| || || |
| || || |
|OWASP Projects and activities are often the subject of webcasts and podcasts. Sit back and relax as you watch and listen to these recent episodes. |
Simon Bennetts - FLOSS Weekly ZAP interview
North Sweden Chapter leaders, Markus Orebrand and Magnus Hultdin were featured in an Infotech Umea article
Fabio Cerullo - OWASP and 2015 LATAM Tour - Mundo Hacker TV
HP and OWASP Internet of Things Top Ten at RSA conference - A Good Housekeeping Seal for the Connected Home | Security Ledger
Mark Miller - OWASP 24/7 Podcast Series
|Be on the lookout for more information on the upcoming Elections and Annual Awards! The election process will begin May 1 with the Global Board call for candidates. |
More information will follow via email.
Thank you to the local teams for translating OWASP documentation into many different languages.CISO Guide in Spanish
|The Hacky Easter challenges have returned! |
Hacky Easter 2015 is a free, white-hat hacking competition for education and fun. The competition runs until May 31, 2015. CLICK HERE to access the challenges! Good luck to all.
|Did you know that when you access Amazon through the special OWASP Charity link OWASP received a percentage of the purchase? |
This is an easy way to help support OWASP. 100% of proceeds collected through Amazon Smile in 2015 will support the Women in AppSec initiative.
|OWASP KALP Mobile Project is for the users around the world who want to view the OWASP Top 10 vulnerabilities, download the Top 10 list on their mobile device, and email it. This is a lightweight information of OWASP Top 10 list, Cheat Sheets as well as Prevention Cheat Sheets created from the OWASP site.|
Visit the project page for links to download the application for Android and iOS devices.
OpenSAMM Consortium Launches Industry's First Public Benchmarking Data for Improving Software SecurityOpenSAMM is an easy-to-use assessment which provides flexible datasets that can be customized by organization demographics, including sector, development and cultural profile, resulting in pragmatic milestones towards reducing overall security risk.
The expanded access to these datasets makes OpenSAMM available to a larger number of organizations, which previously weren't able to apply valuable benchmarking data to their particular case.
Each of the practical, constructive benchmarks within the framework was derived from best practices of leading application security firms.
Read the entire press release HERE
Open SAMM Project Page
Complete details of all the changes, visit the ZAP release Blog Post
Some of the highlights are:
Following the latest release of ZAP 2.4.0, Samuli Elomaa has written a brief introduction to using ZAP with Docker
What can you do with ZAP docker images? The main advantages are:
AppSensor is about detecting and responding to attacks within software applications.
In February the project team created a two-page flyer "AppSensor - Introduction for Developers"
And now in April, a new 12-page booklet "AppSensor - CISO Briefing" has also been finalised
The CISO Briefing is also available to buy at cost in hardcopy.
These materials are intended to complement the more extended information on the microsite http://www.appsensor.org/, project wiki and AppSensor - Guide. AppSensor is also participating in the project summit at AppSec EU in May.
WHID goal is to serve as a tool for raising awareness of the web application security problem and provide information for statistical analysis of web applications security incidents.
A useful way to use WHID is to help provide data for "Likelihood of Attack" RISK ratings. There is a lot of public "vulnerability" data publicly available, but which ones are actively being used by attackers?
Read more, find Top 10 mappings, and submit an incident by visiting WASC Web Hacking Incidents Database project page
There is significant knowledge about application vulnerability types, and some general consensus about identification and naming. Issues relating to the misuse of valid functionality, which may be related to design flaws rather than implementation bugs, are less well defined. Yet these problems are seen day-in day-out by web application owners. Excessive abuse of functionality is commonly mistakenly reported as application denial-of-service (DoS) such as HTTP-flooding or application resource exhaustion, when in fact the DoS is a side-effect. Some examples are blog & comment spam, fake account creation, password cracking, web scraping, etc.
These factors have contributed to inadequate visibility, and an inconsistency in naming such threats, with a consequent lack of clarity in attempts to address the issues.
The OWASP Automated Threats to Web Applications Project is in the process of reviewing reports, academic and other papers, news stories and vulnerability taxonomies/listings to identify and name classes of these - threat events to web applications that are undertaken using automated actions.
The aim is to produce an ontology providing a common language for devops, architects, business owners, security engineers, purchasers and suppliers/vendors, to facilitate clear communication and help tackling the issues. The project also intends to identify symptoms, mitigations and controls in this problem area. But for the moment the project would like to receive real-world experience on the prevalence and naming of such threats - especially from those responsible for the ongoing operation of web applications.
One way to help would be to complete the new survey which has been published this week. Help identify real-world automated threats using this Google Form: http://goo.gl/forms/9zKz56aAp5
For more information, please visit the Project Wiki Page
|The Conference Program is Now Available! |
Limited Seats are available in the pre conference Trainings
Wednesday, May 20 - One day courses:
|AppSec USA 2015 (September 22 - 25, 2015, San Francisco, CA) |
|LASCON 2015 (October 19-22, 2015) Austin, TX |
AppSec Rio de la Plata 2015 (November 17-20, 2015) Montevideo, Uruguay
AppsWorld Germany 2015 (April 22-23, 2015) Berlin, Germany
NCCDC (April 24-26, 2015) San Antonio, TX
AppsWold North America 2015 (May 12-13, 2015) San Francisco, CA. OWASP members recieve 15% off delegate passes. Enter voucher code: I89GS/APPSP15
SANS CyberTalent Fair (May 14-15, 2015) Virtual, online
BSides Knoxville (May 15, 2015) Knoxville, TN
International Conference on Cyber Security (ICCS) (May 16-17, 2015) City of Redlands, CA. OWASP members receive 25% off the general event fee. Discount code ICCSOWASP
Cloud Security World 2015 (May 19-21, 2015) New Orleans, LA..OWASP members receive a 25% discount off standard event fee. Discount code CLD15-OWASP
Hack In the Box (May 26-29, 2015) OWASP members receive 20% off by using discount code OWASP-HITB2015AMS
SC Congress Toronto (June 10 - 12, 2015) Toronto, Canada. Register with your @owasp email address and receive a discount.
Hack in Paris (June 15-19, 2015) La Plaine Saint-Denis, Paris
EuroPython 2015 (July 20-26, 2015) Bilbao, Spain
(ISC)2 Security Congress APAC 2015 (July 28-29, 2015) Manila, Philippines
BlackHat USA (August 1-6, 2015) Las Vegas, NV
BSides Las Vegas (August 4-5, 2015) Las Vegas, NV
Info Security Malaysia Conference (August 6, 2015) Kuala, Lumpur
Security One2One Summit (October 4-6, 2015) Austin, TX
SecTor (October 19-21, 2015) Toronto, CN
|Ads are not endorsements and reflect the messages of the advertiser only. CLICK HERE for more information on advertising.|
|Leeds Beckett University: New Student Chapter and Academic Supporter - Chapter Leaders - Joseph Gwynne-Jones - President, Christopher Easton - Vice President, James Johnson - Treasurer, Connor Wilson - Secretary, Cliffe Schreuders - Faculty Advisor |
Manaus, Brazin - New Chapter Leader - Fabio Lapuinka
Phoenix, AZ USA - New Chapter Leader - Joaquin Fuentes
Charlottesville, VA USA - New Chapter Leader - Jeff Collyer
UW Bothell Student Chapter - New Chapter Leaders - Tyler Laws, Brendan Sweeney
OWASP Noida, India hosted a tour beginning April 6 to promote Cyber Safety Campaign Across India. The tour began on 6th April 2015 at the Poddar International School in Nagpur, Maharashtra, India
Check out the event on Facebook!
Check out the Twitter Feed!
Share your chapter's successes! Submit your stories here
Noreen Whysel, OWASP Community Manager has begun processing your comments and suggested changes to the Chapter Leader Handbook
To add your comments, go to the Chapter Handbook page. On each chapter of the handbook, click the "Discussion" tab at the top left of the page to review the suggested changes. You will need to log in to add your own suggestions. At this time do not make any edits to the Chapter Leader Handbook pages. Only add suggestions to the Discussion page. Please contact Noreen if you need assistance.
docker pull owasp/zap2docker-stableOr for weekly images:
docker pull owasp/zap2docker-weeklyThis will download and install the zap docker images from docker project's image hub. Alternatively you can build your own with the docker files located at build/docker directory of the zap source code archive.
docker run -u zap -p 5900:5900 -p 8080:8080 -i owasp/zap2docker-stable x11vnc --forever --usepw --createThis will first ask you to set VNC server password, once done it will startup the VNC session. Which you can connect with your VNC client (eg. in the example its localhost and tcp port 5900). In order to reach the ZAP proxy from your web browser just set your http proxy point to your docker host's IP (or localhost) and TCP port 8080, when you are done you can just kill the docker image with ctrl+c.
For downloading the report files from the docker image, you can use the data volume mounting option: -v localdir:/home/zap/ , altough this does have problems when using systems like boot2docker. Please see the following site for more detailed information regarding managing data in docker containers: https://docs.docker.com/userguide/dockervolumes/
docker run -u zap -i owasp/zap2docker-stable zapr --debug --summary http://target
docker run -p 8090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0When this is run, you can access the ZAP API from localhost/host-ip at tcp port 8090. Eg. http://127.0.0.1:8090/ or http://dockerip:8090/
See more details regarding the ZAP api usage here: https://code.google.com/p/zaproxy/wiki/ApiDetails