Tuesday, July 8, 2014

OWASP July 8, 2014 Connector


OWASP Global Connector
July 9, 2014 | | www.owasp.org | Contact Us | Brought to you by the OWASP Foundation
owasp projects

Featured OWASP Project

OWASP Java Encoder Project
The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting! The OWASP Java Encoder library is intended for quick contextual encoding with very little overhead, either in performance or usage. To get started, simply add the encoder-1.1.1.jar, import org.owasp.encoder.Encode and start encoding.
For more information, please contact the Project Leaders, Jeff Ichnowski and Jim Manico

New OWASP Projects

OWASP Faux Bank
Faux Bank has all 10 of the top vulnerabilities implemented, as well as fixes for these vulnerabilities. The idea is that developers can see a real-world system with vulnerabilities, so that they can see what to look for and how to write secure code. The OWASP Faux Bank wiki page can be found here. For more information, please contact the Project Leader, Davie Elliott.
OWASP Store Sheep Project
OWASP Store Sheep is a work in progress application do demonstrate security concepts relating to Windows Store Apps. Store Sheep is a training app for Developers wishing to learn to securely code a Windows Store ('Metro Style') App, and Testers wanting to learn to test one. It contains a number of security vulnerabilities with explanations and fixes for them. The project page for the OWASP Store Sheep project can be found here. For more information, please contact the Project Leader, Marion McCune.
OWASP SonarQube Project
OWASP Sonarqube Project consist to deliver a set of "standard" profile for security, like OWASP Top10 profile, ASVS profiles, PCI-DSS profile,ISO 27034ASC profile, ....who can be used by team with the support of OWASP Community. More than 20 programming languages are covered through plugins including Java, C#, C/C++, PL/SQL, Cobol, ABAP. The OWASP SonarQube Project is looking to expand the offered languages, and is looking for language experts in .NET, PHP and any other language. The project page for the OWASP SonarQube Project can be found here. For more information, please contact the Project Leaders, Sebastien Gioria. and Freddy Mallet
OWASP URL Checker
OWASP URL Checker is an open source scrip-table tool to scan websites for URL's which may lead to information divulging, exploits and common attack patterns. This tool will check a user defined website for potentially exploitable/ vulnerable URL's by comparing them against the URL extensions in the database. The project page for the OWASP URL Checker can be found here. For more information, please contact the Project Leader, Craig Fox.

Project Announcements

OWASP Security Shepherd New Version
The new version of the OWASP Security Shepherd Project was released earlier this month. The project now has 50 lessons and challenges based on risks from both the Top Ten Mobile and Web App Security Risk lists. OWASP Security Shepherd is perfect for those who are looking to learn about appsec for the first time or are well seasoned in the arts of pen-testing and are looking for a challenge.
More information can be found ON THE WIKI PAGE or you can contact the project leader Mark Denihan
Research Assistant Needed for the Developer guide
The Developer Guide Project is looking for an honors student or masters student to replicate the 1979 paper by Morris and Thompson. It has been many years since we've had statistically sound research into the basic properties of the password. Morris and Thompson introduced countermeasures that we still use today (30 day password rotation, min six character passwords) that made sense for a PDP 11/870 back in 1979. The project leaders would like a cryptographer research student or masters student to help look into session tokens, particularly RESTful API tokens. The basic topic would be a short paper on the necessary properties to protect against session prediction, session recovery, side channel attacks against sessions, and investigate a few sample session issuers, such as RESTful API in common use.
If you are interested in helping the Developer Guide, please contact Andrew van der Stock.

New Set of Architectural Security Principles
The Reverse Engineering and Code Modification Prevention project has released a set of architectural security principles that enforce integrity preservation in mobile apps. This is an updated list of principles / controls that security architects will find useful when enforcing code integrity within their mobile apps.
For the complete list of the integrity controls and underlying security principles, check out the Architectural Principles sub-project.
New Dependency Check Version 1.2.3 Out Now
On June 28th, the OWASP Dependency Check released version 1.2.3. Dependency Check can be used to analyze an applications dependent libraries (Java and .NET) to identify and report on any known, published vulnerabilities related to the libraries being used. The tool will be demoed during the Black Hat Arsenal in Las Vegas on Wednesday, August 6th.
You can find the newest release of the OWASP Dependency Check on the project page.
Social Media

OWASP Foundation Social Media

LinkedIn
Twitter
Google +
Facebook
Ning
StackOverflow
membership

WASPY Award Nominations are Complete

Every year a group of individuals including researchers, developers, security professionals, and others work to ensure the security of web applications. Some of these individuals are featured in news stories or at conferences as recognized experts. But there are many other 'unsung heroes' that work every day to improve web application security and yet are rarely recognized.
The Web Application Security People of the Year (WASPY) Awards is the OWASP Community's opportunity to recognize those individuals who have made an impact by leveraging the OWASP platform.
THE 2014 NOMINEES ARE
Best Chapter Leader
  • Sebastien Deleersnyder - Belgium
  • Jonathan Marcil - Montreal
  • Riotaro Okada - Japan
  • Ron Perris - Orange County
  • Sen Ueno - Japan

Best Project Leader
  • Tokuji Akamine - OWASP XSecurity Project
  • Spyros Gasteratos - OWASP Hacademic Challenges Project
  • Achim Hoffman - OWASP O-Saft
  • Jeremy Long - OWASP Dependency Check
  • John Melton - OWASP AppSensor
  • Matteo Meucci - OWASP Testing Project
Best Mission Outreach
  • AppSec USA 2013 Team - AppSec USA 2013
  • Jonathan Marcil - OWASP Videos
  • Mostafa Siraj - Cairo Chapter
Best New Community Supporter
  • AppSec APAC 2014 Team - AppSec Asia Pac 2014
  • Robert Dracea - AppSec Asia Pac 2014 - Japan
  • Beth Guth - South New Jersey
  • Takanori Nakanowatari - AppSec Asia Pac 2014 - Japan
Congratulations to all the nominees! You can read the full write up on each persons accomplishments on the 2014 WASPY Awards Wiki Page
Honorary Membership applications now being accepted.
CLICK HERE to find out if you qualify for Honorary Membership Deadline to submit your application is September 30, 2014.
.
conferences

Global AppSec Events in 2014

AppSec USA 2014 (September 16 - 19, Denver, CO)

Upcoming Regional Events

MSP Day of Talks (July 21, 20014, Minneappolis, MN)
BASC (October 18, Boston, MA)
LASCON 2014 (October 21 - 24, Austin, TX)

Partner and Promotional Events

OWASP has partnered with these great events in beginning of 2014 to grow our community and build awareness around software security. If you want to learn more about OWASP's involvement or will be attending and want to help out contact us
Secure Asia 2014, (July 23-24), Bejing, China.
BlackHat (August 2-7), Las Vegas, NV. OWASP Members receive $200 off BH briefings with code: owaBR200off.
BSides LV, (August 5-6), Las Vegas, NV.
EC-Council TakeDown Con, (August 14-19), Huntsville, AL.
Fraud Summit Toronto, (Sept 8, 2014) Toronto, Canada.
(ISC)2 Security Congress, (Sept 22 - Oct 2), Today's employers are seeking software developers that have the knowledge and expertise to build secure, hacker-resistant software. Do you have what it takes? Prove it with a Certified Secure Software Lifecycle Professional (CSSLP®) certification from (ISC)2 . Validate your competence in secure software development in new and evolving environments, including the cloud, mobile and more. Watch the CSSLP webcast series to get started. Atlanta, GA.
EC-Council Hacker Halted(October 12-17, 2014) Atlanta, GA
ISSA International Conference (October 22-23), 2014, Orlando, FL

3rd Annual CISO Asia Summit and Roundtable (November 5-9), 2014, Singapore
Suits & Spooks, (December 14), Singapore.
International Conference on Cyber Security, (January 5-8, 2014), New York, NY.

Just for Fun

We would like to congratulate Javier Coirolo for submitting the first correct response to last issue's puzzle. Thank you everyone who submitted responses.
Click here to view last issue's puzzle
Here is this issue's challenge...
A chicken farmer has figured out that a hen and a half can lay an egg and a half in a day and a half. How many hens does the farmer need to produce one dozen eggs in six days?
Send your answers to our comment desk for a chance to win a prize. Winners will be announced in the next connector.
communication

Governance

Request for Comment: Committees 2.0 Structure

The model outlined below represents a potential implementation of the idea currently being described as OWASP Committees 2.0. We aim to leverage the lessons learned from our previous committee model to create a new model that grows our leadership circles and empowers our leaders for more rapid action, while still ensuring that their activities stay true to OWASP's core values. It is still a work-in-progress, but represents the contributions from the OWASP Board, the OWASP Executive Director, OWASP Staff, Dinis Cruz, Johanna Curiel, and various others.
Click here to review the document.
This is your opportunity to have a voice in the future of OWASP governance. We look forward to hearing your thoughts on this proposal.

2014 Global Board of Directors Election

Please visit our 2014 Board Elections page for frequent updates. Our Call for Candidates is only open until August 15! Please submit your candidacy here.
Once confirmed, the candidates will conduct individual interviews answering questions from the community. Anyone can submit a question(s), vote up or vote down existing questions. The top 5 to 6 questions will then be used for each candidate's interview. If you have a question you would like to submit, please do so here.
For a complete Election Time line, Click Here

Global Board of Directors Meeting Times


Interested in what is going on with the Board of Directors? Board meetings are open to the public, and upcoming meetings as well as agendas are posted to the Board wiki page
Upcoming 2014 Meetings
  • July 9, 2014 9am-10am PST
  • August 13, 2014, 9am-10am PST
  • September 10, 2014, 9am-10am PST
  • September 16, 2014, 6pm - 9pm MST (in person at AppSec USA
Reminder: Discussing Governance at OWASP
We have an open mailing list for discussing the overall topic of governance at OWASP. Click Here to browse the list archives.

Initiatives

OWASP Winter Code Sprint
We are thrilled to announce the launch of OWASP Winter Code Sprint (OWCS) for this upcoming Autumn/Winter (Sept 14-March 15).
What is OWCS?
The OWCS is a program to involve students with Security projects. By participating in OCWS a student can get real life experience while contributing to an open source project and getting university credits.
How it works
Any OWASP project that will give you university credits can participate in OCWS. Each project will be guided by an OWASP expert along with a professor. Students are graded by their University, based on success criteria identified at the beginning of the project.
Projects are focused on developing security tools. It is required that the code any student produces for those projects will be released as Open Source. Universities are free to specify their own requirements to projects, such as written reports. OWASP does not influence the way grades are allocated. The OWASP advisers will provide any information professors need in order to grade their students.
How to participate?
As a Student:
  1. Review the list of OWASP Projects currently prticipating in OWCS
  2. Get in touch with the OWASP Project mentor of your choice
  3. Agree on deliverables with OWASP mentor and university professor
  4. Work away during Autumn/Winter 2014
  5. Rise to Open Source Development Glory!
As a Professor:
  1. Review the list of OWASP Projects currently prticipating in OWCS
  2. Get in touch with the OWASP Project mentor of your choice
  3. Promote the participating OWASP Projects among students
  4. Review student progress with help from OWASP mentors
  5. Grade student work according to university scoring system
  6. Provide student grade results to OWASP mentor/s
CLICK HERE for more information

OWASP Meet and Greet at BlackHat USA

What does this mean? Chapter and Project leaders that are already planning on attendingBlackHat USA 2014 can sign up for a 2 hour slot (or more) to promote their chapter and/or project at the OWASP booth. This will allow conference goers that may only know you via email to put a face to a name. It will also provide you visibility to thousands of individuals to promote your chapter and/or project.
We have a limited amount of "Expo Only" passes available if you were not planning on attending BlackHat but will be in Las Vegas on Wednesday, August 6 and/or Thursday, August 7 and want to promote your chapter/project at the OWASP booth.
Leaders will be showcased for the time(s) you select and the leader with the most visitors over the two days will win a prize!
To help us promote your chapter and/or project, please fill in the time(s) that best accommodates your schedule to be showcased at the OWASP BlackHat booth here.
BSides 2014 Las Vegas Tuesday, August 5 - Wednesday, August 6
Anyone that will be in Las Vegas and would like to help promote OWASP at our BSides booth is welcomed! Please select the time(s) that best fit your schedule to volunteer at the OWASP booth here. The volunteer with the most visitors over the course of the two days will win a prize!




No comments: