Friday, February 28, 2014

Your chance to share your work with your colleagues: do not miss the opportunity.

Call For Papers and Training are now open for AppSec Europe 2014

Share your ideas and learn plenty of new ones in Cambridge, UK, June 23rd-26th. OWASP invites you to join top security architects, developers, technology thought leaders, and executives from Fortune 500 firms to the Global AppSec Conference.

Both research papers and experience papers among with trainers pertaining to all aspects of web application security are solicited. Applications should describe new ideas, new implementations, or experiences related to web services and application security. We explicitly encourage members of the Web security community to explore leading-edge topics and ideas.

Hence this is an opportunity for you to talk about the latest research on a myriad of topics related to web security, as well as establish connections between developers, security experts, and business leaders who are all stakeholders in ensuring applications are as secure as possible.

We are looking forward to reading your submission. Apply HERE by March 21st. 

Friday, February 21, 2014

I feel so lucky to be among the crowd attending AppSec APAC 2014 in Tokyo. Are you going to miss it?

“I'm back to Tokyo tonight to refresh my sense of place, check out the post-Bubble city, professionally resharpen that handy Japanese edge. If you believe, as I do, that all cultural change is essentially technology-driven, you pay attention to Japan. There are reasons for that, and they run deep" William Gibson

Suguru Yamaguchi, the former chief information security advisor to the Japanese government is one of the many highly-wel known and highly respected speakers who are on the program for OWASP AppSec APAC 2014. The premier security event for Builders, Breakers and Defenders will be held in Tokyo, March 17th-20th  at the Solar City Conference Center.

In addition to the conference, attendees can register for five different training sessions about: Mobile Security, Secure Web Development, Penetration Testing and Web & Application Security. REGISTRATION is limited, so we encourage to secure your spot early.

Numerous attractions are also planned including Women in AppSec APAC event, a Networking party, an Exhibitors area, the AppSec Students program, Open Mic sessions and a half-day Tokyo tour during cherry blossom season.

For a complete schedule and more details, please visit:

See you soon in Tokyo.

Thursday, February 20, 2014

2014 AppSec APAC – History and Overview (Japanese and English)

I was able to have a wonderful conversation with Riotaro Okada and Robert Dracea this morning, talking about the upcoming 2014 AppSec APAC Conference in Tokyo. This interview is unique, in that we have the English and Japanese responses integrated into the conversation.
This is the first event of its kind in Japan and you can tell the locals are very excited about the possibilities, from internationally recognized speakers to showing visitors the hospitality of Japan. We begin the discussion with how the Tokyo OWASP Chapter was started and how it led to the AppSec APAC Conference.

Riotaro Okada Researcher
Born in Kobe, Hyogo Prefecture, Japan, Mr. Okada has over 20 years of experience in software development and network construction. He has been involved in network construction, software development and the implementation of information security measures at independent software development companies, the R&D divisions of manufacturing companies as well as consulting firms. Mr. Okada has also facilitated various technology-related communities such as for Linux and PHP. In 2004, he founded the Web Application Security Forum and as a member of the board became involved in the diffusion of security-related information. Moreover, he was also a researcher at the Information-technology Promotion Agency, Japan (IPA) for 8 years, and responsible for the IT strategy as well as disaster response projects at various government organizations. Mr. Okada is the co-leader of OWASP Japan since its founding, is CISA certified and holds an MBA from BBT (2009).
Robert Dracea 
Mr. Dracea is responsible for the global strategy of a Japanese internet service company. With the mission of better sharing Japan’s advanced technological power with the world, from a business perspective, he has successfully architected numerous alliances and tie-ups both domestically in Japan as well as overseas. Additionally, he has also, on a volunteer-basis, conducted the translation and interpretation at multilingual OWASP Meetings. Mr. Dracea has been since its founding a member of the OWASP Japan Advisory Board.

Tuesday, February 18, 2014

AppSec USA 2013 – Mark Arnold Talks about the Boston OWASP Chapter

Mark Arnold helps run a very successful OWASP chapter in Boston. In this extended discussion, I talk with Mark about why the chapter is doing so well, what lessons others could learn from his chapter’s success and what he would like to see happen to gain a broader audience for the group.

Listen to the Full Interview

Thursday, February 13, 2014

OWASP Global Connector

OWASP Global Connector
February 12, 2014 | | | Contact Us | Brought to you by the OWASP Foundation
owasp projects

Featured OWASP Project

OWASP OWTF, the Offensive (Web) Testing Framework, is an OWASP+PTES project focused on trying to unite great tools to make pen testing more efficient. OWASP OWTF is a project focused in the area of offensive security testing where the goal is to unite a vast set of the greatest pen-test tools, PoC code and custom tests, and to organize this information in an interactive way to make testing as efficient as possible for pen-testers.
For more information, please contact the Project Leader, Abraham Aranguren.

New OWASP Projects

OWASP Encoder Comparison Reference Project
The OWASP Encoder Comparison Reference Project is a quick reference for how ESAPI and other frameworks and native language encoding methods work against ASCII characters. It is a Web 2.0 web application that allows users to choose which encoder libraries to compare. It should compare ESAPI as well as others. Deliverable includes the source code to the web application hosted version so that users can access this tool without needing to download, install, configure, etc.
For more information, please contact the Project Leader, Stephanie Tan.
OWASP Ultimatum Project
The OWASP Ultimatum Project will be an all in one vulnerability testing tool that will automatically keep updating so that it has the latest vulnerability information on which it can work on. The product can also be used to pen-test different web server applications. It will be a web application testing tool that will be able to identify spam, malware embedded in an email attachment, or any of the pdf or doc sent over e-mail, etc.
For more information, please contact the Project Leader, Robin Nayak.
OWASP Book Project
The OWASP Book Project will b a consolidated publication with a collection of research papers that will be donated to OWASP. The Leader aims to assemble research focused on web application penetration testing into one book to give contributors an opportunity to share their knowledge and experience.
For more information, please contact the Project Leader, Ahmed Neil.
OWASP Open Cyber Security Project
The OWASP Open Cyber Security Framework Project's aim is to create a practical framework for cyber security. Currently there are some frameworks from NIST or from ISACA for example and other paid or local frameworks, but there is no open framework that any governments or organization are able to adopt.
For more information, please contact the Project Leader, Mateo Martinez.

Project Announcements

OWASP CISO Survey Report 1.0
The OWASP CISO Survey provides tactical intelligence about security risks and best practices to help CISOs manage application security programs according to their own roles, responsibilities, perspectives and needs. Project Leader, Tobias Gondrom, has released the report today.
For more information, please contact Tobias Gondrom.
OWASP Java Encoder 1.1.1 Released!
The OWASP Java Encoder is a Java 1.5 simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
A huge thank you to Jeremy Long and Jeff Ichnowski for their gracious volunteer time and expertise in working on this project. Happy Encoding from the OWASP Java Encoder Team: Jim Manico, Jeff Ichnowski, and Jeremy Long - OWASP Java Encoder Project
OWASP iGoat Project looking for help!

Are you an objective C programmer? The short-term need for OWASP iGoat is basic code maintenance. There are a couple of deprecated (in iOS 7) methods that are used in OWASP iGoat. We need a developer to read through those (2 instances) and decide how to replace them. The project is also looking for a developer to help implement a couple new exercises.
If you are able to help, please contact Ken van Wyk.
Project Review Assistance Required!
We would like to ask the OWASP Project user community to take a bit of time to fill in a short survey that we will use to assess the Usability and Value of our projects. We are currently focusing on the following projects. If you are a user, please fill out the survey below. Thank you, Leaders.
OWASP Cheat Sheets Project
OWASP Java HTML Sanitizer Project
OWASP Xenotix XSS Exploit Framework Project
OWASP Cornucopia Project
OWASP Java Encoder Project
You can find the assessment survey here: Project Usability and Value Assessment. For more detailed instructions on how to submit your comments, please contact Samantha Groves.

Global AppSec Events in 2014

AppSec APAC 2014 (March 17 - 20, Tokyo Japan)
English Website
Japanese Website
Training March 17-18, Conference March 19-20
Full Schedule of conference training and talks is now available
Sponsorship opportunities are still available

  • Training March 17-18, Conference March 19-20
  • Conference Training and Talks have been posted
  • Early Registration deadline is February 1
AppSec LATAM 2014 - LATAM Tour (April 21 - May 12)
In 2014, instead of holding an AppSec LATAM Conference, we organizing a LATAM Tour which we hope will bering together LATAM community members together to spread the OWASP mission. Here are the sheduled stops for the tour:

  • April 21-22, Costa Rica (San Jose)
  • April 22-23, Chile (Santiago)
  • April 23-24 Ecuador (Quito & Guayaquil)
  • April 25-26 Peru (Lima)
  • April 28-29 Panama (Panama)
  • April 29-30 Uruguay (Montevideo)
  • May 5-6 Venezuela (Caracas)
  • May 6-7 Colombia (Bogota)
  • May 8-9 Argentina (Buenos Aires)
Sponsorship Opportunities are available as well. Please find further information on the Tour Wiki Page.
AppSec EU 2014 (June 23 - 26, Cambridge, UK)

AppSec USA 2014 (September 16 - 19, Denver, CO)

  • Training - September 16-17, Conference - September 18-19
  • Sponsorship packages are now available.
  • More information on the call for papers and training - Coming Soon

Upcoming Regional Events

OWASP is offering a FREE Developer Bootcamp in San Francisco on Monday, Feb 24, 2014. Register now to secure your seat!
LASCON 2014 (October 21 - 24, Austin, TX)

Partner and Promotional Events

OWASP has partnered with these great events in beginning of 2014 to grow our community and build awareness around software security. If you want to learn more about OWASP's involvement or will be attending and want to help out contact us
Nullcon (February 12 - 15, Goa, India)OWASP Members receive a 20% discount off of the general event registration fee by using
Confoo 2014 - Montreal, Canada (February 24-28)
Security, Management, Audit Forum 2014 (February 19 - 20, Poland)
InfoSec World Conference & Expo 2014, April 7-9, 2014. OWASP Members receive a 10% discount off the standard conference registration fee by using discount code: OS14/OWASP
Cyber Security Summit, April 9-10, 2014. Prague, Czech Republic. OWASP Members receive a 20% discount off of the general event registration fee by using THIS LINK
THOTCON - Chicago's Hacking Conference, April 25, 2014, Chicago IL. Tickets

OWASP Quarterly Journal Initiative

The OWASP community contains many of the most brilliant minds in software security. One of the challenges we face is that, despite our global scope, there are many concepts, research, tools, and techniques that are often not circulated as broadly as they should be.
A suggestion was made by several to create a quarterly publication that would further meet the needs of the software security professional, and help spread our mission and our resources beyond current limitations.
Through the initiatives, a task force has formed to work on accomplishing this. The team, in their wisdom, has asked that the community provide input on what we feel is missing from other industry publications, and what direction this team should take.
Please take a few seconds to provide your input to the team. Submit your comments HERE

Thank you to our newest Corporate Members: OneConsult GmbH and BCC Risk Advisory

Thank you to Oracle for their renewal!


OWASP is Hiring!

OWASP is looking for a talented professional to fill each of the following positions:
OWASP Community Manager; Full Time; Salaried
The OWASP Community Manager is responsible for coordination and oversight of volunteer opportunities and initiatives for the OWASP community. Furthermore, this position will focus on providing operational support to OWASP Chapters globally and is responsible overseeing and disseminating the organization’s policies, objectives, and initiatives as they relate to OWASP Chapters.
Details about the position
Graphic Designer; Part time; hourly; contractor

The Graphic Designer is responsible for oversight and development of company promotional materials both for print and for the web. The OWASP Graphic Designer will be responsible for the visual identity and visual brand consistency of all materials and graphic content created and used by the OWASP Foundation.
Details about the position
Complete information on the hiring process, including application deadlines, please visit the complete Blog Post

Just for Fun

We would like to congratulate David Smolikhagen for submitting the first correct response to last issue's puzzle. Here is the question followed by David's response. Thank you to everyone who submitted your response. If you missed the question, you can find it on the OWASP Blog
Alice still won the race. Alice would have caught up to Bob at the 95 yd mark and since she is running a little bit faster than Bob, she would have covered the remaining 5 yds faster than Bob (unless he's some super macho guy who wasn't gonna be beat by a girl twice, and he dug deep and poured on something extra for those last 5 yards! ;-D ).
This issue's challenge
The Blue Knight usually rides to the World’s End Pub after a long day, and walks back to the castle. It takes her an hour and a half. When she rides both ways it takes 30 minutes. How long would it take her to make the round trip on foot?
Please submit your answers HERE

OWASP Member Spotlight - Oana Cornea, Bucharest, Romania

As an organization driven by it's membership community, it's high time we dedicate some space to recognizing YOU!

Oana Cornea got involved in OWASP in January2013 when she wrote an iOS Cheat Sheet for the Cheat Sheet series. It's been full steam ahead since then for Oana and the team in Romania.
Oana says: "I am working as an application security analyst at Electronic Arts, in Bucharest, Romania. I am a Computer Science graduate with a Master in Information Technology Security and I have been working in the field of IT security for almost 4 years.
I've learned a lot from the Owasp docummentation available on the website so, I've decided to give something back and get involved. I've decided to be active in this community, to learn more and to promote software security.
The first Owasp event in Romania was part of the Europe Tour (May 2013). Since then, I organized another one day conference event in October 2013 and we started to have regular chapter meetings.
Over the past months we evolved and I've managed to get more people involved in the local Owasp Chapter to promote software security. Many people volunteered, together with the board members Dan Vasile and Ionel Chirita, and helped organizing these events and meetings.
It is a great experience and I am very happy to be part of the Owasp community!"

Tuesday, February 11, 2014

OWASP is Hiring!

OWASP is looking for a talented professional to fill each of the the following positions:

OWASP Community Manager

Full time, Salaried

The OWASP Community Manager is responsible for coordination and oversight of volunteer opportunities and initiatives for the OWASP community. Furthermore, this position will focus on providing operational support to OWASP Chapters globally and is responsible overseeing and disseminating the organization’s policies, objectives, and initiatives as they relate to OWASP Chapters.

Details about the position: 

Graphic Designer
Part time, hourly, contractor

The Graphic Designer is responsible for oversight and development of company promotional materials both for print and for the web. The OWASP Graphic Designer will be responsible for the visual identity and visual brand consistency of all materials and graphic content created and used by the OWASP Foundation.

Applications for both positions are being accepted until February 25, 2014 with interviews immediately following with a final decision made by March 4, 2014.

How to apply: Email a cover letter and resume with your name and the position you are applying for in the subject line to

Please help us spread the word about the position by posting to your chapter/project lists, adding to applicable job boards, or forwarding to any individuals that you think would be interested.

Friday, February 7, 2014

AppSec Europe 2014. 

Call for Papers, Call for Presentations, Call for Training 

is OPEN! 

Important Dates:

CFP/CFT Open: Feb 1st
CFP/CFT Closes: March 21st
Acceptance Notification: April 25th
Conference Schedule Publication: May 16th

We invite all practitioners of application security and those who work or interact with all facets of application security to submit speaker and trainer proposals.
For more information, read the appropriate document:
All submissions should be sent via EasyChair. Please select the appropriate track once you have registered.

Thank you BCC Risk Advisory  for supporting OWASP as a Corporate Member!

Wednesday, February 5, 2014

Women in AppSec: Apply for a chance to attend AppSec APAC 2014 in Tokyo, Japan!

To start off the global conference season, AppSec APAC will be hosting the Women in Application Security Program for the first time. The OWASP Foundation, in recognition of value to both organizations and society, is working to support and enhance programs that increase the participation of women in the field of application security. As part of this effort, OWASP will be sponsoring one applicant from the Asia Pacific region to attend OWASP AppSec APAC to be held in Tokyo, Japan in March 2014.

Attendance for one woman to the OWASP AppSec APAC 2014 conference, and at least one in-depth training session, will be the award for this year’s winner. The winner will also be required to give a 30-minute talk while at the conference. The full award will cover the conference fee, training fee, travel and accommodation for the successful applicant.

If you are a woman traveling from the Asia Pacific region, then we encourage you to apply for a chance to win an opportunity to attend the conference. The winner will be announced February 28, 2014, and she will participate at AppSec APAC in Tokyo March 17-20, 2014.

For more information, please contact Samantha Groves ( 

Tuesday, February 4, 2014

Please welcome OWASP's newest Corporate Member OneConsult (  Thank you OneConsult for supporting OWASP!

Monday, February 3, 2014

OWASP ESAPI Hackathon Winners!

Hello Leaders,

I am happy to inform you that our judges have finished choosing the winning candidates for the OWASP ESAPI Hackathon. If you recall, the aim of the ESAPI Hackathon was to encourage contributors to implement modular security controls, fix existing bugs, provide reference implementations, and improve user documentation for the OWASP ESAPI Project. I would like to thank our Hackathon judges for their work in reviewing and selecting the winning contributions. Thank you, Kevin Wall, Chris Schmidt, Jim Manico, Jeff Williams, and John Melton. 

Now, without further delay, here are the winners:

ESAPI Hackathon Winners:

    1st place:    Daniel Amodio    
    2nd place:   Eric Kobrin   
    3rd place:    Eric Citaire    
    4th place:    Eamonn Washington 

On behalf of OWASP Projects, I would like to say congratulations to Daniel, Eric K., Eric C., and Eamonn.