Thursday, March 31, 2016

OWASP Connector Newsletter - March 31, 2016


Virtual Training Platform Available

You ask and OWASP delivers!

We're excited to announce that The OWASP Foundation has added the GoToTraining platform to our arsenal of virtual tools. GoToTraining lets you take advantage of an interactive learning environment where you can post materials (pre-course materials, videos, images, class resources), give tests, take polls, and run small group activities. Classes can be limited in the number of attendees or host as many as 50 students.

We would like to begin to schedule training sessions for delivery as early as April. Do you have a 1 to 4 hour class you would like to present?

Popular Topics for OWASP Training are (in no particular order):

  • XSS
  • XSS Filter Evasion Cheat Sheet
  • XSS Prevention Cheat Sheet
  • ZAP
  • SQL Injection
  • SQL Injection Prevention Cheat Sheet
  • Testing for SQL Injection
  • CSRF (Cross-Site Request Forgery)
  • CSRF (Cross-Site Request Forgery) Prevention Cheat Sheet
  • and of course, The OWASP Top 10

For Q2, all trainings will be recorded and made available through the OWASP YouTube Channel and links to the recordings will be posted on the relevant pages on the wiki.

If you are a trainer in a non-English-speaking country and would like to host a training in another language, that would be fantastic!

Any interested trainers, please CONTACT US or reach out to Kate Hartmann directly.

As always, thank you for all you do!

Annual Report Call for Content

The OWASP Foundation is looking for exciting and illustrative success stories from YOU, the community, for inclusion in our 2015 Annual Report. This year's theme is simply: Growing, Learning, Sharing, Leading.

Tell us how you and your team worked to spread the OWASP mission in 2015. Here are some ideas but feel free to be creative!

  • How did your local/regional/global collaboration spread security awareness?
  • What types of educational outreach did you and/or your team accomplish?
  • How did you and/or your team leverage the OWASP platform to inspire non security professionals to turn their attention to application security?
  • Where did you leave a BIG OWASP footprint?
  • How did YOU benefit from the different facets of the OWASP platform?

Submit your content (articles, pictures, ideas) by April 14, 2015. This is your opportunity to share with the world why you participate. We want everyone to contribute! Everyone's story is important to the Foundation. Become globally famous by submitting your picture and/or brief bio so we can be sure to give you credit for your contribution. Of course, you may also request to remain anonymous if you prefer.

Act Now to Qualify for an Honorary Membership in 2016

Purchase or renew your OWASP Individual Membership for a chance to win!

Anyone who purchases a new individual membership, renews their existing individual membership, or submits and is approved for an Honorary* Membership between April 1, 2016 and June 20, 2016 will be entered into a raffle to win a prize! Join or Renew today!

The raffle will be held June 22, 2016. Winners will be notified and results posted the same day. Prizes include and will be raffled off in this order:

One (1) Amazon gift card (value $50/USD)
One (1) AppSecEU 2016 conference ticket (value 600€)
One (1) AppSecUSA 2016 conference ticket (value $995)

*Honorary Membership is now available year round starting April 1, 2016!

To learn more about Honorary Membership and to see if you are eligible, please visit our Honorary Membership page here. Submissions will be reviewed and verified by OWASP.

OWASP in the NEWS!

How to Hack an App: 8 Best Practices for Pen Testing Mobile Apps - Tech Beacon 3/21/2016

OWASP Releases Software Assurance Maturity Model (SAMM) - PR Newswire 3/16/2016

Black Duck's Open Source 'Rookies of the Year' 2015 - ComputerWeekly 3/16/2016

mHealth App Security is a Myth, New Survey Finds - mHealth Intelligence 3/14/2016

Google offers app to help companies assess their vendors' security - Networks Asia 3/11/2016

OWASP Podcasts

OWASP Projects and activities are often the subject of webcasts and podcasts. Sit back and relax as you watch and listen to these recent episodes.

Active Deception as a Methodology for Cybersecurity w/ Lawrence Pingree from Gartner

DevOps, Security and Engineering at Slack with Slack's Senior Staff Security Engineers Leigh Honeywell And Ari Rubenstein

Security War Games with Sam Guckenheimer at Rugged DevOps RSAC 2016

Guns, Germs and Steel at RSAC 2016 with John Willis

Equal Respect: Women in Technology with Chenxi Wang


Google Summer of Code Needs Mentors

We are calling out for more mentors to get involved. We have 81 Proposals and need your participation.

Become a Mentor:

Do you want to become a mentor for a student?

Choose a participating OWASP project from the wiki page listed below, preferably the one you are most familiar with. Link:

Touch base with the project leader and ask one of the org admins (Claudia, Kostas or Fabio) to send you an invitation and get you started today.

Please let us know if you need help or supporting material.

Thank you in advance for your time; we look forward to your participation.

Konstantinos Papapanagiotou
Initiative Leader

Fabio Cerullo
Initiative Leader

Claudia Aviles-Casanovas
Project Coordinator

OWASP Security Knowledge Framework is Black Duck's Rookie of the Year

We are thrilled, excited and really happy to announce that the OWASP Security Knowledge Framework has won the Rookie of the Year award and an honorable mention from Black Duck!

We want to thank everybody who helped us achieve this award, especially the contributors and OWASP.

More information about the BlackDuck award can be found here:

This is a great milestone for OWASP and the SKF team!


PYCON 2016 is coming to the Rose City in Portland, Oregon on May 28th - June 5th!
OWASP Developer Survey ranked PyCon #2

Opportunities to attend on behalf of OWASP

Sign-up Today!

PyCon 2016 has offered us the option to participate and contribute to their Open Spaces and Sprints.

Open Spaces
Open spaces are a way for people to come together to talk about topics, ideas, or whatever they like. They offer groups the ability to self-gather, self-define, and self-organize in a way that often doesn't happen anywhere else at PyCon. Any subject that two or more attendees would like to talk about is a candidate for an Open Space.

How Do I Participate In An Open Space?
It's pretty easy: Just show up :)

During PyCon, there will be Open Spaces boards somewhere near the registration desk. The boards act as a timetable for all the Open Spaces, so you know where and when to go for the Open Spaces you're interested in. If a topic is not listed yet, find an open time slot and add it! Open Spaces topic cards are included in the goodie bag you receive at registration.

What Open Spaces Are There?
There are Open Spaces on many subjects a bunch of PyCon attendees would like to discuss. Since the PyCon attendees are a diverse bunch, so are the Open Spaces. In past years, we've had a mani/pedi party, a feminist hacking space, an AcroYoga space, and a board games room. There's also plenty of the usual suspects of technical subjects, from computer security to your favorite Python project to professional occupations like DevOps.

Where And When Are The Open Spaces?
The Open Spaces are in a set of dedicated rooms during all three of the conference days (Monday 5/30, Tuesday 5/31, Wednesday 6/1). The rooms may be needed for other events during portions of some days; please consult the Open Spaces boards for the final word on what's going on where.

How Do I Host An Open Space?
For PyCon 2016, we will be using the Open Space cards that were re-introduced a few years back. These are small postcard sized cards with a short explanation of what Open Spaces are. The back side of that card is for hosting Open Spaces. Just fill in the name and a short description of your Open Space, and then pin your card on the Open Space board in the room and time slot you want. It's also a great idea to add your Twitter handle to the card in case anyone interested in attending your Open Space has a question or would like to contact you about it. The cards will be made available in the goodie bag which you will receive at registration. Extra cards will be available at the Open Spaces boards. In order to promote your Open Space we encourage you to tweet about it and use the hashtag #PyConOpenSpaces to make sure people see your tweets.

Planned Open Spaces
If you have an idea for an Open Space, and a time when you want to meet, list it here on this page. It's also useful to add an approximate time slot if you have any preferences, so that attendees know where to look for your Open Space on the Open Spaces boards.

Development Sprints
Thursday, June 2nd 2016 - Sunday, June 5th 2016

Development sprints are a key part of PyCon, and a chance for the contributors to open-source projects to get together face-to-face for up to four days of intensive learning, development and camaraderie. Newbies sit with gurus, go out for lunch and dinner together, and have a great time while advancing their project.

What's New with the Sprints by Naomi Ceder
What are development sprints & why you should attend! by Kushal Das
What's so special about Sprints? by Naomi Ceder
What's A Sprint?

Come for PyCon, stay for the sprints!

PyCon Development Sprints are four days of intensive learning and development on an open source project of your choice, in a team environment. It's a time to come together with colleagues, old and new, to share what you've learned and apply it to an open source project.

In the crucible of a sprint room, teeming with both focus and humor, it's a time to test, fix bugs, add new features, and improve documentation. And it's a time to network, make friends, and build relationships that go beyond the conference.

PyCon provides the space and infrastructure (network, power, tables & chairs); you bring your skills, humanity, and brainpower (oh! and don't forget your computer).

If you are interested in attending on behalf of OWASP, please sign up on the PyCon 2016 Sign Up Sheet.

XML External Entities Resources Cleanup

A great deal of work has gone into cleaning up and updating the OWASP Wiki XXE (XML External Entities) resources. Here are the two main updated resources.

XXE Prevention Cheatsheet

XXE Vulnerability page

Thank you to Dave Wichers for leading the charge on XXE, as well as John Passki and Xiaoran Wang for their work in this area.

Project Releases: Code Review Guide 2.0 Alpha and Dependency Check v.1.3.5

Code Review Guide 2.0 Alpha Released

The alpha release of the Code Review Guide 2.0 is now available. Please see the project page for more details. A shout out also goes to the Long Island OWASP group for helping with a working session.

OWASP Dependency Check v.1.3.5 Released

The OWASP dependency-check team is pleased to announce the release of version 1.3.5! Thanks to all those who have used the tool and provided feedback via the discussion group and issues on GitHub. A special thanks goes out to those who have submitted pull requests! Please visit the documentation site for information on obtaining the new version (CLI, Maven Plugin, Ant Task, Gradle Plugin, Jenkins Plugin).



Registration, Call for Papers and Call for Training is Open for
AppSecUSA 2016 Conference in Washington, D.C.

Submit your application today!

The Open Web Application Security Project's 13th Annual AppSecUSA Conference will take place in Washington, D.C. from October 11-14. There are four exciting ways to participate!
  • Register as an attendee and learn about the latest breakthroughs in application security
  • Speak about a cutting edge topic in the industry. Submit a speaking application today
  • Teach about a web application security topic that is important to you. Submit a teacher training application
  • Lightning Talk. Not ready to speak for a full hour but would like to share your knowledge? Apply to be a Lightning Talk speaker and give a brief 15 minute talk

See you in Washington, D.C.!

OWASP is a non-profit organization with the mission of making application security visible so individuals can make informed risk decisions.

AppSecEU University Challenge

The University Challenge is a competition among teams of university students that will be held on June 28th and 29th 2016, during the training days of the conference. There is no admission fee for the University Challenge; participation in the conference is possible at the student rate if applicable. This year's UC is a two-stage challenge:

Day 1: Capture The Flag (CtF), solving hacking challenges.
Day 2: Offense/Defense (Blue/Red Team), defending your vulnerable web application whilst attacking the application of the other teams.

This year the OWASP University Challenge will be limited to 10 teams. Teams will consist of 4-8 students, with one team per university. All team openings are on a first come, first served basis. If multiple teams are received from the same university, the second team will be put on a wait list.

Please register your team via this link (Google web form):

Global AppSec Events

AppSec Europe 2016, 30 June - 1 July, 2016, Rome, Italy. Call for Lightning Trainings closes April 30. Call for Activities closes April 30.

AppSec USA 2016, 11 October - 14 October 2016, Washington, DC

Local and Regional Events

Latam Tour 2016, April 7, 2016 - April 22, 2016, Latin America

AppSec ASIA 2016, May 19, 2016 - May 22, 2016, Wuhan, China

AppSec PH 2016, August 26, 2016 - August 28, 2016, Philippines

Project Summits

OWASP SAMM Summit 2016, April 20-21, 2016, New York, USA

Partner and Promotional Events

Blackhat Asia 2016: March 31 - April 1, 2016, Marina Bay Sands Singapore, OWASP members receive a $200/USD discount on Briefings with discount code: OWBR0316

Cyber Security Summit Atlanta, April 6, 2016, The Ritz-Carlton, Buckhead, Atlanta, GA. The first 50 OWASP members will receive 50% off the summit ticket price by using discount code OWASPEXEC

The Cyber Security Summit, April 6 - April 7, 2016, Prague, Czech Republic. A limited number of 10 seats are available for OWASP members for only € 299. For further questions, please contact Ms. Tatiana Buranska +421-2-32202282

Connected Security Expo, April 6 - April 8, 2016, Sands Expo Las Vegas, NV

QuBit Conference, April 12 - April 14, 2016, Grandior Hotel Prague. OWASP members can save 10% by using their OWASP email address and discount code: OWASP*2016

Cyber Security Summit Dallas, May 3, 2016, Omni Dallas Hotel Dallas, TX, USA

13th Annual CISO Europe Summit & Roundtable 2016, May 10 - May 13, 2016, Copenhagen Marriott, Denmark. OWASP members save 20% by registering with your OWASP email address and discount code: OWASP2016

ONE2ONE SUMMIT, May 23 - May 25, 2016, Hotel Monteleone, New Orleans, LA

Hack in the Box: May 26-27, 2016, Amsterdam, The Netherlands

SC Congress Toronto: June 1, 2016 - June 2, 2016, Metro Convention Center Toronto, CN. Register today for an exclusive OWASP Member discount of $125. The Full Conference pass sells for $350. Use the discount code OWASPMEM

Techno Security & Forensics Investigations Conference / Mobile Forensics World: June 5 - June 8, 2016, Myrtle Beach, SC, OWASP Members save 30% by using your @owasp email address and discount code: OWASP16

Cyber Security Summit DC/Metro, Virginia, June 30, 2016, The Ritz-Carlton, Tysons Corner

ICCS 2016: July 25 - July 28, 2016, Fordham University at Lincoln Center, New York, NY

Black Hat USA 2016: July 30 - August 4, 2016, Las Vegas, NV

DevCon5, August 1 - August 4, 2016, New York, NY

BSides Las Vegas: August 2 - August 3, 2016, Las Vegas, NV

ICCS 2016, August 13 - August 14, 2016, Rajasthan, India

Cyber Security Summit Chicago, August 25, 2016, Hyatt Regency Chicago

ONE2ONE SUMMIT: September 14 - September 16, 2016, Boca Beach Club, Boca Raton, FL

Cyber Security Summit New York, September 21, 2016, Grand Hyatt New York

(ISC)2 Security Congress EMEA 2016: October 18-19, 2016, Croke Park Stadium Dublin, Ireland

Cyber Security Summit Los Angeles, October 27, 2016, Fairmount Miramar Hotel

Ads are not endorsements and reflect the messages of the advertiser only. They represent co-marketing arrangements with other organizations in support of the OWASP Community. Click here for more information on advertising.


New Chapters

Chapter Restarts

  • India (regional coordinators): Milan Singh Thakur ( and Nitin Pandey ( join as leaders, replacing Dhruv Soi and Nitin Saxena who have served in that role for many years. Thanks!


New Student Chapter

Academic Supporters

Learn more about our Student Chapters and Academic Supporter programs.

Notable Chapter Activity

OWASP Day 2016 in Tokyo

OWASP Nigeria hosts its first meeting in Lagos.

OWASP Kerala holds a series of meetings at four universities.

Share Your Stories!

We at the OWASP Global Foundation look forward to hearing about more such events in the future. Share your chapter's successes! Submit your stories to

OWASP Membership is a great way to contribute to our local chapters and projects. A portion of your membership can be allocated to the chapter and/or project of your choice. Please show your support for OWASP Projects and Chapters by becoming an Individual or Corporate member today!


Membership Drive

As part of our overall 2016 Membership recruitment and appreciation program, we will be introducing a new incentive on April 1, 2016. Stay tuned!

Renewed Corporate Members (Premier Level)

  • Qualys

Renewed Corporate Members (Contributor Level)

  • Denim Group
  • Intelligent Environment
  • Symantec
  • Twitter

Become a Corporate Supporter. Find out how by visiting our Corporate Supporters information page.

Upcoming Partnership & Co-Marketing Events:


Social Media

OWASP Social Media Site
