The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
OWASP Passfault
When setting a password, OWASP Passfault examines the password, looking for common patterns. It then measures the size of the patterns and combinations of patterns. The end result is a more academic and accurate measurement of password strength. When setting a password policy, OWASP Passfault simplifies configuration to one simple, meaningful measurement: the number of passwords found in the password patterns. This measurement is made more intuitive and meaningful with an estimated time to crack. For more information, please contact the Project Leader, Cam Morris.
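As an added illustration of the pattern-based measurement described above (example code written for this newsletter, not Passfault's own implementation; it assumes a constructed six-word dictionary and a 10^9 guesses/second cracking rate), the snippet splits a password into dictionary, digit, repeated-character and random segments, multiplies the number of candidates each pattern admits, and turns that search space into an estimated time to crack:

```python
import math
import re

# Constructed tiny wordlist standing in for a real cracking dictionary (assumption).
WORDLIST = {"password", "welcome", "dragon", "monkey", "letmein", "owasp"}
# Assumed offline guessing rate used for the time-to-crack estimate, not a Passfault figure.
GUESSES_PER_SECOND = 1e9

def charset_size(segment):
    """Size of the smallest character class an attacker must enumerate for the segment."""
    size = 0
    if re.search(r"[a-z]", segment): size += 26
    if re.search(r"[A-Z]", segment): size += 26
    if re.search(r"[0-9]", segment): size += 10
    if re.search(r"[^a-zA-Z0-9]", segment): size += 33
    return size

def find_patterns(password):
    """Greedily split the password into (pattern, segment, candidate_count) tuples."""
    patterns, random_run, i = [], "", 0
    def flush():  # unmatched characters count as brute force over their character class
        nonlocal random_run
        if random_run:
            patterns.append(("random", random_run, charset_size(random_run) ** len(random_run)))
            random_run = ""

    while i < len(password):
        rest = password[i:]
        word = next((rest[:j] for j in range(len(rest), 0, -1) if rest[:j].lower() in WORDLIST), None)
        digits = re.match(r"[0-9]+", rest)
        repeat = re.match(r"(.)\1+", rest)
        if word:      # one of len(WORDLIST) dictionary entries
            flush(); patterns.append(("dictionary", word, len(WORDLIST))); i += len(word)
        elif digits:  # any digit string of that length
            seg = digits.group(0)
            flush(); patterns.append(("digits", seg, 10 ** len(seg))); i += len(seg)
        elif repeat:  # only the repeated character itself needs guessing
            seg = repeat.group(0)
            flush(); patterns.append(("repeat", seg, charset_size(seg))); i += len(seg)
        else:
            random_run += password[i]; i += 1
    flush()
    return patterns

def search_space(password):
    """Candidates an attacker who knows these patterns must try (product of pattern sizes)."""
    return math.prod(size for _, _, size in find_patterns(password))

def time_to_crack_seconds(password, rate=GUESSES_PER_SECOND):
    # Expected time, assuming half the search space is enumerated before the hit.
    return search_space(password) / 2 / rate
```

Note how "password123" collapses to only 6 x 1000 candidates once the dictionary word and digit run are recognised, whereas a naive per-character count would credit it with billions.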
New OWASP Projects
OWASP ISO Project
The project aims to gather participants to improve the ISO standards about application security and secure coding. The ISO Project is currently seeking expert participants to create working groups that would contribute to the ISO guidance within the ISO Project. For more information, please contact the Project Leader, Sebastian Gioria.
OWASP Top 10 Privacy Risks Project
The OWASP Top 10 Privacy Risks Project aims to develop a top 10 list of privacy risks in web applications, because currently there is no such catalog available. The list will cover technological and organizational aspects like missing data encryption or the lack of transparency. For more information, please contact the Project Leader, Florian Stahl.
OWASP WASC Web Hacking Incidents Database Project
The OWASP WASC Web Hacking Incidents Database Project is a project dedicated to maintaining a list of web application related security incidents. WHID's goal is to serve as a tool for raising awareness of the web application security problem and to provide information for statistical analysis of web application security incidents. The database is unique in tracking only media-reported security incidents that can be associated with a web application security vulnerability. For more information, please contact the Project Leader, Ryan Barnett.
OWASP Security Frameworks Project
The OWASP Security Frameworks Project is a series of design patterns that can be used by language designers and architects to create secure frameworks for developers, thereby relieving developers of the work of implementing security themselves. The ultimate goal is to have as much security as possible built into the programming environment so that developer mistakes and omissions are less likely to lead to security vulnerabilities. For more information, please contact the Project Leader, Ari Elias-Bachrach.
OWASP WASC Distributed Web Honeypots Project
The goal of the OWASP WASC Distributed Web Honeypots Project is to identify emerging attacks against web applications and report them to the community, including automated scanning activity and probes as well as targeted attacks against specific web apps. The scope of this project has recently been expanded to include deployment of both standard web application honeypots and/or open proxy honeypots. For more information, please contact the Project Leader, Ryan Barnett.
OWASP Click Me Project
The OWASP Click Me Project is aimed at having a simple GUI which helps to create a test page for Clickjacking attacks. This is an attack which targets the clickable content on a website. The OWASP Click Me tool will help you to test whether your site is vulnerable to this attack by creating an HTML page that will try to load your web site from a frame. For more information, please contact the Project Leader, Arun Kumar.
OWASP Secure TDD Project
The OWASP Secure TDD Project allows organizations to integrate security into the Test Driven Development (TDD) lifecycle. The OWASP Secure TDD Project contains an open source tool written for .NET developers in order to allow generation of the most common tests out of the box and enable developers to consciously improve the project by developing additional tests or extensions. For more information, please contact the Project Leader, Arun Kumar.
Coming soon, we will be unveiling the initial phases of a new, consolidated Community Platform. Gone are the days of complicated membership registration and tedious event registrations. Imagine being able to manage your membership, any events, donations, and update your information in ONE location! Additional features like community resources, an OWASP FAQ, and collaborative groups with community polls are just some of the enhancements that will be released during 2014. We will be providing detailed information and instructions in the coming weeks.
Global AppSec Events in 2014
AppSec LATAM 2014 - LATAM Tour (April 21 - May 12)
Registration is now open! Please refer to the tour pages for the location you want to register for. In 2014, instead of holding an AppSec LATAM Conference, we are organizing a LATAM Tour which we hope will bring LATAM community members together to spread the OWASP mission. Here are the scheduled stops for the tour:
OWASP has partnered with these great events at the beginning of 2014 to grow our community and build awareness around software security. If you want to learn more about OWASP's involvement, or will be attending and want to help out, contact us.
InfoSec World Conference & Expo 2014, April 7-9, 2014. OWASP Members receive a 10% discount off the standard conference registration fee by using discount code: OS14/OWASP
Cyber Security Summit, April 9-10, 2014, Prague, Czech Republic. OWASP Members receive a 20% discount off of the general event registration fee by using THIS LINK
THOTCON - Chicago's Hacking Conference, April 25, 2014, Chicago IL. Tickets
Project Summit 2014
The 2014 OWASP Summit is currently in the planning process. We have managed to acquire a great space at Anglia Ruskin University thanks to the AppSec EU 2014 planning team. We are currently looking for summit track and session ideas and would like the input of our project leaders to help us design the 2014 Project Summit. What projects, topics, working sessions, and tracks would you like to see or participate in at this year's summit? Submit your ideas to Samantha Groves and help us create our best Project Summit yet!
OWASP Yasca Needs an Interim Leader
The OWASP Yasca Project is currently in need of an interim project leader for a 2014 tools-based, in-person working session that will potentially be funded. Those interested in this opportunity should familiarize themselves with the OWASP Yasca Project. For more information about taking up the post as interim leader for the OWASP Yasca Project, please contact Samantha Groves.
OWASP Projects on Ohloh
Recently, OWASP joined Ohloh, which is an open source platform that allows viewers to get more information on open source projects. The aim of this repository transition is to make it easier to track project progress and to offer better review results to leaders. We are asking that project leaders create an Ohloh account for their project, to create easy access to repositories for OWASP projects and to better assist in project reviews. Account creation takes just a few minutes, and Ohloh allows you to link as many repositories as you like, from GitHub to SourceForge.
We are pleased to announce the newest member of the OWASP Staff, our new Community Manager, Genevieve (GK) Southwick.
About GK: GK Southwick has been working in the Event Planning space for over 20 years. Starting with Physical Security in 1990, she eventually moved on to roles in Operations, Production, Facilities and Technical Direction, with an emphasis on personnel management. Active as a volunteer in the InfoSec space, she is Producer and President of the Board at Security BSides Las Vegas, is second in command of Physical Safety and Security at DerbyCon, afternoon Stage Manager and volunteer coordinator for DEFCON SkyTalks, and until moving to Denver in 2013, was head of Safety and Security and Volunteer Coordinator at Security BSides San Francisco. She now volunteers with BSidesDenver, where she's currently running Registration. She has also run Safety and Security for BruCon in Belgium and at BSidesATL, as well as helping out wherever necessary at SOURCE Boston. GK is excited to bring her extensive volunteer management experience to OWASP as she takes on the role of Community Manager. She's looking forward to the challenges and opportunities ahead of her while expanding the volunteer base within the organization and working closely with the Chapter Leaders to help them fulfill the OWASP Mission and assist them with their operational needs. GK has a secondary diploma in Homeland Security from Bryman College, San Jose, where she graduated in 2004 with honors.
GK's Community Management Role with OWASP: GK will be helping OWASP to continue building a platform to encourage volunteer participation in the OWASP community. She will also be working with the chapters to support their efforts and help them grow OWASP's presence around the world. GK has a passion for this community and mission, as well as invaluable experience in organizing and motivating people.
Just for Fun
We would like to congratulate Michael Conlon for submitting the first correct response to last issue's puzzle. Thank you to everyone who submitted a response. If you missed the question, you can find it on the OWASP Blog. The Blue Knight, assuming that she did not drink too much to impede her ability to walk, would take 2.5 hours to make the journey between the World's End Pub and the castle on foot.
This issue's challenge
Mr. Slow, Mr. Medium, Mr. Fast, and Mr. Speed must cross a rickety rope bridge in 17 minutes. The bridge can carry at most two people at a time. Furthermore, it's dark, and there is only one flashlight; any single person or pair of people crossing the bridge must have the flashlight with them. (The bridge is too wide for the flashlight to be thrown; it must be carried across.) Each man walks at a different speed. A pair travelling together must walk at the rate of the slower man. Mr. Slow can cross the bridge in at most 10 minutes; Mr. Medium can cross in 5 minutes; Mr. Fast can cross in 2 minutes; Mr. Speed can cross in 1 minute. How do all four men get across the bridge in 17 minutes? Please submit your answers HERE
OWASP Member Spotlight - Lee Cambria, Pittsburgh, PA, USA
As an organization driven by its membership community, it's high time we dedicate some space to recognizing YOU!
Lee Cambria got involved in OWASP when she took over the defunct Pittsburgh, PA Chapter. Lee says: "I am Lee Cambria and have been in the Information Technology field for over 20 years. I have spent the last 8 years of my career focused on information security. My last two positions have been with major financial institutions where there is a heightened awareness for all aspects of security. Over the years I constantly find myself referring to the works of OWASP and promoting the value it brings to the security community. The reason I was initially drawn to OWASP years ago was the caliber of security-minded people that I knew who supported and actively participated in OWASP. In addition to this, OWASP is a recognized leader in application security among ethical hackers and application programmers alike. It provides a risk-based approach and encourages innovative thinking and free exchange of ideas."