Tuesday, November 26, 2013

OWASP Global Connector November 26, 2013

2013 Project Summit

I just wanted to take some time to thank all of the OWASP Project Leaders that participated in last week's project talks, and the OWASP Project Summit at AppSec USA in New York. Both activities were great successes. They could not have been as terrific without your hard work, dedication, and contributions. I hope to see you again next year!

Samantha Groves

Project Announcements

OWASP Media Project

Jonathan Marcil, project leader, was at AppSec USA this past week recording our attending Project Leaders' presentations during the Summit. We now have an excellent collection of talks on our OWASP YouTube channel. If you want to watch, please visit our official YouTube channel.


Thank you to our Newest Corporate Member

Micro Trend

Thank you to our Renewed Corporate Members

Best Buy

Proposed Change to Corporate Membership Model

Comment Period Open

The board voted to move to a tiered corporate membership model. This enables organizations to support OWASP at a variety of levels. We are still working on the details of the updated membership matrix. We are seeking input and feedback from current and potential corporate supporters on the proposed model.

Please take a few minutes to review the proposal and provide us with your feedback.  You can email us at support@owasp.org

New Membership Model Proposal

Thank you to EVERYONE who helped out with the OWASP Foundation AppSec USA 2013 event. In total we raised over $250,000.00 for OWASP Foundation and earned a few media hits that mention the event, in line with our mission of raising awareness. The videos will be online here: Global OWASP YouTube Channel.

2014 Global Conference Schedule:  

AppSec APAC 2014 - March 17-20, Tokyo, Japan  CALL FOR PAPERS/TRAINING IS NOW OPEN
AppSec EU - June 23-26, Cambridge, UK
AppSec USA - September 16-19, Denver, CO

Local and Regional Events

OWASP BeNeLux - Nov 28-Nov 29, Netherlands

AppSec California 2014 - Jan 27-Jan 28, Santa Monica, CA 

Partner and Promotional Events

OWASP has partnered with these great events in the latter half of 2013 to grow our community and build awareness around software security. If you want to learn more about OWASP's involvement, or will be attending and want to help out, contact us.

Atak i Obrona (Attack & Defense) 2013 - Poland, November 26

Cloud Security Alliance Congress 2013 - Orlando, FL, December 4-5 - OWASP Members receive a 10% discount by using discount code:  CSA13/OWASP

Winter Hacker Festival 2013 presented by HackMiami - Miami, FL, December 5-7

Nullcon - Goa, India, Feb 12-15, 2014  Call for papers is open.  Submit here

Security Management Audit Forum 2014, Poland, February 19-20

Congratulations to the 2014 Foundation Board of Directors

Board Chair
Michael Coates

Vice Chair
Tom Brennan

Josh Sokol - NEW

Tobias Gondrom - NEW

Members at Large
Fabio Cerullo - NEW
Eoin Keary
Jim Manico

Also, many thanks to Sebastien Deleersnyder and Dave Wichers for their many years of service on the OWASP board.  While their involvement on the board will be coming to a close at the end of 2013, we fully expect we will continue seeing them at many AppSec and other OWASP events.

More information on the election and the candidates can be found on


Global Webinar Series

December 4th
Abbas Naderi
PHP Security Project

Abbas will walk us through the PHP framework and demonstrate proper usage of the tools and libraries.

10am EST - LIVE

9pm EST - Recorded Session

Updated OWASP Brand Resources

A comprehensive library of OWASP images, logos, avatars, and other marketing resources, as well as the research used to create these new logos, is now available on the wiki. Please use these images and brand guidelines when editing and creating content on behalf of OWASP.



Monday, November 25, 2013

AppSec APAC 2014. Call for papers and training open until December 15, 2013

The OWASP Japan Chapter is accepting papers and training submissions for AppSec APAC 2014, March 17-20, Tokyo.

We're accepting sessions in the following topics:
  • Security aspects of new web technologies (HTML5, CSP, etc.)
  • New Attack and Defense
  • Mobile security
  • Cloud security
  • SDL
  • Automated security testing
  • Security awareness and education
  • Threat modeling
  • Secure coding and code review
  • OWASP Projects
  • Case Studies
  • Legacy system and maintenance

If you want to present a session in Tokyo, now is the time to send an e-mail to the selection committee at appsec-apac2014@owaspjapan.org providing them with:
  • Title of your presentation or training session.
  • Presentation type (talk or training).
  • Language: Please note that all proposals and presentations must be in English or Japanese.
  • Short description: A summary of the main idea of your proposal. Absolute limit of 30 words.
  • Abstract: A concise description of the purpose, methods, and implications of your presentation. Length 150-200 words.
  • Previous speaking experience (or references).
  • Your bio.
  • Your e-mail.

Important Dates
  • The call for papers and training ends December 15, 2013 at 11:59PM JST.
  • Notification of acceptance: January 5, 2014

For more information please visit AppSec APAC 2014 Call for Papers and Trainings.

We are looking forward to seeing you in Tokyo!

AppSecUSA 2013 Wrap Up

I wanted to take a moment to thank EVERYONE who helped out with the OWASP Foundation AppSecUSA 2013 event.

In total we raised over $250,000.00 for OWASP Foundation and below I have included just a few media hits that mention the event in line with our mission of raising awareness. If you have additional items that I missed, please add them in the comments.

A FAQ has been about the videos: we have them coming online here: http://www.youtube.com/user/OWASPGLOBAL

Semper Fi,

Tom Brennan

AppSec USA Hits:

Study: Most Application Developers Don't Know Security, But Can Learn
Dark Reading

Hack-a-thon Finds 220 Bugs in Facebook, Google, Etsy

How Facebook reveals your friends list even when it’s set to private

Going Back to the Future in the Name of Good Security

Moving from Do Not Track to Can Not Track

"Let's Do Security That Matters"

Information Security: We Still Have a Long Way to Go

Where Developers are Dropping the Ball – OWASP AppSecUSA
Information Security Buzz

If you are running your business on a mobile device you may be putting your customers at risk

iOS Point-of-Sale Devices Pose Security Risk
eSecurity Planet

Wait, wait… don’t pwn me! – Game show on security news
Trusted Software Alliance

OWASP Foundation: New York Times CTO; Senior Executives from HP, Oracle, Bloomberg LP Among Confirmed Speakers For AppSec USA
Dark Reading

Security: I think we can win

The perilous future of browser security

Training developers at appsecusa

Build but don't break

HTML 5: Risky Business of Security Tool Chest?

What could go wrong – thinking differently about security at app sec usa

Java and Oracle on security at app sec usa

DevOps and Portfolios

Accidental Abyss: Data Leakage

Introduction to the newest addition to OWASP Top 10

Everything we know about Web security is wrong

Not All CSRF Defenses are created Equal

AppSensor at AppSec USA in New York
Web Security, Usability and Design

AppSec USA 2013

Bombshell Tech
AppSec USA 2013

AppSec USA, November 18-21, NYC
Software Developers' Journal

OWASP Foundation Presents: AppSecUSA 2013
Gary's Guide

OWASP AppSec USA 2013
Government Security News

OWASP AppSec USA 2013
Homeland Security Today

At @appsecusa hearing @joshcorman & @c7five discuss hacking cars, pacemakers & insulin pumps. Scary, sobering stuff.

Had an eye-opening experience at @appsecusa.

AppSecUSA Photos and comments from the show floor

Did we MISS SOMETHING? Add it to the comments.

Monday, November 18, 2013

The Great OWASP Bug Bash of 2013

OWASPers -

CALLING ALL SECURITY NINJAS… Whether you’re attending Appsec in person or in spirit, you’re invited to join Bugcrowd and the OWASP team as we unite hackers across the world for the first ever Internet-wide bug bash.

This collaborative hack-a-thon will feature testers and providers of public bug bounty programs finding bugs in the world’s largest Internet companies! Companies contributing to bounty programs, including Prezi, Facebook, Google and Yandex, will be present to meet and greet those responsible for improving global application and internet security. No need to worry about protecting your identity, masks will be provided!

The Inaugural Wall of Bugz, music, drinks, hacking contests, special prizes, the world’s largest gummy bug and more!

Bug Bounty programs have been getting a lot of press lately, and for good reason. They work. Bugcrowd will be running this event live from 8-12 every night during Appsec USA 2013 and we actively encourage OWASP members around the world to participate.

Just some of the targets to pick from: https://bugcrowd.com/list-of-bug-bounty-programs/

To participate, join us at the event:
When: Monday & Tuesday Night 8pm – 11:59pm
Where: 16th Floor Skylobby
When: Wednesday Night 8pm – 11:59pm
Where: 5th Floor Ballroom

For the global ninjas who wish to participate remotely, click this link to play: https://www.bugcrowd.com/owasp/

Want to participate in Team OWASP and work together to find vulnerabilities with the proceeds benefiting OWASP?

Here is our disclosure agreement (download)

Team OWASP - Bug Bounty Program Agreement

I agree to participate on Team OWASP, and share information amongst the team for purposes of collaborating on finding and disclosing security vulnerabilities in the authorized bug bounty programs listed below.

I will respect and follow the guidelines for responsible disclosure set forth by the authorized bug bounty programs. If you have questions about the details of these guidelines, please read the information provided on the links below.

For example, here are the first two items on LinkedIn’s responsible disclosure policy:

I agree that any awarded bounties for vulnerabilities found by Team OWASP will be paid directly to the OWASP Foundation.

With mobile app:
Web related apps:
Open source:

Name Printed

_________________________________                   _______________________
Name Signed                                         Date

Friday, November 15, 2013

ESAPI Hackathon at AppSecUSA

The ESAPI Hackathon Sessions will be going on throughout the Project Summit in New York.

Details and agenda available on: http://sched.co/1gFni6y.

Timing: Monday, Tuesday, Thursday, November 18, 19, 21, 2013, 10:30am - 5:00pm
Wednesday, November 20, 2013, 12:00pm - 5:00pm

Location: Sky Lounge (16th Floor) (NY Marriott Marquis)

In this hackathon we will focus on building modular security controls that can be plugged in to the brand new ESAPI 3.0 framework, allowing developers to quickly and easily integrate the security controls they need into their projects. During the hackathon, the ESAPI leaders will be on-site to get the effort kicked off, join in the coding fun, and present awards for submitted components on the final day! Join us to leave your mark on one of the most visible OWASP Code Projects in our arsenal, and help make tomorrow's applications more secure!

Take part in building the next generation of the Enterprise Security API.

To participate in the ESAPI Hackathon, add the session to your schedule on: http://sched.co/1gFni6y.

See you in New York!

Friday, November 8, 2013

2013 Project Summit: Academies and Training Invitation to the Community

Education and training are an important part of OWASP's mission, as they help not only in increasing awareness around application security but also in actually improving the security of applications.

The OWASP Academies program aims to bring together academic institutions from all over the world in order to collaborate towards increasing awareness on application security. The OWASP Academy Portal is the actual deliverable of this process: a portal that will provide various types of content (presentations, labs, etc.) to students and faculty who wish to learn or teach application security.

We would like to invite you to join us in the OWASP 2013 Projects Summit, which is organized during OWASP AppSec USA 2013 in New York City from November 18th to November 21st.

During the Projects Summit we intend to kick start the Academy Portal, complete the initial design and add some actual content. The OWASP Academy Portal will then serve as the meeting point for application security in academia. Moreover, we will discuss various training models and the experience we have gained over the past years in order to build a model that will subsequently be used to train developers and anyone involved in securing applications.

The OWASP 2013 Projects Summit will serve as a meeting point for several members of the educational and academic community and a unique opportunity to network, collaborate, and exchange ideas and experience.

The OWASP Project Summit is a smaller version of the much larger OWASP Summits. This year’s summit aims to give our project leaders the opportunity to have attendees sit down and work on project related activities during AppSec USA. It is an excellent opportunity to engage with active OWASP Project Leaders, and it gives project leaders the chance to move forward on their project milestones while meeting new potential volunteers that can assist with future milestones.

To participate in the Projects Summit, register for FREE for the “Expo and Career Fair Only Pass” and use the following discount code at checkout: NYC13_SUMMIT.

Looking forward to working with you during the OWASP 2013 Projects Summit,

Dr. Kostas Papapanagiotou
Martin Knobloch
Samantha Groves

Thursday, November 7, 2013

AppSecUSA Update

AppSecUSA is 10 days away. Are you READY?

What to expect? Listen to the interview.
With a SOLD OUT expo, (5) hard-core, (2) day training classes and over (150) speakers, panel and summit members, this will be the LARGEST OWASP APPSEC EVENT.
The local chapter team and staff have been working for many, many months to bring together the most amazing content focused on SOFTWARE SECURITY.
Direct link to mobile schedule: http://appsecusa2013.sched.org/
BASIC BADGE - $50; use code "NYCOWASP!" to "bypass" that <grin>. Everyone must register.
FULL BADGE - to attend ALL briefings, sessions and receptions you will need a full badge. We can offer a (5) pack for only $2,475, a 50% discount at only $495 each. So now's the time to make a friend, grab your office peers and contact us, or pick up individual badges at the now current and full price; see website: http://appsecusa.org/2013/register/
a) Want to LIVE HACK the largest commercial companies in the world and NOT GET ARRESTED? Join us for the bug bounty LIVE HACKING on the 18th and 19th overlooking the NYC skyline, and on the 20th in the main salon.
b) Special thank you to our sponsors; without them this event would have never been possible in TIMES SQUARE, NYC. Come have a BLOODY or BEER and thank them all for supporting this community of builders, breakers and defenders: http://appsecusa.org/2013/sponsors/
c) Are you a tweeter? Follow the LIVE updates @appsecusa and add hashtag #appsecusa, and also come by and say hello to TWITTER during the career fair; they are hiring, you know...
d) Do YOU want to lead the NYC Chapter or New Jersey chapter in 2014? Attend this session and join the local team: http://appsecusa.org/2013/activities/chapter-leader-workshop-sessions/

Semper Fi,
Tom Brennan