python: black-box analysis, identify and address security-related issues
Security with Python: develop security-hardened Python suitable for high-risk and high-security environments

For more information, please contact the project leader, Enrico Branca.

3 New Project Releases!

OWASP Broken Web Applications Version 1.1.1 Released

From Chuck Willis, project leader:  I'm proud to announce the release of version 1.1.1 of the OWASP BWA VM.  This release is relatively minor, but there were a couple of items that I wanted to address:

Fixed issue with Tomcat not starting in some circumstances.  Thanks to the individuals who reported this issue (that I did not experience) and confirmed the fix.
Updated Mutillidae and transitioned to use its new Git repository.
VM is now available for download in .ova format, which should make it easier to use in virtualization packages other than VMware products.


OWASP Java HTML Sanitizer Project v209 Released

The OWASP Java HTML Sanitizer project is a fast and easy to configure HTML Sanitizer written in Java.  This project is a secure coding library that lets you include HTML authored by third-parties in your web application while protecting against XSS.  The OWASP Java HTML Sanitizer was authored by and is actively maintained by Mike Samuel from the Google application security team.
Version 209 was recently released.  Change-log information can be found here.  If you have questions about this project, please join the project mailing list.


OWASP Zed Attack Proxy 2.2.0 Released

ZAP 2.2.0 is now available HERE.

This includes support for scripts embedded in ZAP components like the active and passive scanners, as well as support for Zest - a new security-focused scripting language from the Mozilla security team. It also supports Mozilla Plug-n-Hack, localization in 20 languages, various minor enhancements and lots of bug fixes. For more details see the release notes.
Additionally, if you use ZAP, then please fill in the ZAP user questionnaire linked off the ZAP homepage.  This will help us prioritize features for future releases.  For more information, please contact the project leader, Simon Bennetts.



Message from Project Leader, Shruti Kulkarni:  Seeking Contributors

Legacy applications are a reality. I would like to present vulnerabilities and threats of legacy web applications, and the countermeasures for the same, in my project. I have listed down a few. I would like contributions in these areas, and also pointers on anything else associated with legacy web applications. The project is the OWASP Supporting Legacy Web Applications in the Current Environment Project. For more information, please contact the project leader, Shruti Kulkarni.

New Support email is now available.  To reach a staff member, email:  support@owasp.org


OWASP AppSec USA 2013
www.appsecusa.org/2013/


The *draft* schedule is now published
OWASP Project and Leader Summit
Press Releases

Local and Regional Events

OWASP China 2013 Forum - July 12 - Dec 31, Beijing, Shanghai, and Guangzhou

LASCON 2013 - Oct 24-25, Austin, TX

Houston November Mini-Con - Nov 15, Houston, TX

OWASP BeNeLux - Nov 28-Nov 29, Netherlands

BASC 2013 - Dec 14, Cambridge, MA

AppSec California 2014 - Jan 27-Jan 28, Santa Monica, CA

Partner and Promotional Events

Hack in the Box - October 14-17;  Discount code for OWASP Members:  OWASP2013
Nullcon - India, Feb 12-15, 2014.  Call for papers is OPEN


Thank you to our Newest Corporate Member

Bank of NY Mellon


Thank you to our Renewed Corporate Members

ADP
FICO


OWASP Webinar Series

Wednesday, October 9, 2013
Live - Global Board Candidate Question and Answers

Interactive question and answer format for the Global Foundation Board Candidates.  Facilitated by Kelly Santalucia.

9pm EDT



Wednesday, October 23, 2013

Live - Jason Johnson, Project leader - OWASP Hive Project:  Welcome to the Grid

Jason will walk us through the OWASP Hive Project - the HIVE project started out as an idea for a learning platform built from some small, capable PCs to do our bidding - now look at the progress!

10 am EDT



9 pm EDT



Wednesday November 6, 2013

Live - Kiran Karnan, Project Leader - OWASP Top Ten & BURP

Kiran will demonstrate the Top Ten using BURP

10 am EDT


9 pm EDT



Wednesday December 4, 2013

Live - Abbas Naderi, Project leader - OWASP PHP Security Project

Abbas will demonstrate the existing and planned features of his project

10 am EDT



9 pm EDT



The Global Webinar Series wants to feature your Project.  Please contact Kate Hartmann or Samantha Groves to schedule your project webinar.


Women in AppSec Selection Finalized

After careful consideration, the Women in AppSec selection team chose two winners this year for the Women in AppSec fund. They will each receive a free conference pass to AppSec USA 2013, a seat in the training class of their choice, along with travel and accommodations to attend. Please join in our congratulations to this year's winners, Nancy Lornston and Carrie Schaper.


THE ELECTION PAGE

Be sure to review the available materials and become an informed voter.


Upcoming Dates

October 9 - Q&A Webinar
October 14 - Voting Begins
October 25 - Voting Ends
October 29 - Election Result Announced


The Web Application Security Persons of the Year (WASPY) award nominees are POSTED

Show your support for the community by becoming a Sponsor of the awards.

Corporate sponsors AND Chapter sponsors are encouraged to participate

FULL SPONSORSHIP INFORMATION CAN BE FOUND HERE

In case you missed it ...



The Global CTF was an outstanding success. Initially the honeynet had capacity for 200 active players; however, the potential to scale up was quickly recognized. With the assistance of the Institute of Technology Blanchardstown, who provided additional servers and bandwidth, we were able to extend the CTF capacity by an additional 25%, with active players from all over the world across a variety of time zones. Although everyone who took part, including the organizers, learned lots and had fun - there can only be one winner ...

Top 10 Places & Scores

aaaaaa [1665]
reaver2121991 [1640]
Orbiter [1539]
y0y0Hon3ySinghJ1 [1524]
ietians [1302]
cybercruiser [1290]
Mutantinmate [1284]
bannedXD [1278]
ntyeil [1277]
cia403 [1274]




Global Initiatives Metrics

504 unique volunteers

Volunteer Sign-ups over Time (chart not reproduced)

Leadership Status of New Volunteers (chart not reproduced)

Volunteers by Campaign (chart not reproduced)




OWASP Ghana recognized in the fight against cyber crime!

Theo Sagoe and the OWASP Ghana team were recently recognized on national television news. The spot highlights the need in the African region for increased vigilance and attention to cyber security. Watch the YouTube segment.


Wednesday, October 9, 2013

CTF over the internet for AppSecUSA Ticket


On behalf of: Sumit Siddharth

AppSec USA is around the corner and, to assist with promotion, NotSoSecure is hosting a Capture the Flag Event from October 25th to 27th.

You can win a FULL BADGE to AppSecUSA a $995 value and other cool prizes

The CTF is FREE to play
Please use the link below to enroll; then information will be mailed to you to start the hacking

NotSoSecure is also conducting a training at AppSec USA. For the list of all trainings available at AppSec USA please see the link: http://appsecusa.org/2013/training/. All two-day training classes are filling up fast and there are only a handful of seats left, so register today for one of the classes before they sell out.


Good Luck with CTF and enjoy AppSecUSA!

Sumit Siddharth