Thursday, October 10, 2013

OWASP Global Connector October 9, 2013

Global OWASP Connector - October 9, 2013

Featured OWASP Project

OWASP CSRFGuard Project

OWASP CSRFGurard is a library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.  The OWASP CSRFGuard library is integrated through the use of JavaEE Filter, and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML.  When a user interacts with this HTML, CSRF prevention tokens (i.e. cryptrgraphically random synchronizer tokens) are submitted with the corresponding HTTP request.  It is the responsibility of OWASP CSRFGuard to ensure the token is present and is valid for the current HTTP request.  For more information on the CSRFGuard project, please contact the project leander, Eric Sheridan.

NEW OWASP Projects

OWASP Node.js Goat Project

Node.js is a widely adopted platform for developing web applications.  This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js, and how to effectively address them. For more information, please contact the project leader, Chetan Karande.

OWASP Pygoat Project

The Pygoat Project is similar to the WebGoat or RailsGoat projects in that it is an application specifically designed to be insecure in hopes of teaching others about code flaws in web applications.  In this specific context, it will focus mainly on Python and Django code libraries.  For more information, please contact the project leader, Kyle Rippee.

OWASP Python Security Project

Python Security is a free, open source project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

The project is designed to explore how web applications can be developed in python by approaching the problem from three different angles:  Security in python:  white-box analysis, structural and functional analysis, Security in python:  black box analysis, identify and address security-related issues, Security with python:  develop security hardened python suitable for high-risk and high-security environments.  For more information, please contact the project leader, Enrico Branca.

3 New Project Releases!

OWASP Broken Web Applications Version 1.1.1 Released

From Chuck Willis, project leader:  I'm proud to announce the release of version 1.1.1 of the OWASP BWA VM.  This release is relatively minor, but there were a couple of items that I wanted to address:

Fixed issue with Tomcat not starting in some circumstances.  Thanks to the individuals who reported this issue (that I did not experience) and confirmed the fix.
Updated Mutillidae and transitioned to use its new Git repository.
VM is now available for download in .ova format, which should make it easier to use in virtualization packages other than VMware products.

OWASP Java HTML Sanitizer Project v209 Released

The OWASP Java HTML Sanitizer project is a fast and easy to configure HTML Sanitizer written in Java.  This project is a secure coding library that lets you include HTML authored by third-parties in your web application while protecting against XSS.  The OWASP Java HTML Sanitizer was authored by and is actively maintained by Mike Samuel from the Google application security team.
Version 209 was recently released.  Change-log information can be found here.  If you have questions about this project, please join the project mailing list.

OWASP Zed Attack Proxy 2.2.0 Released

Zap 2.2.0 is now available HERE.

This includes support for scripts embedded in ZAP components like the active and passive scanners as well as support for Zest - a new security focused scripting language from the Mozilla security team.  It also supports Mozilla Plun-n-Hack, locailization in 20 languages, various minor enhancements and lots of bug fixes.  For more details see the release notes.
Additionally, if you use ZAP, then please fill in the ZAP user questionnaire linked off the ZAP homepage.  This will help us prioritize features for future releases.  For more information, please contact the project leader, Simon Bennetts.

Message from Project Leader, Shruti Kulkarni:  Seeking Contributors

Legacy applications are a reality.  I would like to present vulnerabilities and threats of legacy web applications, and the countermeasures for the same, in my project.  I have listed down a few.  I would like contributions in these areas, and also pointers on anything else assiciated with legacy web applications.  The project is the OWASP Supporting Legacy Web Applications in the Current Environment Project.  For more information, please contact the project leader, Shruti Kulkarni.

New Support email is now available.  To reach a staff member, email:

appsec-horizontal-logo 3

OWASP AppSec USA 2013

The *draft* schedule is now published
OWASP Project and Leader Summit
Press Releases

Local and Regional Events

OWASP China 2013 Forum - July 12 - Dec 31, Bejing, Shanghai, and Guangzhou

LASCON 2013 - Oct 24-25, Austin, TX

Houston November Mini-Con - Nov 15, Houston, TX

OWASP BeNeLux - Nov 28-Nov 29, Netherlands

BASC 2013 - Dec 14, Cambridge, MA

AppSec California 2014 - Jan 27-Jan 28, Santa Monica, CA

Partner and Promotional Events

Hack in the Box - October 14-17;  Discount code for OWASP Members:  OWASP2013
Nullcon - India, Feb 12-15, 2014.  Call for papers is OPEN


Thank you to our Newest Corporate Member

Bank of NY Mellon

Thank you to our Renewed Corporate Members



OWASP Webinar Series

Wednesday, October 9, 2013
Live - Global Board Candidate Question and Answers

Interactive question and answer format for the Global Foundation Board Candidates.  Facilitated by Kelly Santalucia.

9pm EDT

smaller register 8

Wednesday, October 23, 2013

Live - Jason Johnson, Project leader - OWASP Hive Project:  Welcome to the Grid

Jason will walk us through the OWASP Hive Project - the HIVE project started out as an idea for a learning platform created by using some small, capable pc to do our bidding - now look at the progress!

10 am EDT

smaller register 8

9 pm EDT

smaller register 8

Wednesday November 6, 2013

Live - Kiran Karnan, Project Leader - OWASP Top Ten & BURP

Kiran will demonstrate the Top Ten using BURP

10 am EDT

smaller register 8

9 pm EDT

smaller register 8

Wednesday December 4, 2013

Live - Abbas Naderi, Project leader - OWASP PHP Security Project

Abbas will demonstrate the existing and planned features of his project

10 am EDT

smaller register 8

9 pm EDT

smaller register 8

The Global Webinar Series wants to feature your Project.  Please contact Kate Hartmann or Samantha Groves to schedule your project webinar.

Women in AppSec Selection Finalized

After careful consideration, the Women in AppSec selection team chose two winners this year for the Woman in AppSec fund.  They will each receive a free conference pass to AppSec USA 2013, a seat in the training class of their choice along with travel and accommodations to attend.  Please join in our congratulations to this year's winners, Nancy Lornston and Carrie Schaper.


Be sure to review the available materials and become an informed voter.

Upcoming Dates

October 9 - Q&A Webinar
October 14 - Voting Begins
October 25 - Voting Ends
October 29 - Election Result Announced


The Web Application Security Persons of the Year (WASPY) award nominees are POSTED

Show your support for the community by becoming a Sponsor of the awards.

Corporate sponsors AND Chapter sponsors are encouraged to participate


In case you missed it ...


The Global CTF was an outstanding success.  Initiatlly the honeynet had capacity for 200 active players, however,  the potential to scale up was quicly recognized.  With the assistance of the Instutute of Technology Blanchardstown, who provided additional servers and bandwidth, we ere able to extend the CTF capacity by and additional 25% with active players from all over the world from a variety of time zones.  Although everyone who took part, including teh organizers, learned lots and had fun - there can only be one winner ...

Top 10 Places & Scores

aaaaaa [1665]
reaver2121991 [1640
Orbiter [1539]
y0y0Hon3ySinghJ1 [1524]
ietians [1302]
cybercruiser [1290]
Mutantinmate [1284]
bannedXD [1278]
ntyeil [1277]
cia403 [1274]


Global Initiatives Metrics

504 unique volunteers

Volunteer Sign ups over Time


Leadership Status of New Volunteers


by canpaign


OWASP Ghana recognized in the fight against cyber crime!

Theo Sagoe and the OWASP Ghana team was recently recognized on national television news.  The spot highlights the need in the African Region for increased villigance and attention to cyber security.  Watch the youtube segment


No comments: