|Global OWASP Connector - October 9, 2013|
Featured OWASP Project
OWASP CSRFGuard Project
OWASP CSRFGurard is a library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks. The OWASP CSRFGuard library is integrated through the use of JavaEE Filter, and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML. When a user interacts with this HTML, CSRF prevention tokens (i.e. cryptrgraphically random synchronizer tokens) are submitted with the corresponding HTTP request. It is the responsibility of OWASP CSRFGuard to ensure the token is present and is valid for the current HTTP request. For more information on the CSRFGuard project, please contact the project leander, Eric Sheridan.
NEW OWASP Projects
OWASP Node.js Goat Project
Node.js is a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js, and how to effectively address them. For more information, please contact the project leader, Chetan Karande.
OWASP Pygoat Project
The Pygoat Project is similar to the WebGoat or RailsGoat projects in that it is an application specifically designed to be insecure in hopes of teaching others about code flaws in web applications. In this specific context, it will focus mainly on Python and Django code libraries. For more information, please contact the project leader, Kyle Rippee.
OWASP Python Security Project
Python Security is a free, open source project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.
The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles: Security in python: white-box analysis, structural and functional analysis, Security in python: black box analysis, identify and address security-related issues, Security with python: develop security hardened python suitable for high-risk and high-security environments. For more information, please contact the project leader, Enrico Branca.
3 New Project Releases!
OWASP Broken Web Applications Version 1.1.1 Released
From Chuck Willis, project leader: I'm proud to announce the release of version 1.1.1 of the OWASP BWA VM. This release is relatively minor, but there were a couple of items that I wanted to address:
Fixed issue with Tomcat not starting in some circumstances. Thanks to the individuals who reported this issue (that I did not experience) and confirmed the fix.
Updated Mutillidae and transitioned to use its new Git repository.
VM is now available for download in .ova format, which should make it easier to use in virtualization packages other than VMware products.
OWASP Java HTML Sanitizer Project v209 Released
The OWASP Java HTML Sanitizer project is a fast and easy to configure HTML Sanitizer written in Java. This project is a secure coding library that lets you include HTML authored by third-parties in your web application while protecting against XSS. The OWASP Java HTML Sanitizer was authored by and is actively maintained by Mike Samuel from the Google application security team.
Version 209 was recently released. Change-log information can be found here. If you have questions about this project, please join the project mailing list.
OWASP Zed Attack Proxy 2.2.0 Released
Zap 2.2.0 is now available HERE.
This includes support for scripts embedded in ZAP components like the active and passive scanners as well as support for Zest - a new security focused scripting language from the Mozilla security team. It also supports Mozilla Plun-n-Hack, locailization in 20 languages, various minor enhancements and lots of bug fixes. For more details see the release notes.
Additionally, if you use ZAP, then please fill in the ZAP user questionnaire linked off the ZAP homepage. This will help us prioritize features for future releases. For more information, please contact the project leader, Simon Bennetts.
Message from Project Leader, Shruti Kulkarni: Seeking Contributors
Legacy applications are a reality. I would like to present vulnerabilities and threats of legacy web applications, and the countermeasures for the same, in my project. I have listed down a few. I would like contributions in these areas, and also pointers on anything else assiciated with legacy web applications. The project is the OWASP Supporting Legacy Web Applications in the Current Environment Project. For more information, please contact the project leader, Shruti Kulkarni.
New Support email is now available. To reach a staff member, email: firstname.lastname@example.org
OWASP AppSec USA 2013
The *draft* schedule is now published
OWASP Project and Leader Summit
Local and Regional Events
OWASP China 2013 Forum - July 12 - Dec 31, Bejing, Shanghai, and Guangzhou
LASCON 2013 - Oct 24-25, Austin, TX
Houston November Mini-Con - Nov 15, Houston, TX
OWASP BeNeLux - Nov 28-Nov 29, Netherlands
BASC 2013 - Dec 14, Cambridge, MA
AppSec California 2014 - Jan 27-Jan 28, Santa Monica, CA
Partner and Promotional Events
Hack in the Box - October 14-17; Discount code for OWASP Members: OWASP2013
Nullcon - India, Feb 12-15, 2014. Call for papers is OPEN
Thank you to our Newest Corporate Member
Bank of NY Mellon
Thank you to our Renewed Corporate Members
OWASP Webinar Series
Wednesday, October 9, 2013
Live - Global Board Candidate Question and Answers
Interactive question and answer format for the Global Foundation Board Candidates. Facilitated by Kelly Santalucia.
Wednesday, October 23, 2013
Live - Jason Johnson, Project leader - OWASP Hive Project: Welcome to the Grid
Jason will walk us through the OWASP Hive Project - the HIVE project started out as an idea for a learning platform created by using some small, capable pc to do our bidding - now look at the progress!
10 am EDT
9 pm EDT
Wednesday November 6, 2013
Live - Kiran Karnan, Project Leader - OWASP Top Ten & BURP
Kiran will demonstrate the Top Ten using BURP
10 am EDT
9 pm EDT
Wednesday December 4, 2013
Live - Abbas Naderi, Project leader - OWASP PHP Security Project
Abbas will demonstrate the existing and planned features of his project
10 am EDT
9 pm EDT
The Global Webinar Series wants to feature your Project. Please contact Kate Hartmann or Samantha Groves to schedule your project webinar.
Women in AppSec Selection Finalized
After careful consideration, the Women in AppSec selection team chose two winners this year for the Woman in AppSec fund. They will each receive a free conference pass to AppSec USA 2013, a seat in the training class of their choice along with travel and accommodations to attend. Please join in our congratulations to this year's winners, Nancy Lornston and Carrie Schaper.
THE ELECTION PAGE
Be sure to review the available materials and become an informed voter.
October 9 - Q&A Webinar
October 14 - Voting Begins
October 25 - Voting Ends
October 29 - Election Result Announced
The Web Application Security Persons of the Year (WASPY) award nominees are POSTED
Show your support for the community by becoming a Sponsor of the awards.
Corporate sponsors AND Chapter sponsors are encouraged to participate
FULL SPONSORSHIP INFORMATION CAN BE FOUND HERE
In case you missed it ...
The Global CTF was an outstanding success. Initiatlly the honeynet had capacity for 200 active players, however, the potential to scale up was quicly recognized. With the assistance of the Instutute of Technology Blanchardstown, who provided additional servers and bandwidth, we ere able to extend the CTF capacity by and additional 25% with active players from all over the world from a variety of time zones. Although everyone who took part, including teh organizers, learned lots and had fun - there can only be one winner ...
Top 10 Places & Scores
Global Initiatives Metrics
504 unique volunteers
Volunteer Sign ups over Time
Leadership Status of New Volunteers
OWASP Ghana recognized in the fight against cyber crime!
Theo Sagoe and the OWASP Ghana team was recently recognized on national television news. The spot highlights the need in the African Region for increased villigance and attention to cyber security. Watch the youtube segment