Thursday, June 26, 2014

Important Deadlines Are Rapidly Approaching!

Board Members, Chapter and Project Leaders,
I am sure you all know at least one person who contributes and does amazing things for OWASP, yet flies under the radar. This is the perfect time to nominate them for the WASPY Awards so they receive the global recognition and thanks they deserve.

ALL nominees for the WASPY Awards need to be submitted no later than EOD June 30. To learn more and to submit your nominees please see WASPY Awards. We are also looking for companies to sponsor these awards. If you are interested in sponsoring please let us know!
Board of Elections candidates need to submit their candidacy by August 15!
Honorary Membership closes September 30!  To see if you qualify and to request Honorary Membership please refer to our Board Election page.
Regards,

--
Kelly Santalucia
Membership and Business Liaison
OWASP Foundation
1200-C Agora Drive, #232
Bel Air, MD  21014
USA
Direct: 1+ 973-670-5784
Fax: 1+ 443-283-4021 
Skype: kelly.santalucia

Tuesday, June 24, 2014

AppSecEU 2014 live streaming


OWASP AppSec Europe 2014 will be presenting six (6) tracks of live content directly from the conference's main rooms. The event will run on June 25 and June 26, starting at 9:15AM GMT+1. And if you miss it, keep calm and watch later on, since all the recorded content will be available in the following playlist:



Check out the official OWASP YouTube channel for live event notifications.

This has been made possible by the AppSecEU 2014 Conference Team, the OWASP Media Project and the Münster University of Applied Sciences IT Security Lab.

Monday, June 23, 2014

2014 Global Board of Directors Election

You have until August 15, 2014 to submit your candidacy. To learn more please visit https://www.owasp.org/index.php/2014_Board_Elections#Election_Timeline

Honorary Membership - To see if you qualify please visit our Election page and submit your request NOW! Honorary Membership will close on September 30, 2014.  


OWASP WASPY Awards 
Nominations close June 30. Submit your nominee NOW!
 

Thursday, June 19, 2014

Code Review Guide Summit Session at AppSecEU

Join us at the Code Review Guide code collection summit session at AppSecEU, on Monday 23rd June at 2pm.
During the session we aim to create a gathering of software developers sharing good and bad coding examples, with the goal of educating everyone reading the code review guide on what to do (and what not to do) when coding web sites.

In the session we will be looking for code examples on topics such as:

  • Authentication
  • Authorization
  • SSL/TLS Implementations
  • JSON
  • HTTP headers
  • SQL Injection
  • Secure communications
  • Frameworks (Spring, Struts, Drupal, Ruby on Rails, Django, etc)

See the flyer for more information on the session, and come along to share ideas.

(Posted on behalf of Gary Robinson, co-leader for the OWASP Code Review Guide v2.0)


Tuesday, June 17, 2014

OWASP Global Connector


June 9, 2014 | www.owasp.org | Contact Us | Brought to you by the OWASP Foundation
owasp projects

Featured OWASP Project

OWASP .NET Project
The OWASP.NET Project is the clearinghouse for all information related to building secure .NET web applications and services. The goal of the project is to provide deep content for all roles related to .NET web applications and services. The focus of the project is on guidance for developers using the framework and on OWASP components that use .NET. The wiki page for the OWASP.NET Project can be found HERE.
For more information, please contact the Project Leader, Bill Sempf

New OWASP Projects

OWASP Project Metrics
The goal of this project is to create an automated tool able to connect to the majority of distributed version control systems (DVCS) and generate data to measure project activity and quality using metrics and standard practices. For more information, please contact the Project Leader, Federico Figus.
OWASP iOSForensic
iOSForensic is a Python tool to help with forensic analysis on iOS. It gets files and logs, extracts SQLite3 databases and uncompresses .plist files to XML. For more information, please contact the Project Leader, Florian Pradines.
OWASP Secure Development Training
Produce an open source training curriculum for secure development training. This training material can be used freely by trainers to be delivered in person and in commercial settings or accessed directly by students in video recorded format. For more information, please contact the Project Leader, Tobias Gondrom.
OWASP PHP Security Training Project
The goal of this project is to create an interactive training system, consisting of several units, for PHP developers. Every unit is divided into an attack part and a defense part. When working through the attack part, the developers will have to attack a vulnerable application. Through this, they will learn to think like a hacker. Weaknesses to detect and exploit might be XSS, CSRF or SQL Injection, which are listed in the OWASP Top 10. For more information, please contact the Project Leader, Timo Pagel.

Project Announcements

Cyber Security Startup Initiative
The latest OWASP Global Initiative will be participating in this year's Project Summit at AppSec EU. The aim of the Cyber Security Startup Initiative is to create opportunities for innovation in application security by promoting the creation of open source prototype tools produced by teams looking to form a startup.
More information can be found ON THE WIKI PAGE.
The initiative's Project Summit session will take place on June 24, 2:00pm - 6:00pm. To sign up to take part in the session, sign up to attend HERE.
Any questions about the initiative can be directed to the initiative leaders: Neill Gernon and Marco Morana.
Project Summit 2014

We are just a few weeks away from AppSec EU and the Project Summit. There are some great sessions planned for the two days. The full session schedule can be found HERE. The Project Summit is a fantastic opportunity to workshop your project and gather new volunteers for your project. The Project Summit will be taking place June 23-24 at Anglia Ruskin University in Cambridge, UK and is free and open to the Community. You do not need a conference pass to attend the Project Summit.
The full conference schedule can be found HERE and you can add Project Summit sessions to SCHED.org.
Social Media

OWASP Foundation Social Media

LinkedIn
Twitter
Google +
Facebook
Ning
StackOverflow
membership

Thank you to our recently renewed Corporate Members:

  • Cloud Passage
  • Imperva, and
  • Protiviti
Honorary Membership applications now being accepted.
CLICK HERE to find out if you qualify for Honorary Membership. The deadline to submit your application is September 30, 2014.
conferences

Global AppSec Events in 2014

AppSec Europe 2014 (June 23 - 26, Cambridge, UK)

  • Keynotes announced! Lorenzo Cavallaro, Tobias Gondrom, Dr. Steven J. Murdoch, Wendy Seltzer, and Jacob West - see the entire schedule HERE
  • Get all the details on the speakers, the training, and activities HERE
  • This is the last week to register for the event. Register Here
AppSec USA 2014 (September 16 - 19, Denver, CO)

Upcoming Regional Events

OWASP Korea Day 2014 Workshop (June 17, 2014, Seoul, South Korea)
LASCON 2014 (October 21 - 24, Austin, TX)

Partner and Promotional Events

OWASP has partnered with these great events in the beginning of 2014 to grow our community and build awareness around software security. If you want to learn more about OWASP's involvement, or will be attending and want to help out, contact us.
Condition Zebra InfoRisk 360 (June 17-19)
Suits & Spooks (June 20-21, 2014), NY, NY.
Secure Asia 2014 (July 23-24), Beijing, China.
BlackHat (August 2-7), Las Vegas, NV. OWASP Members receive $200 off BH briefings with code: owaBR200off.
BSides LV (August 5-6), Las Vegas, NV.
EC-Council TakeDown Con (August 14-19), Huntsville, AL.
Fraud Summit Toronto (Sept 8, 2014), Toronto, Canada.
(ISC)2 Security Congress (Sept 22 - Oct 2), Atlanta, GA. Today's employers are seeking software developers that have the knowledge and expertise to build secure, hacker-resistant software. Do you have what it takes? Prove it with a Certified Secure Software Lifecycle Professional (CSSLP®) certification from (ISC)2. Validate your competence in secure software development in new and evolving environments, including the cloud, mobile and more. Watch the CSSLP webcast series to get started.
EC-Council Hacker Halted (October 12-17, 2014), Atlanta, GA.
ISSA International Conference (October 22-23, 2014), Orlando, FL.
Suits & Spooks (December 14), Singapore.
communication

2014 WASPY (Web Application Security People of the Year)

Call for Nominees is NOW OPEN!

The third annual WASPY awards are now taking nominations in the categories listed below. This is YOUR opportunity to recognize another in our community for their outstanding efforts.

  • Best Chapter Leader
  • Best Project Leader
  • Best Mission Outreach
  • Best New Community Supporter "Rookie of the Year"
  • Best Platform Supporter
Submit your nominations HERE

2014 Global Board of Directors Election


Please visit our 2014 Board Elections page for frequent updates. Our Call for Candidates is only open until August 15! Please submit your candidacy here.
Once confirmed, the candidates will conduct individual interviews answering questions from the community. Anyone can submit questions and vote existing questions up or down. The top 5 to 6 questions will then be used for each candidate's interview. If you have a question you would like to submit, please do so here.
For a complete Election Timeline, click here.

Bi-Weekly Community Call

Bi-Weekly OWASP Town Hall meetings have been started by Michael Coates. The next one is scheduled for June 17th at 9am Pacific time. If you have any updates or announcements regarding OWASP that you would like to share with the world, please add them to the wiki page. The meetings are held using Google Hangouts and broadcast live. They are always recorded and publicly posted via YouTube. This is NOT a slide presentation. Items posted on the wiki will be discussed, and questions will be accepted over Twitter or Hangout chat.

Call For Volunteers (CFV) for AppSec EU

For just 8 hours of your time and effort, we'll provide you with a full conference pass. We need folks to work registration desk as well as room proctors, speaker liaisons, ticket takers for the conference dinner, and more! Shifts start on Monday for the Trainings and run through Thursday, so there's plenty of opportunity for you to get in your required time and still see the talks you want to attend.
Sign Up Today

Just for Fun

Congratulations to Calle Svensson who was the first person to solve last week's challenge: 98 coins
Click here to view last issue's puzzle
Here is this issue's challenge...
The government pays farmers a specific fee for each row of four trees that they plant. An enterprising, but dishonest farmer found a way of planting five rows of four trees using only ten trees. How did he do it?
Send your answers to our comment desk for a chance to win a prize. Winners will be announced in the next connector.

On Air Hangout in Spanish

June 26, 2014, 4PM ART (UTC -3)
Title: "DevOps, continuous deployment, PaaS and... security?"
Description: Development teams are increasing their speed by using automation and new development methodologies, deploying new versions of our company's web applications one or more times per day, and adopting new technologies such as PaaS. What can the information security team do to reduce risk without slowing down the development teams? How should we face these new challenges?



OWASP Cornucopia Project



The OWASP Cornucopia project has been shortlisted for an award in a competition run by the .UK registrar.

What is the OWASP Cornucopia Project?
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams in identifying security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.

The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories. Although the idea had been waiting for enough time to progress it, the final motivation came when SAFECode published its Practical Security Stories and Security Tasks for Agile Development Environments in July 2012. 

Further details are on the project's mailing list:

   http://lists.owasp.org/pipermail/owasp_cornucopia/2014-June/000028.html

This is quite local (national) publicity, but does increase OWASP's profile, especially within the UK government.

Thank you to all the project's volunteers. Please join the project's mailing list to keep updated with news, to provide feedback, or to help in other ways:

   https://lists.owasp.org/mailman/listinfo/owasp_cornucopia

Many thanks to everyone involved and also to the project leader, Colin Watson.

Thursday, June 12, 2014

OWASP - What's Next - Community Discussion

Sarah Baso has been an amazing addition to the OWASP community and helped us advance our mission through her role as Executive Director. She's recently announced that she'll be stepping down in August. We wanted to provide additional information on what's next for OWASP.



OWASP Community,

Many thanks again to Sarah for her time and dedication to OWASP. Sarah and the entire operations team have made tremendous strides for OWASP over the years. We’re sad to see Sarah go, but at the same time we feel very happy for her and the exciting events in her future.

While OWASP is made up of many great individuals, we are more than just a collection of individuals. Focused on the mission, we donate countless hours in our volunteer efforts just to make the world a better place. For us at OWASP we pursue this through advancing and bringing awareness to application security.

As we’ve seen over the past week there are many changes at OWASP. This is a natural evolution of an organization and also an opportunity for new leaders to step forward.

What’s next? With every transition we have the opportunity to pause and ask, “what should we do to move forward?” Sometimes this is to continue along the same path as before. Other times it is to shift into a new direction. There are several changes happening here at OWASP and we should evaluate what move is best for our growing community. This could be a straight backfill or this could be something new. As a community, let’s have that discussion.

A few specific items:
Open
There are many different paths forward for OWASP. As a community let’s determine where we want to go. The discussion and process will be open to all. Though we may have different ideas, ultimately the community as a whole will reach a path forward and we can all rally around the next steps.

Focus on Community
We must continue to look at how we advance OWASP to empower community. OWASP is a unique organization and we need to build structures that are cognizant of our volunteers and their contributions, and also work in the distributed worldwide organization that we are. This is more than just talk too. We need to address the hard questions so we can build a well-functioning system that is exciting and welcoming for our community.

Two areas are already under discussion and I encourage you all to get involved, committees 2.0 and the upcoming board elections.

The business side of OWASP
The business side of OWASP is no small task. We have legal entities in the US and Europe, income from events around the world, tax and legal obligations and more. In the interim we will be hiring a third party firm that specializes in the business operations of non-profits. This will enable OWASP to focus on what we do best, application security. In addition, the third party will also ensure the business side of the house is in order. This is a short term engagement that will be re-evaluated as part of our larger discussion.

OWASP Operations Team
The operations team works tirelessly to advance OWASP. We are truly grateful for their efforts. The business group mentioned above will augment our operations team. Every member of the operations team plays a critical role and we need them to be able to focus on their areas of expertise.

Although things will be changing in some areas of OWASP as we all evaluate the best structure, it is still crucial to provide a single point of contact for the operations team. In the interim the operations team will report directly to the chairman of the board, Michael Coates.

Continuing the conversation
This is only the beginning of the conversation. Here are several ways to continue sharing ideas.

1. Open Town Hall
A Google Hangout is scheduled for next week on Monday, June 16, 7am Pacific (hangout link & world time conversions). The call will be recorded and streamed live. You can join the call in real time or submit your questions ahead of time via Google Moderator.

2. Google Moderator
Have an idea to share? Want to dive into a different proposal? Use Google Moderator to have a free form conversation with just enough structure in the tool so good ideas can rise up.

3. Mailing lists
The age old mailing lists (the OWASP leaders list and the OWASP community list) are still there and will of course be used. But, sometimes good ideas get lost here in long threads. So please consider capturing important items within Google Moderator too.

4. Run for the board
Board elections are seeking candidates. Submit your candidacy here: http://www.tfaforms.com/329974

Change can sometimes feel a bit uncomfortable, but at the same time it can be a great opportunity. Let’s embrace this opportunity to develop the future of OWASP together.

We are wishing our Sarah all the best for the future and looking forward to all of your feedback, ideas, and energy that made OWASP the great organization it is today and which will lead OWASP into the future.


- The OWASP Board
Michael Coates,
Tom Brennan,
Josh Sokol,
Tobias Gondrom,
Fabio Cerullo,
Eoin Keary,
Jim Manico




OWASP Executive Director Update

Dear OWASP Community Members,
On Friday May 23, 2014, I gave notice to the Board of Directors that I will be resigning as Executive Director of OWASP.  As some of you already know, I am pregnant with my first child and, now, have decided to take this opportunity to stay at home with the baby after she is born in late August. This has been a difficult and bittersweet decision, as I am sad to leave OWASP but very excited for this new chapter in my life full of its own challenges and experiences.
In the past three and a half years since I started working with the OWASP community on the 2011 Global Summit, I have had the great fortune of working with many volunteers around the world both virtually and in person.  I will treasure that work and all of the efforts and enthusiasm I have experienced first hand in the community.  Thank you to each and every one of you for your continued contributions to support OWASP as an organization and, most importantly, for your hard work improving the security of software.

The Board will be following up shortly with the community to provide more details on next steps for OWASP.  I plan to continue working to support the ongoing efforts and initiatives of the Foundation over the next couple of months, enabling a smooth transition of my responsibilities upon my departure in August.

As we work through this transition, if you have questions and comments I encourage you to share them with me, the Board of Directors, and other community leaders via the owasp-leaders and owasp-community mailing lists.
Sincerely,
Sarah Baso
Executive Director
OWASP Foundation

AppSec EU Call for Volunteers is now OPEN!!

It's that time! The Call For Volunteers (CFV) for AppSec EU is now live! For just 8 hours of your time and effort, we'll provide you with a full conference pass (£500.00). We need folks to work registration desk as well as room proctors, speaker liaisons, ticket takers for the conference dinner, and more! Shifts start on Monday for the Trainings and run through Thursday, so there's plenty of opportunity for you to get in your required time and still see the talks you want to attend.


We hope to see you in Cambridge at AppSec EU 2014. Cheers!

Wednesday, June 4, 2014




The call for presentations (CFP) is currently closed. Review your submitted talks here.

Dates and deadlines

  • April 27th, 2014: Submission deadline
  • May 30th, 2014: Notification of acceptance
  • June 13th, 2014: Notification of acceptance (our apologies for the delay)
  • August 4th, 2014: Final materials due for review
  • September 18th – 19th, 2014: Conference proceedings

Visit the main conference site for additional information about AppSec USA.

Tuesday, June 3, 2014

OWASP Project Manager - Resignation



OWASP Community Members -

Our Program Manager for OWASP Projects, Samantha Groves, shared with us on May 27, 2014, that she would be leaving the OWASP Foundation. Samantha’s last day with the Foundation will be Tuesday, June 10, 2014.

Samantha has been an amazing employee, relentless in supporting the Foundation, providing a platform for community decisions and collaboration. She has had a tremendous workload, which includes support of more than 150 active projects, responding to a constant influx of inquiries from project leaders asking for help with MediaWiki templates, new project requests, and general advice on how to proceed with anything OWASP. Additionally, she has oversight of our project related grants and Google AdWords account, manages a project intern and a graphic designer, and facilitates platforms for project related initiatives such as the current project task force. Last but not least, Samantha has taken on the monumentally time consuming task of ensuring OWASP Projects not only have a presence at the Global AppSec conferences, but play an active role in engaging the community to learn and get involved in the projects. This includes project modules such as the open source showcase, project track (project talks), project leader workshop, and project summit.

Samantha will be sorely missed by me and the rest of the staff, and surely many people in the community.  

On behalf of the Foundation, thank you Samantha for all you have done for us to support the mission and the community. We wish you all the best in your future endeavors.

Best Regards,

Sarah Baso
Executive Director
OWASP Foundation

###########################
For those of you who missed it, here is Samantha's email to OWASP Leaders from earlier today:

Dear OWASP Leaders,

I am writing to inform you that I have resigned my post, and I will be concluding my staff work with OWASP on Tuesday, June 10th, 2014. My original last day was meant to be August 8th, 2014, but circumstances have changed and I have had to depart sooner.  

I feel sad to leave OWASP as this is one of the best communities I have ever had the pleasure of working with. I consider many of you family, and I am truly sad to be leaving.

I am confident that this is the best decision for me, and I wish you all the best of luck. If you need me, you know where to find me. :-)

Thank you for the opportunity to get to know you. Keep being amazing! :-)


Best Regards,
Samantha Groves 

Monday, June 2, 2014

OWASP Flagship Project Announcement

OWASP Community,

On April 30 2014, the OWASP Board voted to change all projects with Flagship Status to Labs status. This message is intended to explain why we did this and what the future of OWASP projects and project evaluation is.

It's critical that the OWASP Foundation is sincere about the classification of our project inventory. Our "customers" depend upon these projects to provide a wide variety of critical security services. These include discovery of security vulnerabilities, cryptographic services, developer security education and a number of critical security controls. Some OWASP projects are used in the very heart of our customers' infrastructure!

Our current methodology of project classification is based on three categories: Incubator Projects, Labs Projects and Flagship Projects. Let's take a moment to explore what these categories mean as they stand today.

OWASP Incubator Projects are "proofs of concept, experimental, and classified as prototypes" in their current state.

OWASP Labs Projects represent projects that have produced a deliverable of significant value but are not guaranteed to be production ready.

OWASP Flagship Projects clearly denote production quality projects that organizations can trust and depend on.

Evaluating almost 200 projects is no small task. The OWASP project list has not changed much over the last 2 years. Unfortunately, some of our flagship projects have not been active and have languished to a point where flagship status may not be appropriate.  Also, as OWASP continues to mature its project management and review capabilities, these categories may go away.

In an effort to present a more accurate and up-to-date status of OWASP projects, the OWASP Board has voted to reduce all Flagship projects to Labs status and will require projects to go through an evaluation process in order to be deemed Flagship once again. This message states that current Flagship projects are still important projects that deliver significant value, but may not be production ready or up to date.

OWASP is in the midst of building a new project review infrastructure and the processes to go with that. Our new project review mechanism is not finalized yet, but members of the OWASP Community are working to build that new strategy. But we need to realize that while many of our projects are great ideas, not all of them are "production quality projects". Please look for a proposal with options for comment and a community vote in the upcoming days.

We know this may upset some in our community, but we want to emphasize that we felt that several OWASP Flagship projects (which are of great value) were languishing in a variety of ways. Our goal was to present OWASP projects in a more honest light. OWASP Labs status again denotes great value.

Thank you for your consideration over this matter. We are eager to hear any feedback from the community to help make OWASP projects better in the future.

Regards,
The OWASP Board and Staff 


Hi all,

AppSecEU 2014 is approaching quickly and we have lots of great speakers and exciting presentations and trainings for you.
It's your opportunity to discuss with the best in our field, hear the latest security tech presentations, learn and have a lot of fun.

This year AppSecEU will be in Cambridge, just a short 1-hour train ride from London.
We got a great venue at Anglia Ruskin University’s Cambridge campus and on June 25 will have a stylish conference dinner in the Victorian Gothic style Great Hall at Homerton College. An evening event not to miss. :-)

AppSecEU 2014
Date: June 23-26
Venue: Cambridge, Anglia Ruskin University

Program: 
Conference (June-25/26)

The main conference will be on June 25th and 26th with lots of amazing keynote speakers flying in, and tech talks about the latest on mobile security, hacking web applications and how to defend them, to management topics like lots of best practices and stuff that works. And while there, you'll have the opportunity to meet and discuss with your peers and industry experts and also visit tables from our sponsors in the hallway, who will show their latest tools and products at the exhibition hall.
Trainings (June-23/24)
Before that, on June 23rd and 24th, we have 1- and 2-day training classes and bootcamps where you can dive deep into the technical problems and learn from the leading experts in the field (and see how deep the rabbit hole goes). The classes will be about mobile app security, injection flaws, WebHacking, defensive programming and writing secure code, up to management trainings about openSAMM and a CISO training about managing application security for senior managers.

Here is the link to the conference page:
https://2014.appsec.eu

And for your registration:
https://2014.appsec.eu/registering-for-the-conference/

(For your convenience, we also secured a block of very affordable rooms close to the venue - but better book quickly as they go fast.)

Please spread the word among your colleagues and friends. We are looking forward to seeing you all at the end of June in Cambridge!

Cheers,


Tobias Gondrom
OWASP Global Board Member