2016 in Review; Looking Ahead
2016 has been a period of radical change for OWASP. Some of it was sudden and devastating; other changes were the culmination of months of small improvements. The OWASP Foundation invites you to help us harness the energy from these changes to drive a period of radical growth in 2017.
The year in Review:
On behalf of the entire Operations team, we look forward to making 2017 an exciting and productive year for OWASP.
OWASP Community Manager
OWASP Operations Update
Starting in December 2016 and continuing throughout 2017, the staff are going to post monthly updates on the OWASP Blog so the community can keep up with what the OWASP Foundation is doing to make OWASP just that much better. We’re also open to starting brief weekly updates if the community wants to follow our direction more closely.
Read the December 2016 Operations Update here.
OWASP in the NEWS!
What The Galactic Empire Could Learn from OWASP – Stormpath, December 17, 2016
Privacy Commissioner, infosec boffins, call for reform of anti-hack Bill – The Register, December 18, 2016
Protecting Yourself From Online Scammers – Fox2Now, November 30, 2016
Application Security Conference: AppSec USA – Resolute Technology Solutions, December 16, 2016
Security! experts! slam! Yahoo! management! for! using! old! Crypto! – The Register, December 15, 2016
IT security skills dearth lifts SA's risk profile – IT Web Access Control, December 12, 2016
Security Awareness Program 2017: How Hospital Leaders Can Handle Cybersecurity Threats in the Coming Year – Insights, December 10, 2016
The OWASP Project Inventory has 93 Projects (Code, Tools, or Documentation) produced by the efforts of volunteers. Projects are divided into three categories: Incubator, Lab and Flagship status. We currently have about 39 Projects in Flagship or Lab status, and the balance are in Incubator status. The main purpose of project reviews is to provide an evaluation against defined criteria, which gives both an incentive and a measurement of a project's maturity as it grows from Incubator to Flagship.
Project reviews may be requested by the Project Leaders or flagged during each project's annual health check. The evaluation is based on defined criteria which attempt to gauge the project's quality, health (activeness), and stage within our incubator to lab to flagship continuum.
The review consists of an initial self-assessment done by the project leader, which is peer reviewed by volunteers from OWASP. Next, OWASP staff look over all the feedback on the project and ensure it meets the requirements for graduation. Once a project is ready for graduation, all the review feedback is presented to the community for any final comments or +1’s. You can view the four most recent reviews and share your thoughts here.
New Projects in 2016!
ESAPI's New Project Leader
OWASP Enterprise Security API Welcomes New Leader Matt Seil — By Kevin Wall
It is with mixed emotions that I am making this announcement, that Chris Schmidt is stepping down as long-time ESAPI co-leader and that Matt Seil will be taking over that position and attempting to fill Chris' shoes. On one hand, I'm saddened because Chris was such a great leader and contributor for ESAPI.
On the other hand, I am eagerly looking forward to working with Matt Seil as the new ESAPI co-lead. Matt was a major contributor to bug fixes for the ESAPI release last February. He and I worked well together and I think he is highly respected in the OWASP community by those who know him.
Shortly after this New Year, Matt and I hope to get together and discuss future plans for ESAPI, both short-term and long-term goals. Once we have the initial groundwork for that recorded in electrons somewhere, we will share them with the broader ESAPI community to get feedback and then revise them as needed. (In the meantime, if you have some suggestions that you would like us to potentially consider, please email them to Matt Seil and me.)
In the meantime, I hope that along with me, you will extend your thanks and appreciation to Chris for his labor of love on ESAPI and extend your welcome to Matt as the new ESAPI project co-lead.
Thank you and Happy Holidays!
The calls for presentations and training are now open for AppSecEU 2017, which will take place in Belfast from May 8th to 12th, 2017. OWASP's Global AppSec events serve a diverse audience of security professionals at all stages of their careers. We seek interesting perspectives and training to drive visibility and evolution in the safety and security of the world’s software. We have opportunities for multi-day trainings, talks, lightning trainings, lightning talks, arsenal and activities.
Our topics of interest for talks include, but are not limited to the following:
OWASP Trainings should be practical in nature; hands-on classes will receive stronger consideration. Topics of interest include, but are not limited to:
While we understand that your submission might be a work in progress, we strongly encourage that all submissions be as thorough as possible to allow us to make the best decision. The program committee will review your submission based on a descriptive abstract of your intended presentation. Feel free to attach a preliminary version of your presentation if available, or any other supporting materials. Please review your proposal thoroughly, as accepted abstracts and bios will be published on our site exactly as submitted. If your presentation is accepted for inclusion in the conference program, you are free to submit a white paper describing your work, to be added to the website.
To ensure the best talks available are presented at AppSec Europe, we are incorporating blind reading as part of our process. This means that names and job titles will be removed while the abstract is being reviewed. Submissions for training will not be read blind. All speakers will be given access to speaker mentorship; we especially encourage first-time speakers to take advantage of this service.
Marketing and sales pitches will not be accepted in the talks or trainings.
Global AppSec Events
AppSec Europe 2017 May 8 - 12, 2017, Belfast, UK
AppSec USA 2017 September 19 - 22, 2017, Orlando, Florida, USA
Regional and Local Events
AppSec Cali 2017 January 23 - 25, 2017, Santa Monica, CA, USA
AppSec Africa 2017 February 1 - 2, 2017, Casablanca, Morocco
SnowFROC 2017 March 16, 2017, Denver, CO, USA
Latam Tour 2017 April 3 - 28, 2017, South America
OWASP Middle East Cyber Security Conference 2017 May 3 - 4, 2017, Dubai, UAE
Boston Training January 25 - 27, 2017, Waltham, MA, USA
Partner and Promotional Events
IoT Tech Expo Global 2017 January 23-24, 2017 Olympia, London OWASP members save 20% by using discount code: OWASP20
Cyber Resilience & InfoSec 2017 February 6-7, 2017 Abu Dhabi, U.A.E.
SC Congress London February 23, 2017 London, UK
CyberCentral April 4-6, 2017 Prague, Czech Republic
QuBit Conference 2017 April 4-6, 2017 Prague, Czech Republic OWASP members save 10% by using discount code: QB17OWASP
Cyber Security North Africa Summit April 26-27, 2017 Cairo, Egypt
SC Congress New York May 2, 2017 New York, NY
Techno Security & Digital Forensics Conference June 4-7, 2017 Myrtle Beach, SC
SC Congress Toronto June 13-14, 2017 Toronto, Canada
Ads are not endorsements and reflect the messages of the advertiser only. They represent co-marketing arrangements with other organizations in support of the OWASP Community. More information on advertising is available on the OWASP site.
Chapter Handbook Review
The Chapter Handbook undergoes periodic review. This is your opportunity to be heard at OWASP. Each chapter is listed in its own document; please comment to tell us where you think the handbook needs clarification, further guidance, or updates. Please confine your activity to the comments and do not directly edit the pages. Comments will remain open for one month.
Chapter One - Handbook Overview
Chapter Two - Mandatory Chapter Rules
Chapter Three - How to Start a Chapter
Chapter Four - Chapter Administration
Chapter Five - Governance
Chapter Six - Chapter Activity
Chapter Seven - Organizing Chapter Meetings
OWASP is Testing Meetup Pro
OWASP has been listening to you, and we are proud to announce that we began testing the new MeetUp Pro service this month.
MeetUp Pro will provide an umbrella under which the chapter groups are gathered. This means that all of our chapters would be uniformly branded and advertised on our master homepage. From the chapters’ point of view, the meetup would function the same as before; the only changes are that the leaders are listed as “local leaders” and only the official OWASP account has the ability to create and remove chapters.
There are a lot of benefits for chapters in going Pro. Not only will your meetups be more searchable, but the cost of the service, currently borne by your chapter budgets, will be absorbed by the Foundation budget. A significant “silent” benefit is that the API should allow us to mirror the information on the MeetUp page to the chapter wikis, thereby eliminating a large amount of work that we currently ask our leaders to do but do not enforce.
After MeetUp Pro is out of beta, all chapters will once again be required to keep their wiki pages up to date. Our goal is to remove the onerous time sink of doing this by hand.
If you would like to see what the new Pro pages look like check out this page, where the first 7 chapters have joined.
Request for Blog Content
OWASP would like to start spotlighting chapter activity on our blog. If your chapter hosted and recorded an amazing talk that just NEEDS to be shared, or perhaps you ran a great event and would like to help other chapters follow suit, think about writing a blog post to be shared on the OWASP Blog. Contact our community manager, Tiffany Long, for more details.
We would like to thank the following companies for supporting the OWASP Foundation. The companies listed below have contributed this month by either renewing their existing Corporate Membership or joining OWASP as a new Corporate Member. Details about Corporate Membership can be found here.
Premier Corporate Member
Signal Sciences is the industry’s first Web Protection Platform using both Next Generation WAF as well as RASP technologies. Signal Sciences WPP was built in response to our own frustrations of trying to use legacy WAFs while enabling business initiatives like DevOps, cloud adoption and CI/CD. The Signal Sciences NGWAF works seamlessly across cloud, physical, and containerized infrastructure, providing security without breaking production traffic. To learn more, please visit http://www.signalsciences.com
Contributor Corporate Member
Parasoft helps organizations perfect today’s highly connected applications by automating time-consuming testing and analysis tasks while providing management the analytics necessary to focus on what matters – eliminating the deployment of security vulnerabilities that could lead to system failure, data loss, and loss of life. Parasoft’s software security solution analyzes code, generates and executes tests, and processes the data collected throughout the SDLC to ensure compliance with security policy across all layers of the software stack. In addition, Parasoft can analyze and automatically prioritize defects that lead to security vulnerabilities and kick-off security verification and remediation tasks across the team. Learn more at www.parasoft.com/appsec
OWASP Social Media