Monday, December 23, 2013

OWASP Media Project after AppSecUSA 2013

At last AppSecUSA, OWASP Media Project has put 43 videos online for 32 hours for the talks, and also 6 videos from the Project Summit for 2.5 hours of content. All of that was online live for the summit and less than 24 hours after for the first talks, then the rest was published in one week just after the conference.

Now for some stats, covering from November 17th 2013 to December 19th 2013.

We are at 11,289 views and 79,874 of estimated watched minutes.

Let me remind you that before that, we where at 245 views for 1,312 minutes, mainly from the OWASP Global Meetup live hangouts.

As for the subscribers, we are at 438 and we gained 442 of them with AppSecUSA efforts. We lost 4 hence the numbers.

The average view duration is 7:04 minutes, so 16% of the total times of videos. Since we have mostly one hour long videos, this is normal and in fact is probably a great number for YouTube.

Notables popular videos are:
OWASP Zed Attack Proxy - Simon Bennetts
2,126 views 17,712 minutes watched 8:19 avg

Top Ten Proactive Controls - Jim Manico
845 views 8,293 minutes watched 9:48 avg

What You Didn't Know About XML External Entities Attacks - Timothy Morgan
790 views 5,857 minutes wathced 7:24 avg

Finally, the countries with the top viewership:
United States37%
Canada 12%
United Kingdom4.0%

I must point out that we were watched in 114 countries in total. That's amazing and shows the power of OWASP worldwide.

With that big first step done, we will continue with our Roadmap and the next thing on the table is to present a Webinar on how to use Google Hangout with live YouTube streaming. We will also shake things with the Chapters by inciting them to use Hangout and YouTube in order to get more into the Global Chapter Meetings Project. This has great potential but is not really used right now for helping smaller chapters to get contents.

And and last, but not least, we are officially on the home page and we can control what is shown without having to edit the Wiki.

One thing that is sure, is that we need more people in OWASP Media project. The good news is, unlike most other OWASP projects, you don't need to be an application security specialist to be really useful, you just need to be motivated to share knowledge with the world. If you want to join us, contact Jonathan Marcil the project leader.

Thanks to all who contributed and helped with OWASP Media Project!

Visit us and subscribe:


Thursday, December 19, 2013

OWASP Annual Report RFP

OWASP Annual Report RFP


The Open Web Application Security Project (OWASP) is planning to develop a new design and formal execution of an online Annual Report.  The report will contain content and highlights to help tell the OWASP story for 2013 and also act as a representative source of financial in membership information for all visitors seeking to learn more about the organization and it’s programs and activities.

Content of the Annual report:

Items and areas to be considered:

  • Mission and purpose
  • Achievement Stories
  • Financial Report (s)
  • Milestones and Highlights
  • Conferences and Outreach
  • Charity Aspects of the Organization
  • Membership and chapters reports
  • Project Reports (releases, summit, awards, content)

All items will include a combination of text and graphics.


Annual Report Book Design
Website Design

Additional Requirements:

Establish and develop an overall theme statement and content outline that unites the online communications of the project with the goals and mission of the organization

OWASP Foundation will provide copy writing, style guide, data, editing, and community graphics

OWASP will own the rights to the website as well as an editable file of the print version


  • Deadline for submissions for quotes is January 15, 2014
  • Project will be awarded January 20, 2014
  • The finished report will be delivered by February 28, 2014

Submit your quote along with 3 examples of a similar project completed to

ESAPI Hackathon / Bug Bash Contest

Our very own OWASP ESAPI Project Leaders, Chris Schmidt and Kevin Wall, are hosting the OWASP ESAPI Hackathon starting on Friday, December 20th 2013 and ending on Monday, January 20th 2014. The aim of the ESAPI Hackathon is to encourage contributors to Implement modular security controls, fix existing bugs, provide reference implementations, and improve user documentation. 

Each participant will be evaluated by four judges, and prizes will be awarded to those who provide the most valuable contribution to the project. Here are the list of prizes:

First place: Apple iPad Mini and an ESAPI T-shirt

Second place: $30.00 (USD) Amazon Gift Card and an ESAPI T-shirt

Third place: $20.00 (USD) Amazon Gift Card and an ESAPI T-shirt

Fourth place: An ESAPI T-shirt

We encourage all those who can participate to contribute to the OWASP ESAPI Project. Please view the contributing guidelines wiki page for more detailed information on participant expectations. If you still require more assistance, please contact either, Kevin Wall ( or Chris Schmidt (

Download a pdf version of the guidelines here. 

Friday, December 13, 2013

OWASP Global Connector

OWASP Global Connector
December 13, 2013 | | | Contact Us | Brought to you by the OWASP Foundation
owasp projects

Featured OWASP Project

OWASP Application Security Guide For CISOs Project
Among application security stakeholders, Chief Information Security Officers (CISOs manage application security programs according to their own roles, responsibilities, perspectives and needs. Application security best practices and OWASP resources are referenced throughout the guide.

New OWASP Projects

OWASP Security Labeling System Project
The purpose of this project is creating a transnational and market wise software security labeling system. Security is invisible, so the OWASP labeling system will help to make it visible. The system consists of different kinds of OWASP security labels for Web applications and Software.

OWASP Financial Information Exchange Security Project
This project focuses on the FIX protocol with the aim of developing a java client to be used during security assessments of custom FIX implementations. The project will also produce best practice guidance for FIX protocol security. More to come soon ...

OWASP Reverse Engineering and Code Modification Prevention Project
The purpose of this project is to educate application security experts about the risks and appropriate mitigation techniques that organizations should implement to prevent an adversary from reverse engineering or modifying the developer's code within untrustworthy environments. More to come soon ...

Project Announcements

OWASP Code Review Guide Project
Message from Project Leader,Larry Conklin.
I am in need of authors to sign up to finish some chapters of the Code Review Guide V 2.0. I am hoping we can get twelve articles done by the first of the year.

Authors, if you want to write other content, please do so. We have a lot of work already completed. We need to finish this book. Please do not sign up for more than one article at a time. You can do more than one article, but lets concentrate on one thing at a time.
Remember - write in the wiki, write often, HAVE FUN.

For a comprehensive list of the sections needing an author, visit the Project Blog Post

Thank you to Dropbox, our newest Corporate Member


AppSec USA 2013 Conference Presentations are now available

Presentation Videos Available Here
Presentations (ppt and pdf) are available here

Global AppSec Events in 2014

AppSec APAC 2014 (March 17 - 20, Tokyo Japan) Call for papers/training open until December 15
AppSec LATAM 2014 - LATAM Tour (April 21 - May 12)
AppSec EU 2014 (June 23 - 26, Cambridge, UK)
AppSec USA 2014 (September 16 - 19, Denver, CO)

Upcoming Regional Events

AppSec California 2014 (January 27 - 28, Santa Monica, CA)
LASCON 2014 (October 21 - 24, Austin, TX)

Partner and Promotional Events

OWASP has partnered with these great events in beginning of 2014 to grow our community and build awareness around software security. If you want to learn more about OWASP's involvement or will be attending and want to help out contact us

Nullcon (February 12 - 15, Goa, India)
Security, Management, Audit Forum 2014 (February 19 - 20, Poland)

Support the OWASP Foundation while finishing your Holiday Shopping

The OWASP Foundation is enrolled with Amazon Smile. When you shop at Amazon by clicking the logo below, OWASP will receive 0.5% in donations.
Thank you for your continued support!
Amazon Smile

Got Questions?

The OWASP Foundation is a community of security professionals. Tap into the collective knowledge by submitting your security questions to the Security 101 mailing list. Subscribe to the list
webinar globe


The Cavalry Is US: Protecting the Public Good - Nicholas Percoco and Joshua Corman
(Recorded at AppSec USA 2013 in New York, NY)
This session will both frame the plans to engage in Legislative, Judicial, Professional, and Media (hearts & minds) channels and to organize and initiate our constitutional congress working sessions. The time is now. It will not be easy, but it is necessary, and we are up for the challenge.

December 18, 2013 at 10am EDT
Register Here
December 18, 2013 at 9pm EDT
Register Here
Links to the recordings of previous meetings can be found on the Initiatives Page
The Board of Directors have recently approved three new OWASP Project related policy and guideline documents. They outline the rules of engagement for grant spending, project spending, and project sponsorship.

The Grant Funding and Spending Policy lists the ways in which grant awarded funds are to be managed and spent.

The Project Spending Policy outlines how project junks can be spent, and what appropriate project expenses are.

The Project Sponsorship Operational Guidelines aims to provide clear expectations of how sponsors and projects are expected to interact when sponsorship funds are given to a project.
To view the documents, please click on the corresponding link.
Social Media

OWASP Foundation Social Media

Google +

Thursday, December 12, 2013

12 Days of Christmas w/ Hacker Claus

Ok builders, breakers and defenders.... gather around the FIREwire and sing with me;

On the 1st day of Christmas a malicious hacker faxed to Johnny <pause> poof of SQLi in his production website (database using SELECT * FROM members WHERE username = 'admin'--' AND password = 'password') with a username list

On the 2nd of Christmas the hackers gave to Johnny Cross Site Scripting vuln in his high risk web application <IMG SRC="javascript:alert('XSS');"> that his automated scanner missed and a link to OWASP Cheat Sheets and Core Rule Set  suggestions for monitoring and potentially blocking the input, output, or system service calls. 

On the 3rd day of Christmas the hackers gave to Johnny Insecure Direct Object Reference on a critical system that provided full admin access to the application because....  Johnny made a mistake and forget to add a rule to deny any to a obscure management port

On the 4th day of Christmas the hackers gave to Johnny.... A FREE .PDF Book on how to find application security flaws and the NEW video series from AppSecUSA 2013 (43) Videos and 32 hrs of content

On the 5th day of Christmas the malicious hackers parked in front of Johnnies favorite coffee shop and conducted a man-in-the-middle hot-spot honeypot -- then proved to Johnny that "Password1" is not a good password and how quickly a hash can be cracked

On the 6th day of Christmas the hackers gave to Johnny code snips of critical system code on the new secret internal project that they picked up from PasteBin

On the 7th day of Christmas a hacker breached Johnnies door using a "9999" cut bump key on door #1, a shim on the padlock that secured important information and placed a "boom" sign inside my top right desk draw that was locked to prove a point about my lame physical security... --- seems they also drank his 18 year old scotch too!

On the 8th day of Christmas the hackers returned to Johnny a bag of dumpster diving treasure to point out lack of cross-cut shreder  that included bills from trusted vendors with account info, credit card carbons, internal printed emails, customer data and more...

On the 9th day of Christmas hackers hacked Johnny via an email aimed at his wife concerning a refund of a holiday purchase with targeted malware using a custom packer that bypassed my installed and updated corporate AV investment.  After getting a remote shell they then popped Johnnies work laptop that was also connected to my home network that was unpatched due to the holiday freeze then exported the cert on the VPN client installed a keystroke logger on the computer that I use for business to capture the password....  ouch..

On the 10th day of Christmas the hackers gave to Johnnie a FREE audio blog to help educate him

On the 11th day of Christmas the hackers knocked down my e-commerce website during the busy online shopping season with a Denial of Service Tool 

On the 12th day of Christmas hackers mailed a link... Johnny noticed his company was on the list of incidents involving the breach of personally identifying information (PII) and his information may have been in a dump of over 2M users due to his machine was infected with malware from Day #1

...... as a result he reached out to the LOCAL OWASP Chapter and started to ask questions, review the OWASP Foundation website and intresting projects including the  Enterprise Security API (ESAPI), Free Videos, Guidance on Mobile Security, Jobs Postings from around the world and over 100+ other projects:

May all your Christmases be 

Labels: , , , , , ,

Monday, December 9, 2013

Code Review Guide Project: Message from Project Leader Larry Conklin

I am need for authors to sign up for the following….
  1. Manual Review - Pros and Cons (
  2. 360 Review: Coupling source code review and Testing / Hybrid Reviews (
  3. Code Review Approach ( I am not sure about this subject. It seems to me it would be covered in the above section under Code Review Introduction.
  4. Application Threat Modeling ( Update this section. I am going to take this one.
  5. Understanding Code layout/Design/Architecture (
  6. SDLC Integration ( Update this section
  7. Secure Deployment Configuration (
  8. Metrics and Code Review ( Update this section
  9. Source and sink reviews (
  10. Code Review Coverage ( Update this section
  11. Risk based approach to Code Review (  I am not sure about this subject. It seems to me it would be covered in the above section under Coder Review Introduction.
  12. Code Review and Compliance (  Update this section
I am hoping we can get these twelve articles done by the first of the year. Hey its christmas time of the year for some of us so 12 articles and 12 days of christmas kinda go together. :-) 

Authors if you want to write other content please do so. We have a lot of work already completed In trying to get the holes filled in for the for the first two sections this way we can get reviewers to begging on the first two sections and make some changes to the structure of the content so it is more in book form. 

I have taken off names of authors who have not contributed any work. If your name was talked off and you wish to contribute to this project you can. You have not been kicked off the project. I need to make sure content gets created and we have great technical content. Your name hanging out there with no contribution may discourage another author in helping with the subject.  

All, We need to finish this book. Please do not sign up for more then one article at a time. You can do more than one article but lets concentrate on one thing at a time.

Remember…Write in the Wiki, Write often, Have fun.

Larry Conklin, CISSP