Wednesday, May 28, 2014

OWASP May 28 Connector


OWASP Global Connector
May 28, 2014 | www.owasp.org | Contact Us | Brought to you by the OWASP Foundation
owasp projects

Featured OWASP Projects

OWASP STING Game Project
The OWASP STING Game Project is a card game in downloadable format or if funded, printed and distributed at OWASP events.
STING is a combative card game in the style of Magic: The Gathering designed to teach application security attack and defense. Players simultaneously attack other players' apps while defending their own and supporting the game's business objectives.
For more information, please contact the Project Leader, Tony Turner
OWASP GoatDroid
OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners and more advanced users. The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several features that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform.
For more information, please contact the Project Leader, Jack Mannino

New OWASP Projects

OWASP PHP Security Training Project
The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit is divided in an attack and a defense part. For more information, please contact the Project Leader, Timo Pagel.
OWASP Hardened Phalcon Project
The Phalcon Framework is the world's fastest PHP framework; however, like most frameworks, it is not 'hardened' by default. OWASP Hardened Phalcon aims to help developers harden their Phalcon applications in line with the published OWASP guidelines. For more information, please contact the Project Leader, Rhodry Korb.

Project Announcements

Project Summit
We are just a little over a month away from AppSec EU and the 2014 Project Summit. So far we have some great projects signed up to participate, but we need more projects participating. The Project Summit is a fantastic opportunity to workshop your project and gather new volunteers for it. The Project Summit will take place June 23-24 at Anglia Ruskin University in Cambridge, UK, and is free and open to the community. You do not need a conference pass to attend the Project Summit.
Don't have a project? No problem, we can still use your help at the Project Summit. Sign up to participate in the Project Summit by contacting Samantha Groves or Kait Disney-Leugers.
Check out the current lineup of projects and add your project to the list. This page will be updating regularly until the start of the Project Summit: Project Summit Home Page.
Webinar Opportunities

There are still plenty of open dates available to record your webinar. We are changing the format of our webinars: Leaders can now reach out to us and let us know when they are available, and the Ops Team will work to accommodate your schedule. The final webinar will be posted on our official YouTube channel. Please reach out to Samantha Groves if you are interested in giving a 45 minute webinar on your OWASP Project.
Join us at AppSec EU in Support of Projects
There are many event activities directly aimed at promoting our OWASP Projects taking place at AppSec EU 2014 in Cambridge, UK. The 2014 Project Summit takes place on Monday, June 23rd and Tuesday, June 24th from 9am to 6pm on both days. Here, our project leaders will have an opportunity to work on participating projects. On Wednesday, June 25th we will be holding the Open Source Showcase, where participating projects will demo their work to conference attendees. On Thursday, June 26th we will be holding the Project Leader Workshop, led by Simon Bennetts, OWASP ZAP Project Leader. Join us and support our OWASP Project Leaders at AppSec EU 2014. To register, please visit the AppSec EU 2014 registration page.
membership

Thank you to our recently renewed Corporate Members:

  • Acunetix
  • Astech Consulting
  • Sonatype, and
  • UPS
Honorary Membership applications now being accepted.
Be sure to review the requirements for Honorary Membership before you submit your form. The deadline for Honorary Membership is September 30, 2014. **Please note: Chapters and Projects MUST be active. Your leadership position MUST be on file prior to September 30, 2014 in order to be eligible for 2014 Honorary Membership. ALL qualified individuals MUST apply for Honorary Membership in order to vote, by completing the Honorary Membership Form.
conferences

Global AppSec Events in 2014

AppSec EU 2014 (June 23 - 26, Cambridge, UK)

AppSec USA 2014 (September 16 - 19, Denver, CO)

Upcoming Regional Events

LASCON 2014 (October 21 - 24, Austin, TX)
Keynotes confirmed include: Kelley Misata (Director Of Outreach and Communications, The Tor Project), Jeff Williams (CTO, Contrast Security), Zane Lackey (Founder/CSO @ signal sciences), Marcus Carey, and Chris Nickerson

Partner and Promotional Events

OWASP has partnered with these great events at the beginning of 2014 to grow our community and build awareness around software security. If you want to learn more about OWASP's involvement, or will be attending and want to help out, contact us.
Hacker's IDOL - A Cyber Safety Campaign, April 1-October 17, India.
Suits & Spooks, June 20-21, NY, NY.
BlackHat August 2-7, Las Vegas, NV. OWASP Members receive $200 off BH briefings with code: owaBR200off.
BSides LV, August 5-6, Las Vegas, NV.
EC-Council TakeDown Con, August 14-19, Huntsville, AL.
EC-Council Hacker Halted, October 12-17, Atlanta, GA.
ISSA International Conference October 22-23, 2014, Orlando, FL

Suits & Spooks, December 14, Singapore.
communication

OWASP Committees 2.0

OWASP is an organization that has been built on collaboration and community involvement. I also hope that OWASP is an organization that can support innovation - encouraging the community to try new things and be willing to look frequently and assess what is working and what isn't.
We have grown to the point where an improved process needs to be implemented where our leaders can lead and those who wish to participate can do so easily and productively.
In 2008, the Foundation created committees. These committees were successful in that they pushed forward some much needed guidelines and put some structure around areas that were undefined.
Unfortunately, over time, there were built in flaws with the committee design that created roadblocks and eventually their failure.
We would like to propose a revamped committee structure based on a solid foundation that provides the voice and opportunities to the community. This structure will depend on a high level of community engagement.
Wiki page outlining structure for the committees 2.0
Most importantly - we want your input! Not just leaders, or individuals with an owasp.org email: anyone in the community is encouraged to participate in this poll on both the general idea of Committees 2.0 and particular features of the new model. Participate here - anyone can view, but you must be logged into a Google account (not just owasp.org) to vote or submit a suggestion.

2014 Global Board of Directors Election

Each year The OWASP Foundation holds its annual Global Board of Directors election. This October, OWASP members will be voting to fill 3 of the 7 seats available. If you are interested in learning more about the election and what the requirements are to run for a seat, please visit our 2014 Board Elections page. Our Call for Candidates is now open! Please submit your candidacy here. Call for Candidates will close August 15, 2014.
During the candidates recorded interview, each candidate will be asked a series of questions provided by our OWASP Community. Anyone can submit a question(s), vote up or vote down existing questions. The top 5 to 6 questions will then be used for each candidate's interview. If you have a question you would like to submit, please do so here. Deadline to submit your question is August 25, 2014.
For the complete Election Timeline, Click Here

Just for Fun


Congratulations to Ben Dechrai, who was the first person to solve last week's challenge: the missing pages are 291 to 322 inclusive.
Click here to view last issue's puzzle
Let's see who has the fastest solution this week ...
Five pirates have obtained 100 gold coins and have to divide up the loot. The pirates are all extremely intelligent, treacherous and selfish (especially the captain). The captain always proposes a distribution of the loot. All pirates vote on the proposal, and if half the crew or more go "Aye", the loot is divided as proposed, as no pirate would be willing to take on the captain without superior force on their side. If the captain fails to obtain support of at least half his crew (which includes himself), he faces a mutiny, and all pirates will turn against him and make him walk the plank. The pirates start over again with the next senior pirate as captain.
What is the maximum number of coins the captain can keep without risking his life?
Send your answers to our comment desk for a chance to win a prize. Winners will be announced in the next connector.
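The puzzle is a textbook backward-induction problem, so here is an added solver (not part of the original Connector or its answer key) that encodes only the rules as stated: the captain proposes, "half or more" votes carry, the captain's own vote counts, and a losing captain walks the plank so the next most senior pirate proposes. One reading of "treacherous" is made explicit as an assumption: a pirate who would get the same amount either way votes against the captain, so every bought vote must be paid strictly more than its fallback share. The function names are the example's own.

```python
from functools import lru_cache


@lru_cache(maxsize=None)
def pirate_split(n_pirates, coins):
    """Backward-induction solution of the pirate puzzle.

    Returns the accepted distribution as a tuple ordered from the current
    captain (index 0) down to the most junior pirate. Rules as stated in the
    puzzle: the captain proposes, the proposal passes with half or more of the
    votes (the captain's own vote counts), otherwise the captain is thrown
    overboard and the next most senior pirate proposes. Assumption made
    explicit here: a treacherous pirate who would get the same amount either
    way votes against the captain.
    """
    if n_pirates == 1:
        return (coins,)

    # What each remaining pirate would get if this captain were thrown overboard.
    fallback = pirate_split(n_pirates - 1, coins)

    votes_needed = (n_pirates + 1) // 2      # "half or more", rounded up
    bribes_needed = votes_needed - 1         # the captain votes for himself

    # A pirate only votes "Aye" if paid strictly more than the fallback, so the
    # cheapest coalition is the set of pirates with the smallest fallback shares.
    by_cost = sorted(range(n_pirates - 1), key=lambda i: fallback[i])
    payout = [0] * n_pirates
    for i in by_cost[:bribes_needed]:
        payout[i + 1] = fallback[i] + 1      # index shifts by one: slot 0 is the captain
    spent = sum(payout)
    if spent > coins:
        # Not enough loot to buy the votes: the captain cannot survive. The
        # puzzle as posed never reaches this case; handling it would require
        # modelling pirates who vote to stay alive rather than for coins.
        raise ValueError(
            f"captain of {n_pirates} cannot buy {bribes_needed} votes with {coins} coins"
        )
    payout[0] = coins - spent
    return tuple(payout)


def captain_keeps(n_pirates=5, coins=100):
    """Maximum coins the captain keeps without risking his life."""
    return pirate_split(n_pirates, coins)[0]


if __name__ == "__main__":
    print(pirate_split(5, 100))
```

The solver works for any crew size and purse as long as the captain can afford the bribes; it refuses (rather than guessing) once the coalition costs more than the loot, because at that point the pirates' survival, not the coins, drives the votes.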
education

OWASP Global Webinars

In case you've missed any of our past webinars, you can replay them from the OWASP YouTube channel.
All of our webinars, as well as conference talks and the tutorial series, have been posted. If you have content that should be on the OWASP channel, contact Jonathan Marcil.


Have a listen to what Adrian Winckles, AppSecEU 2014 Conference Chair,  had to say about the upcoming AppSecEU 2014 conference happening June 23-26 in Cambridge, UK.
http://www.securityorb.com/2014/05/securityorb-show-appsec-eu-2014/

Tuesday, May 27, 2014

Committees 2.0?

OWASP Leaders and Community Members -

TLDR - Please review, comment and vote on the new committee structure by June 9, 2014. Wiki page outlining the new structure for the committees, and Google Moderator link for input and voting.

Details: 

OWASP is an organization that has been built on collaboration and community involvement. I also hope that OWASP is an organization that can support innovation - encouraging the community to try new things and be willing to look frequently and assess what is working and what isn't.

We have grown to the point where an improved process needs to be implemented where our leaders can lead and those who wish to participate can do so easily and productively.

In 2008, the Foundation created committees.  These committees were successful in that they pushed forward some much needed guidelines and put some structure around areas that were undefined.  

Unfortunately, over time, there were built in flaws with the committee design that created roadblocks and eventually their failure.

We would like to propose a revamped committee structure based on a solid foundation that provides the voice and opportunities to the community.  This structure will depend on a high level of community engagement.

The primary vision is high level committees that focus not on operational issues, but on the strategic goals as determined by the board of directors.

Below is a side by side comparison of the flaws with the 2008 committees and a proposal for redesign and implementation of a fresh 2014 model.

2008 committee challenges vs. 2014 committee proposal

Platform
2008: The platform used to “manage” committee activity was limited to the wiki. This required committee chairs to maintain their wiki page and required potential members to complete cumbersome wiki pages to apply for the committee. Both of these activities, over time, became overlooked. Information was not updated and often potential members were ignored.
2014: OWASP has consolidated its operational platform to work on the Salesforce platform. The overhauled operational platform provides the staff with the tools to better facilitate committees (not run them), with the ability to track members, member activities, topics, and needs in an open-to-all format. Additionally, this platform provides a place for committee and subcommittee engagement to occur.

Structure
2008: Committees became an all-or-nothing group. This created meetings with months of planning and no real activity. Also, committee members were asked to participate in all of the committee activities and not just the tasks (or sub-activities) that interested them or that they had time for.
2014: The 2014 committee platform proposes a tiered structure that would allow the committee to exist at a high level, and have “sub committees” or “task forces” created under the umbrella of the global committee.

Membership
2008: Initially, the committee members were recruited for a one-year term. The committee members were to elect a committee chair who would serve as the point of contact for the committee. Evolution of the committee led to the perception of “lifetime” terms and members who “signed up” but never participated and felt like they could never leave.
2014: The tiered committee structure allows a smaller group to lead or steer initiatives and sub committees. The leadership group will commit to a one-year term, and the initiatives within the group will be task oriented and therefore have a deadline and a defined end point for the participants. An open call for participants for each new task or initiative allows individuals who are no longer interested in participating to step away.

Leadership
2008: The selected committee chairs became unwilling recruits who stepped in out of necessity or default. As such, much of the “objectives” of the committees fell to the staff to complete.
2014: A key core committed group driving initiatives of variable length will allow the global community to participate in the activities that interest them for the length of time that it may require.

Committee Purpose
2008: For some of the committees and committee chairs, the lack of a defined objective was a huge roadblock. The committees were created and provided a very broad segment. This lack of mission created disjointed efforts.
2014: The committees should be assigned, not to a broad area of operations, but to the strategic goals as set by the Board. Collaborating as a global community, with the opportunity to define a roadmap for a goal, will allow the committee members to be successful and to see progress.

Interaction
2008: The 2008 committees worked, for the most part, independently of each other. This often created duplicate or even conflicting efforts, leading to frustration.
2014: The core leadership group will work as one unit. Each leader will choose a particular goal, and the leaders will monitor each other and interact on a regular basis to develop the initiatives and task force groups.

Board Involvement
2008: The 2008 committees were assigned a board member to provide leadership and oversight. This created some reluctance from committee members to be daring and definitive.
2014: The committees should not be managed by the board of directors. The board needs to show trust and encouragement for the community to experiment and to be successful. Board members cannot participate as core committee members, but can provide input and participate in any of the task force initiatives as a community member.

Board Approval
2008: The final decline of the committees occurred when a committee would bring a proposal to the board and have the board veto the committee chairs and members. This sent the message to the chairs that the efforts they were putting into the committees were in vain.
2014: Proposals brought forward from the committees should be voted upon by the community (or community leadership). The community decision should be considered valid. Implementing a process for a trial period of 6 months to a year would be sufficient to determine if it was beneficial for the organization. This also reinstates the sense of ownership the community has in the organization.


Rollout:

Community Comment and voting period - May 27 - June 9, 2014

Hold an open nomination period until June 30 to establish the core committee leadership team.  The leadership team will review the 2014 strategic goals and establish an initial set of initiatives to work towards the goals, “cross pollinating” ideas and successes.

The community will have the opportunity to “sign up” for an initiative or sub committee and begin work.

Leverage the improved operational platform of the foundation which allows for open discussions, participation, and visibility while allowing the staff to provide metrics on participation and progress.

The process will be reviewed and modified as needed in 6 months.

Wiki page outlining structure for the committees 2.0 https://owasp.org/index.php/Committees_2.0

Most importantly - we want your input! Not just leaders, or individuals with an owasp.org email: anyone in the community is encouraged to participate in this poll on both the general idea of Committees 2.0 and particular features of the new model. Participate here - anyone can view, but you must be logged into a Google account (not just owasp.org) to vote or submit a suggestion.


Thanks, and looking forward to hearing your input, improvements, and missing information.

Friday, May 23, 2014


OWASP AppSec Europe 2014, the premier security event for Builders, Breakers and Defenders, has announced its programme.



AppSec Europe is returning to the United Kingdom in 2014, from the 23rd to the 26th of June. Hosted in Cambridge at Anglia Ruskin University, conveniently located near the “Silicon Fen” of Cambridge, the leading Tech Hub in Europe, and near the historical centre of Cambridge, the conference planning team is hard at work to bring you:
  • Training and conference sessions
  • Three tracks, focusing on the core OWASP mission (Builder, Breaker, Defender), with an added Research track
  • Keynote addresses by highly respected Industry experts
  • Exhibit area offering solutions to your problems

The AppSec Europe 2014 conference programme runs over four days, with two days of training courses (Monday the 23rd and Tuesday the 24th of June 2014) followed by two days of conference and research presentations (Wednesday the 25th and Thursday the 26th of June 2014).

In addition to the conference and training sessions, numerous activities are also planned including Women in AppSec, The University Challenge, OWASP Project Summit and much more.

Registration is limited, so we encourage you to secure your spot early. REGISTER HERE

Don't forget additional items you can select at registration:
  • Select the Conference Dinner if you wish to attend
  • Grab one of the hotel rooms from the OWASP block
  • Sign up for Punting on the River Cam on Friday the 27th

For a complete schedule and more details, please visit: https://2014.appsec.eu/

See you soon in Cambridge.

Wednesday, May 21, 2014

Last Call for the Women in AppSec Program at AppSec EU


There is still one week left to submit to the Women in AppSec Program at AppSec EU, the submission deadline is May 26, by 5pm GMT. The AppSec EU organizers are looking to send at least one woman from the European region to this year’s AppSec EU conference in Cambridge, UK, June 23-26. This year’s winner(s) will be awarded attendance to the AppSec EU conference and at least one in-depth training session.

This will be the first year that the AppSec EU conference will be participating in the Women in AppSec Program. The Women in AppSec Program was launched in 2011 at AppSec USA, with the objective to encourage women from all levels in application/ information security to expand their skills.

Successful submissions will include a completed form found here: https://docs.google.com/forms/d/1A2QxEs_YnuTLadD1OLqemsWiY06dAGVp3H_vATFeA4o/viewform, as well as one letter of recommendation sent to Samantha Groves (samantha.groves@owasp.org). The program is open to any woman from the European region.

Any questions about the program or to submit letters of recommendation should be directed to Samantha Groves, Samantha.groves@owasp.org.

PRESENTATION OF THE OWASP LABELING SECURITY SYSTEM PROJECT









“Security is invisible, and the OWASP Foundation has the purpose of making security visible”. That was the first thing I read about OWASP when I was invited to talk about license contracts and security at an OWASP local chapter conference. While listening to an OWASP Top Ten talk, my first concern was how to make security visible to non-technical users. Secure coding is not visible to users, unless they have the skills to understand Java, PHP, JavaScript, Ajax, HTML, and so on.

So I thought about creating a Labeling Security System for making security visible to users. My peers thought it was a good idea, because users could just read a labeling logo and know what it represents in terms of security. GREAT. When I proposed the project to OWASP, I found out that Jeff Williams had proposed something similar years ago. That encouraged my research.
The system should be transversal, market-wise, and it could be based on other OWASP security projects. These are the labels:

1. Security (secure coding). This label is for technical security in applications: using recommended guides (such as the OWASP Top Ten) and tools (such as ZAP or Dependency Check) for developing and keeping the application secure.

2. Privacy (Trust). This label is for increasing users' trust in software providers. Software should come free of unauthorized spyware, and it should process personal data in an “ethical” way.

3. Ingredients (Transparency). This is a label for open source software. Software components (including third-party code) should come in a human-readable file, so users know what they are installing.

4. Openness (Open security). This is a label for web applications. Web applications could make available their latest vulnerability scan report.

The 4 labels are independent, as they confront different (but related) security issues. Each one comes with a label clause, to be added into the license agreement (for source code or binaries) or the Terms of Service (for web applications and cloud services). By clicking the logo, users would connect to a database on the OWASP Security Labeling System server, confirming the authenticity and reliability of the web application's (or computer program's) subscription.
However, I found 3 issues in the opinion polls. I am working on those issues:
(1) Developers don't want to have a bad security ranking label on their product (security label). There is no ranking. The only ranking is 'good enough'.

(2) Developers disclaim liability in their license agreements. There is no liability by default. You are just responsible for what you have offered, and you are not offering 100% security because that is not possible. Therefore, you can still disclaim direct and indirect damages.

(3) Most IT administrators would not publish their own web application vulnerabilities (openness label). This condition is not in real time. You could publish your vulnerability reports after you have fixed the application's problems. However, if the reports meet a time criterion (such as weekly), users can know that at least the web application is maintained and fixed on a regular basis.

This is the challenge, and I invite you all to join this project. The Security Labeling System is FREE and OPEN. Let's make security VISIBLE for all (including USERS).

https://www.owasp.org/index.php/OWASP_Security_Labeling_System_Project
luis.enriquez@owasp.org
Luis Enriquez

Tuesday, May 13, 2014

OWASP 2014 Global Board Of Directors Election



OWASP 2014 Global Board Of Directors Election

Each year The OWASP Foundation holds its annual Global Board of Directors election. This October, OWASP members will be voting to fill 3 of the 7 seats available. If you are interested in learning more about the election and what the requirements are to run for a seat, please visit our 2014 Board Elections page.

Call for Candidates is NOW OPEN! Submit your candidacy here. Deadline is August 15, 2014

Honorary Membership is NOW OPEN! Check here to see if you qualify.  Submit your request for honorary membership here.  Deadline is September 30, 2014

During the candidates recorded interview, each candidate will be asked a series of questions provided by our OWASP Community. Anyone can submit a question(s), vote up or vote down existing questions. The top 5 to 6 questions will then be used for each candidate’s interview. If you have a question you would like to submit, please do so here. Deadline to submit your question is August 25, 2014. 

For the complete Election Timeline, Click Here 

May 12 OWASP Connector


OWASP Global Connector
May 12, 2014 | www.owasp.org | Contact Us | Brought to you by the OWASP Foundation
owasp projects

Featured OWASP Project

OWASP Bricks
OWASP Bricks is a deliberately vulnerable web application built on PHP & MySQL that focuses on variations of commonly seen application security vulnerabilities & exploits, which can be exploited using tools like Mantra and ZAP. OWASP Bricks provides a platform for learning web application security and a test bed for analyzing the performance of web application security scanners.
For more information, please contact the Project Leader, Abhi Balakrishnan

New OWASP Projects

OWASP Code Pulse 2.0
The OWASP Code Pulse team is proud to announce version 1.0 of their real-time coverage tool! Are you a penetration tester or a user of tools like ZAP? Then we think we have something that is going to make your life as a pen-tester easier. Code Pulse is a real-time code coverage tool that lets you visually see coverage gaps in your testing activity. To find out more about it and to download it, please visit Code Pulse.
For more information, please contact the Project Leader, Hassan Radwan.

Project Announcements

Open Source Showcase
The AppSec EU Conference Team is happy to announce that there will be ten projects participating in this year's Open Source Showcase at AppSec EU this summer. The Open Source Showcase is a unique event module that allows project leaders and/or project contributors to showcase their work in a demo setting and gain exposure for their projects without conducting a full session. The Showcase affords attendees a more personal view of the projects.
Throughout the conference, these projects will be demoing at the Open Source Showcase space within the conference venue. Join us at the Open Source Showcase June 23-26. Demo times will be announced closer to the conference.
See you in Cambridge!
Below is a list of all the participating projects.
Bywaf - ByWaf is a web application penetration testing framework (WAPTF). It consists of a command-line interpreter and a set of plugins.
OWASP Python Security Project - Python Security aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.
OWASP Ninja PingU Project - is a high performance network scanner tool for large scale analyses. It has been designed with performance as its primary goal and developed as a framework to allow easy plugin integration.
OWASP PCI Toolkit - OWASP PCI toolkit is a c# Windows form project, that will help you to scope the PCI-DSS requirements for your System Components. Beta version of this tool will be released May 2014.
WPScan - WPScan is a black box WordPress vulnerability scanner.
OWASP Hackademic Challenges Project - The Hackademic Challenges implement realistic scenarios with known vulnerabilities in a safe, controllable environment. Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective. Currently, there are 10 web application security scenarios available.
OWASP OWTF - OWASP OWTF is an OWASP+PTES-focused attempt to unite great tools and make pen testing more efficient.
OWASP WTE - The OWASP WTE project is an enhancement of the original OWASP Live CD Project and expands the offering from a static Live CD ISO image to a collection of sub-projects. Its primary goal is to make application security tools and documentation easily available and easy to use.
OWASP ZAP - The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
ThreadFix - ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.
Project Summit
We are just a little over a month away from AppSec EU and the 2014 Project Summit. So far we have some great projects signed up to participate, but we need more projects participating. The Project Summit is a fantastic opportunity to workshop your project and gather new volunteers for it. The Project Summit will take place June 23-24 at Anglia Ruskin University in Cambridge, UK, and is free and open to the community. You do not need a conference pass to attend the Project Summit. Don't have a project? No problem, we can still use your help at the Project Summit. Sign up to participate in the Project Summit by contacting Samantha Groves or Kait Disney-Leugers.
membership

Thank you to our newest Corporate Member: Moki Mobility

Honorary Membership applications now being accepted.
Be sure to review the requirements for Honorary Membership before you submit your form. The deadline for Honorary Membership is September 30, 2014. **Please note: Chapters and Projects MUST be active. Your leadership position MUST be on file prior to September 30, 2014 in order to be eligible for 2014 Honorary Membership. ALL qualified individuals MUST apply for Honorary Membership in order to vote, by completing the Honorary Membership Form.
conferences

Global AppSec Events in 2014

LATAM Tour Wrap Up
Congratulations to all of the chapter leaders and organizers who participated in the 2014 LATAM Tour
The tour resulted in
  • Organized events in 7 countries
  • Over 650 attendees
  • 8 sponsors, and
  • 16 educational and community supporters
AppSec EU 2014 (June 23 - 26, Cambridge, UK)

AppSec USA 2014 (September 16 - 19, Denver, CO)

Upcoming Regional Events

LASCON 2014 (October 21 - 24, Austin, TX)
Keynotes confirmed include: Kelley Misata (Director Of Outreach and Communications, The Tor Project), Jeff Williams (CTO, Contrast Security), Zane Lackey (Founder/CSO @ signal sciences), Marcus Carey, and Chris Nickerson

Partner and Promotional Events

OWASP has partnered with these great events at the beginning of 2014 to grow our community and build awareness around software security. If you want to learn more about OWASP's involvement, or will be attending and want to help out, contact us.
Hacker's IDOL - A Cyber Safety Campaign, April 1-October 17, India.
Information Security Media Group, Inc. Fraud Summit, May 14, Chicago IL, Discount code for OWASP Members: OWASPFraud2014
ISSA-LA Security Summit, May 16, Universal City, CA. OWASP Members receive a 25% discount with the code: Ow@spIssaLA25
Suits & Spooks, June 20-21, NY, NY.
BlackHat August 2-7, Las Vegas, NV. OWASP Members receive $200 off BH briefings with code: owaBR200off.
BSides LV, August 5-6, Las Vegas, NV.
EC-Council TakeDown Con, August 14-19, Huntsville, AL.
EC-Council Hacker Halted, October 12-17, Atlanta, GA.
Suits & Spooks, December 14, Singapore.

National Cyber Security Awareness Month

Each and every one of us needs to do our part to make sure that our online lives are kept safe and secure. That's what National Cyber Security Awareness Month (observed in October) is all about! Join OWASP in this important effort. To learn more, please visit: Stay Safe Online
Social Media

OWASP Foundation Social Media

LinkedIn
Twitter
Google +
Facebook
Ning
StackOverflow
education

OWASP Global Webinar

Wednesday, May 21st at 10 AM EST
Join us for this month's OWASP Project Webinar, led by Project Leader Jonathan Carter. Jonathan will be presenting his project, the OWASP Reverse Engineering and Code Modification Project.
The OWASP Reverse Engineering and Code Modification Project educates security professionals about the risks of reverse engineering and how to ensure that code cannot be reverse engineered or modified.
Register for the 10 am EST Presentation

Register for the 9 pm EST Presentation
communication

2014 Global Board of Directors Election

Each year the OWASP Foundation holds its annual Global Board of Directors election. This October, OWASP members will be voting to fill 3 of the 7 seats available. If you are interested in learning more about the election and what the requirements are to run for a seat, please visit our 2014 Board Elections page. Our Call for Candidates is now open! Please submit your candidacy here. The Call for Candidates will close August 15, 2014.
During the candidates' recorded interviews, each candidate will be asked a series of questions provided by our OWASP Community. Anyone can submit questions and vote existing questions up or down. The top 5 to 6 questions will then be used for each candidate's interview. If you have a question you would like to submit, please do so here. The deadline to submit your question is August 25, 2014.
For the complete election timeline, click here.

Bi-Weekly Community Call


Bi-weekly OWASP Town Hall meetings have been started by Michael Coates. The next one is scheduled for May 20th at 9 AM Pacific time.
If you have any updates or announcements regarding OWASP that you would like to share with the world, please add them to the wiki page.
The meetings are held using Google Hangouts and broadcast live. They are always recorded and publicly posted via YouTube.
This is NOT a slide presentation. Items posted on the wiki will be discussed, and questions will be accepted over Twitter or Hangout chat.
Check out the updates and announcements from May 6!

OWASP Projects Framework - INPUT REQUESTED

After many discussions over the current OWASP Project Program model, the Board of Directors has agreed to change the direction of OWASP Projects. We would like to give the community an opportunity to voice their opinion and help us decide how to move projects forward.
We want leaders to comment and debate various project program models to help us better serve you, the OWASP community.
Please review the project program models

2014 OWASP Annual Report is completed

Click here to view the Report

Just for Fun

Congratulations to Dusty Evanoff, who was the first person to solve last week's challenge. The answer is 100 miles (vowels worth 300, consonants worth -100).
Click here to view last issue's puzzle.
This puzzle is a short but really tricky one. Good luck!
From a book, a number of consecutive pages are missing. The sum of the page numbers of these pages is 9808. Which pages are missing?
Send your answers to our comment desk for a chance to win a prize. Winners will be announced in the next connector.


Friday, May 2, 2014

OWASP Projects: Program Models

Hello Leaders,

After many discussions over the current OWASP Project Program model, the Board of Directors has agreed to change the direction of OWASP Projects. We would like to give the community an opportunity to voice their opinion and help us decide how to move projects forward.

We want leaders to comment and debate various project program models to help us better serve you, the OWASP community. 


More Information 

The OWASP Projects Program is one of our most visible endeavors. We have over 200 project leaders and even more contributors spread across all of the projects in our inventory. It was determined, after a long discussion, that the current program model requires too many resources to manage efficiently and effectively. After debating different approaches, we decided to consolidate 3 main ideas and structure them into models to get the conversation started. Of course, each of these models has its own positives and negatives.
For OWASP to scale and grow we need to pick an approach and document it. This way the community can communicate their proposed direction for projects, and everyone will be able to understand what the focus is for OWASP Projects once a consensus has been reached.

Action for the Community

We would like the OWASP community to cast a vote for the model they believe is best for OWASP. Before we vote on the issue, we also want our community to help identify considerations for each model. What are the positives and negatives? Is there another approach that we should consider? Is there something we are not considering?

The 3 models are listed here in the wiki:

Please update and add additional considerations. Please don't remove existing text. Instead use the comment section at the bottom to explain areas you may disagree with.

Thank you, OWASP Community!

Thursday, May 1, 2014

OWASP 2013 Annual Report


http://wiki.owasp.org/images/8/8f/2013-Annual-Report.pdf

OWASP currently spans over 100 countries globally and encompasses a community of 42,000+, making us the largest application security community in the world.

Over the past year OWASP has grown to 200+ active chapters worldwide. We’ve reached nearly 4,000 developers and security professionals through our global application security conferences. Additionally, we’ve made tremendous strides in our over 150 open source projects and technical materials. Prominent OWASP projects that grew in 2013 include the security cheat sheets, Zed Attack Proxy (ZAP), CISO Security Guide, AppSensor, Xenotix XSS Exploitation Framework, OWASP Security Principles, the OWASP Top Ten 2013 edition, OWASP Top Ten Security Controls, and many more.

Thanks to your memberships, sponsorships, contributions, and support, the Foundation was able to generate more than $2 million in revenue supporting OWASP programs such as Local Chapters, Projects, and Outreach around the world.

We are pleased to announce the release of our 2013 Annual Report, which includes more information on our major programs and finances, and we look forward to another great year.
http://wiki.owasp.org/images/8/8f/2013-Annual-Report.pdf