Monday, February 15, 2016

February 2016 Community News Flash

In this Issue:
  • FUNDING: Let's Talk About Funding and Plan for 2016!
  • PROJECTS: Announcing GSoC 2016, New Releases from OWASP ZSC, ESAPI, WebGoat 7, and a ZAP User Survey
  • CHAPTERS: New Chapters, Leader Transitions, Meeting Ideas for 2016
  • EVENTS: AppSec Europe and Other Upcoming Local and Regional Events
  • RESOURCES: List of Resources in this Issue

FUNDING: Let's Talk About Funding and Plan for 2016!
Get ready to share the OWASP vision and spread application security awareness. This January the OWASP Board released $33,000 to 65 Chapters! This is an incredible opportunity for formerly underfunded chapters to plan for the coming year.

Join Community Manager Noreen Whysel and Projects Coordinator Claudia Aviles-Casanovas in an online discussion of Funding Ideas for 2016. There will be two calls, dialed in via GoToMeeting on February 12 and February 16, and each call will be recorded if you are unable to attend.

Fri, Feb 12, 2016 12:00 PM - 1:00 PM EST
Tue, Feb 16, 2016 8:00 AM - 9:00 AM EST

Call details:

PROJECTS: Announcing GSoC 2016, New Releases from OWASP ZSC, ESAPI, WebGoat 7, and a ZAP User Survey

Got an Idea for Google Summer of Code 2016?

The time of the year has come to propose ideas for GSoC 2016.

We haven't been selected yet, but we need to populate this list of ideas as part of the organization application process.

We have created a list here:

We have removed last year's ideas and left only a few as "example ideas". Please add as many ideas to this list as you wish. Put your ideas down before the application deadline, i.e. before February 19th. You will be able to add more ideas after the deadline, but we would like to present as many ideas as possible to Google.

OWASP ZSC

We are preparing to start developing a powerful obfuscation tool, OWASP ZSC, and are looking for volunteers to contribute to the project.

OWASP ZSC Project
OWASP ZSC is open-source software written in Python that lets you generate customized shellcode and convert scripts into obfuscated scripts. It runs on Windows, Linux and OS X under Python.

Usage of shellcode
Shellcode is a small piece of assembly code that can be used as the payload when exploiting software. Other uses include malware, bypassing antivirus software and code obfuscation.

Usage of obfuscated code
Obfuscated code can be used for bypassing antivirus software, for code protection and for similar purposes.

Why use OWASP ZSC?
Compared with other shellcode generators such as the Metasploit tools, OWASP ZSC uses new encoders and methods that antivirus products do not detect. The OWASP ZSC encoders can generate shellcode with random encodings, which lets you obtain thousands of new, dynamic shellcodes that do the same job in just a second: with random encodes you will not get the same code twice for the same commands, and that makes OWASP ZSC one of the best. Upcoming versions will also generate shellcode for other operating systems. The same applies to code obfuscation.

There are more details on how it works, along with user guides and a guide on how to develop for it. The complete developer and user guide documents are available for download on GitBook.

Developers can add new features, and if you do not have an idea of your own but would like to develop, you can find the issues that the software needs fixed, added or done HERE.

After fixing, adding or developing something, please send a pull request, and remember that your code must be compatible with both Python 2 and Python 3.

If you have any questions, open an issue on GitHub, mail us or contact the project leaders directly. Do not forget to register on our mailing list.

ali.razmjoo@owasp.org
johanna.curiel@owasp.org
owasp-zsc-tool-project@lists.owasp.org

URLs:


WebGoat v.7

WebGoat v.7 has been released. Listen to our podcast, in which Bruce Mayhew explains the new version. The WebGoat Project started 10 years ago and has had over 1,000,000 downloads. Version 7.0 is being released this week. Matt Miller caught up with Bruce Mayhew, project lead, to talk about the history of the project, what has been updated in version 7, and what he foresees as the future of the project. Project Page: http://www.owasp.org/index.php/CategorY:OWASP_WebGoat_Project

New ESAPI Release

ESAPI project co-leader Kevin Wall announced that his team has just tagged (and signed) a new ESAPI release. The tag name is esapi-2.1.0.1, and 36 GitHub issues were closed. You can find full details at: https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-core-2.1.0.1-release-notes.txt.
Note that there are also some important changes to the GitHub repo itself. Specifically, we have chosen to adopt a git workflow based on this blog post: http://nvie.com/posts/a-successful-git-branching-model/, where all new development work is done on the 'develop' branch and the 'master' branch will henceforth reflect the latest official ESAPI release.

To accommodate this,
  • The 'develop' branch has now been made the DEFAULT branch.
  • The 'master' branch has now been made a PROTECTED branch.
Chris Schmidt will be uploading this to Maven sometime later this day, probably once he's through with his day job. Lastly, a special shout-out to Matt Seil and Jeremiah Stacey for their help with Git and some nasty JUnit concurrency issues.

ZAP User Survey

Please help us to make @owasp ZAP even better for you by answering the ZAP User Questionnaire: https://docs.google.com/forms/d/1-k-vcj_sSxlil6XLxCFade-m-IQVeE2h9gduA-2ZPPA/viewform

A Call for Comments on the OWASP Projects Handbook update is now open. We invite project participants to visit the OWASP Projects Handbook draft on Google Docs and enter comments. You can also download a PDF version from the OWASP Projects wiki page and forward comments to Claudia Aviles-Casanovas at claudia.aviles-casanovas@owasp.org.

OWASP 24/7 Podcasts

We now have 72 podcasts for your listening pleasure. Knock yourself out!

Created by Mark Miller, OWASP 24/7 Podcasts offer a great forum for getting an update on projects. Listen to interviews with project leaders at https://soundcloud.com/owasp-podcast.

CHAPTERS: New Chapters, Leader Transitions, Meeting Ideas for 2016

New Chapters

Restarted Chapters
Leader Transitions
  • Cluj, Romania: Lucian Suta and Cristian Serban, new leaders. Much appreciation is owed to Lucian Corlan, who founded the chapter last year and developed wonderful public programs on application security with local government.
    https://www.owasp.org/index.php/Cluj
  • Kolkata, India: Jitendra Adhikari (Jitendra.Adhikari@owasp.org) and Tanmoy Khanra (Tanmoy.Khanra@owasp.org) join the leadership team with Krishnendu Paul. Dibyendu Sikdar is stepping down. Many thanks, Dibyendu, for your service to OWASP Kolkata.
    https://www.owasp.org/index.php/Kolkata
There are many leader openings for chapters that have gone inactive, particularly in the Middle East and Africa. Go to the Volunteer page for a listing of open positions: http://owasp.force.com/volunteers/GW_Volunteers__VolunteersJobListing

New Student Chapters
Learn more about our Student Chapters and Academic Supporter programs.

Restarting an Inactive Chapter

If you are interested in starting or helping to restart a chapter that has gone inactive, please review the listings at the Volunteer Opportunities page of the wiki. If you are a current chapter leader and are having difficulty finding space, volunteers or funding to host a meeting, let me know. I can direct you to resources and funding to help you.

Also keep in mind you can view your Chapter's budget and available funds at the Donation Scoreboard:

EVENTS: Upcoming AppSec Events
The European OWASP Conference is going to be one of the best ever.
Come to hear from and share ideas with the experts!
27 June - 1 July 2016

Read the latest news on the next OWASP AppSecEU on the conference site: http://2016.appsec.eu/

Important keynote speakers will be present at the Marriott Park Hotel in Rome, Italy.

Our special guest will be Charlie Miller, who will present the keynote talk "Bugs ruin everything". In his speech, Miller will discuss some popular methods for finding vulnerabilities and why it is so difficult to spot them.

Charlie Miller is a senior security engineer at Uber ATC, a hacker, and a gentleman. Back when he still had time to research, he was the first with a public remote exploit for both the iPhone and the G1 Android phone. He is a four-time winner of the CanSecWest Pwn2Own competition. He has authored three information security books and holds a PhD from the University of Notre Dame. He has hacked browsers, phones, cars, and batteries.

The Open Web Application Security Project is an open-source project for application security. OWASP provides advice on the creation of secure Internet applications and testing guides.

It boasts a strong global community with more than 45,000 participants, more than 55 corporate members and 20 academic supporters through 249 active local chapters in 6 continents and 97 countries.

More than 800 people are expected at the event, with 3 days of training followed by the 2-day conference that includes:
  • Five parallel talks with focus on the OWASP core mission (Dev, Ops, Hack, CISO and Research);
  • Keynotes from industry leaders;
  • Exhibition spaces that offer innovative solutions for the needs of companies.
Do not miss the opportunity to participate in this important conference, mentioned by Tripwire as a TOP 11 SECURITY CONFERENCE IN 2016.

More details on registration, program and speakers will be sent in a forthcoming communication.

Global AppSec Events
  • AppSec Europe 2016, 30 June - 1 July, 2016, Rome, Italy
  • AppSec USA 2016, 11 October - 14 October 2016, Washington, DC
Regional and Local Events
Partner and Promotional Events
  • SC Congress London: February 10, 2016, ILEC Conference Centre, London, UK. Register today for an exclusive OWASP member discount of $125; the full conference pass sells for $350. Use the discount code OWASPMEM.
  • ONE2ONE SUMMIT, February 27 - February 29, 2016, Parc 55, San Francisco, CA
  • CISO Middle East Summit & Roundtable, February 29 - March 3, 2016, Habtoor Grand Hotel, Dubai, UAE. OWASP members save 20% by registering with their OWASP email address and discount code OWASP2016.
  • Blackhat Asia 2016: March 31 - April 1, 2016, Marina Bay Sands Singapore
  • Connected Security Expo, April 6 - April 8, 2016, Sans Expo Las Vegas, NV
  • QuBit Conference, April 12 - April 14, 2016, Grandior Hotel, Prague. OWASP members save 10% by registering with their OWASP email address and discount code OWASP*2016.
  • 13th Annual CISO Europe Summit & Roundtable 2016, May 10 - May 13, 2016, Copenhagen Marriott, Denmark. OWASP members save 20% by registering with their OWASP email address and discount code OWASP2016.
  • ONE2ONE SUMMIT, May 23 - May 25, 2016, Hotel Monteleone, New Orleans, LA. OWASP members receive a $200 (USD) discount on Briefings with discount code OWBR0316.
  • SC Congress Toronto: June 1 - June 2, 2016, Metro Convention Center, Toronto, CN. Register today for an exclusive OWASP member discount of $125; the full conference pass sells for $350. Use the discount code OWASPMEM.
Watch the AppSec Conference page for updated event listings. Be sure to enter your upcoming event into the OWASP Conference Management System so we can promote it and provide assistance.

RESOURCES

Project Inventory:
https://www.owasp.org/index.php/OWASP_Project_Inventory
https://www.owasp.org/index.php/Category:OWASP_Project
Google Summer of Code 2016 Ideas:
https://www.owasp.org/index.php/GSOC2016_Ideas
OWASP ZSC Tool: 
https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project

WebGoat v.7: 
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

ESAPI Release
https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-core-2.1.0.1-release-notes.txt
ZAP User Questionnaire
https://docs.google.com/forms/d/1-k-vcj_sSxlil6XLxCFade-m-IQVeE2h9gduA-2ZPPA/viewform
Chapter Leader Handbook:
https://www.owasp.org/index.php/Chapter_Leader_Handbook
Funding Resources:
https://www.owasp.org/index.php/Funding
Donation Scoreboard - Current Chapter and Project Funding Allocations:
https://docs.google.com/spreadsheets/u/2/d/11acTOmtmBGq6-5CIGsjlEByU8POSGqda0r23VNnhEGQ/pub?hl=en_US&hl=en_US&output=html
OWASP Conference Management System:
https://www.owasp.org/index.php/Owasp_Conference_Management_System
CONTACT ME
Feel free to contact me at any time if you have a question or suggestion. To create a trackable case, please use the contact us form at http://www.tfaforms.com/308703.

Noreen Whysel
Community Manager
OWASP Foundation
Community Manager Open Hours on Slack:
Join the #AsktheCM channel Tuesdays from 10am-Noon EDT.
https://owasp.slack.com/messages/askthecm/