Wednesday, January 27, 2016

OWASP Connector Newsletter - January 27, 2016

January 27, 2016 | www.owasp.org | Contact Us | Brought to you by the OWASP Foundation
Communications

2016 OWASP Strategic Goals

OWASP in the News

OWASP Podcasts

projects

Project Review Team Members Announced

OWASP Proactive Controls Top
Ten V2 Release

OWASP Security Knowledge Framework Project Release

New Cornucopia Web Edition

ZAP: XCOLD Information Leaks

Transaction Authorization Cheat Sheet Update

ZSC Tools Volunteers Needed

Conference

Global AppSec Events

Local and Regional Events

Partner and Promotional Events

chapters

New OWASP Chapters

Chapter Restarts

Chapter Transitions

New Student Chapters

Chapter Activities

membership

Corporate Members: Why Not
You?

Social Media

OWASP Foundation Social Media


Communications

2016 OWASP Strategic Goals Announced

The 2016 OWASP Strategic Goals are available to review. Five goals will guide our programs in the coming year:
  1. Education & Training
  2. Expand Outreach, specifically to the Developer Community
  3. Mature the OWASP Projects Platform
  4. Community & Chapter Support
  5. Enhance the OWASP Infrastructure
Look for an update shortly on the OWASP Blog from the board for further details.

OWASP in the NEWS!

Security Innovation Making Splash OWASP AppSec California - BusinessWire 1/25/2016

OWASP's Revamped Developer Guide will Help You Pass Pen Tests (Interview with Andrew Van der Stock on OWASP Application Security Verification Standard 3.0)- The Register 1/12/2016

Security Brief - Protecting Against the OWASP Mobile Top 10 - App Developer Magazine 1/7/2016

OWASP AppSec EU made list of the Top 11 Security Conferences in the world! - Tripwire 1/5/2016

OWASP Podcasts

OWASP Projects and activities are often the subject of webcasts and podcasts. Sit back and relax as you watch and listen to these recent episodes.

What's in Store for the OWASP 24/7 Podcast Series in 2016

projects

Project Review a Team Members Announced

We are happy to announce that we have formed a team of volunteers for the Project Review Committee to relaunch the Project review team and incentives for projects.

  • Timo Goosen
  • Christo Goosen
  • Enrico Branca
  • Johanna Curiel
  • Tom Brennan ==> As part of the Board members and now leading Projects
We are redefining the goals of the Project Review Team (mostly known as the Project task force) but we want to create clear goals by redefining some of the original committee goals launched almost 2 years ago.

Main changes to this committee goals will be:

  • Handling the process for starting new projects and reviewing submitted proposals
  • Guide new leaders to take that idea into a feasible and realizable project
  • Create webinars/meetings with regional leaders to promote guidelines
  • Create a Handbook & Guidelines for starting a new project and maintaining the project guidelines
  • Implement a portal for project reviews & reporting through Github which Enrico has already worked on Automation and monitoring of new projects and existing projects
  • Implement a fixed QA review for project graduation with professional testers as we did back in 2014 major reviews
  • Look for sponsors and create specific budget for the committees activities
  • Create incentives for projects as explained on this proposal: https://docs.google.com/document/d/1PvNeEWgoO1w51VhHLwqqSgo0mBh-RvmSFUKMTz4QrYg/edit#heading=h.lw77ixr6kxi

If you want to be part of the team and would like to provide feedback. We are looking for:

  • Evaluators of new projects
  • Season Reviewers for quarterly major reviews
  • Help monitor the wiki pages and alerts
Keep in mind you can always provide feedback anytime through: https://groups.google.com/a/owasp.org/forum/#!forum/owasp-project-reviews


OWASP Proactive Controls Top Ten V2 Release

We just released the OWASP Proactive Controls Top Ten v2. (Download PDF). Big thanks Jim Bird and Katy Anton for their dedication in making this release a reality. This document is a "developer centric" answer to the OWASP Top Ten. It's meant to be an awareness document to inform developers about the basics of building secure software. As a process, we made the document "world editable" and fielded literally hundreds of community change requests (many from anonymous sources) from to hopefully represent consensus in our community. 

Thanks to everyone who helped make this happen. We hope it helps serve the cause in some way.


OWASP Security Knowlege Framework Project Release

A new release of the OWASP Security Knoledge Framework project is available! https://www.owasp.org/index.php/OWASP_Security_Knowledge_Framework
https://www.securityknowledgeframework.org


Cornucopia Web Edition Released

OWASP Cornucopia project co-leader Darío De Filippis conceived, created and published a wiki version of "OWASP Cornucopia - Ecommerce Website Edition", the web application security training and threat modeling card game. The wiki deck, comprising 91 new pages, complements the existing print versions and provides a single place to easily browse around the suits and cards, jump to the relevant cross-references, and most importantly includes an extra technical note for each card. The technical notes supplement the card text, providing additional information on each threat and attack. It also aids game play by providing some clarification between cards which at first might seem similar.


The project team welcomes any contributions to correct, extend, and improve the technical notes for each card. 

The wiki deck can be found at:
https://www.owasp.org/index.php/Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck


The main project page, including FAQs, how to play video, presentation, and how to obtain the decks of cards is at https://www.owasp.org/index.php/OWASP_Cornucopia

ZAP: XCOLD Information Leaks

Have you heard about X-ChrOmeLogger-Data (XCOLD) Information leaks? No?? Then you better read the latest ZAP Newsletter!
http://zaproxy.blogspot.co.uk/2016/01/zap-newsletter-2016-january.html


Transaction Authorization Cheat Sheet Update

An updated version of our Transaction Authorization Cheat Sheet available:
https://www.owasp.org/index.php/Transaction_Authorization_Cheat_Sheet


ZSC Tools Volunteers Needed

The ZSC Tool project needs volunteers. For details, visit https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project



Conference

Global AppSec Events

OWASP AppSecEU

The European OWASP Conference is going to be one of the best ever.
Do not miss this opportunity!
7 June - 1 July 2016


Thanks to the impressive number of paper submissions received, the qualified organisations and people that submitted them and the important sponsors, this will be one of the best OWASP conferences ever. Do not miss the opportunity to hear and share ideas and knowledge with a wide number of experts!

The next OWASP AppSecEU (http://2016.appsec.eu/) will take place at the Marriott Park Hotel in Rome, Italy.

The Open Web Application Security Project is an open-source project for application security. OWASP provides advice on the creation of secure Internet applications and testing guides.

It boasts a strong global community with more than 45,000 participants, more than 55 corporate members and 20 academic supporters through 249 active local chapters in 6 continents and 97 countries.

More than 800 people are expected at the event, with 3 days of training followed by the 2-day conference that includes:
  • Five parallel talks with focus on the OWASP core mission (Dev, Ops, Hack, CISO and Research);
  • Keynotes from industry leaders;
  • Exhibition spaces that offer innovative solutions for the needs of companies.
Do not miss the opportunity to participate as SPONSOR to this high level conference, mentioned in Tripwire as a TOP 11 SECURITY CONFERENCE IN 2016.

More details on registration, program and speakers will be sent in a forthcoming communication.

Please contact us with any questions or comments you may have at the following address:
appseceu2016@owasp.org


Other Global AppSec Events

AppSecUSA 2016 will be held on 11-14 October 2016 in Washington DC. Mark your calendars!

Regional and Local Events

AppSec Cali 2016, Jan. 25, 2016 - Jan. 27, 2016, Santa Monica, CA

New Zealand Day 2016, February 3, 2016 - February 4, 2016, Auckland, New Zealand

Snow FROC 2016, February 18, 2016, Denver, CO

Latam Tour 2016, April 7, 2016 - April 22, 2016, Latin America

CyberSecurity 2016, May 16, 2016 - May 20, 2016, New York, NY, USA

AppSec ASIA 2016, May 19, 2016 - May 22, 2016, Wuhan, China

Partner and Promotional Events

IoT Evolution Expo, January 25 - 28 , 2016 Ft. Lauderdale, FL - OWASP Members receive 25% off the list ticket cost by using discount code: OWASP

SC Congress London, February 10, 2016 ILEC Conference Centre London, UK

Blackhat Asia 2016, March 31 - April 1, 2016 Marina Bay Sands, Singapore. OWASP members receive a $200/USD discount on Briefings with discount code: OWBR0316

SC Congress Toronto, June 1, 2016 - June 2, 2016 Metro Convention Center Toronto, CN



Ads are not endorsements and reflect the messages of the advertiser only. They represent co-marketing arrangements
with other organizations in support of the OWASP Community. CLICK HERE for more information on advertising.

chapters

New Chapters

Chapters Restarts

Transitions

New Student Chapter

  • Amity University Rajasthan-Jaipur
    Contact: Harsh Bothra (hani22499@gmail.com), student leader
     
  • Information Technology Institute, Cairo, Egypt
    Faculty Advisor: Mrs. Lamia Mostafa, (lmostafa@mcit.gov.eg)
Learn more about our Student Chapters and Academic Supporter programs.

Notable Chapter Activity

Funding Updates

Some of our chapters and projects that ended the year with less than $500 will be seeing an increase in their funding allocations. It is our hope that these addition will help active chapters to jumpstart their activities for the new year without worry that they will not be able to afford to host a meeting. Chapters and projects with current activity and at least two leaders got an increase and we will soon announce a series of calls to discuss ideas for renewed activities.

One of the best ways for our projects and chapters to raise funds is to recruit new, paid memberships and local sponsors. Individual memberships are a low $50 per year (pro rated in some countries) and corporate memberships are available at $5,000, $20,000 and $50,000, a portion of which can be allocated to a chapter and/or project. Local sponsorships are available in smaller amounts and can be allocated directly to a project or chapter, making a valuable contribution to their activities. Interested local sponsors can make a contribution via the "Donate" button on your favorite chapter or project's wiki page.

Please show your support for OWASP Projects and Chapters by becoming an Individual or Corporate member today!

We at the OWASP Global Foundation are looking forward to hearing about more such events in future.

Share your chapter's successes! Submit Your Stories


Membership

New Contributing Corporate Members

Thanks to all of our Premier and Contributing Corporate Members for your support in 2015!

Social Media

OWASP Social Media Site

Labels: ,

Thursday, January 14, 2016

January 2016 - Community News Flash


January 2016 Community News Flash
In this Issue:
  • FEATURE: OWASP Global AppSec 2017 - Call for Proposals!
  • FUNDING: Updated Balances, Time to Plan for 2016
  • PROJECTS: What's Right, What's Wrong & What Needs to Change
  • CHAPTERS: New Chapters, Leader Transitions, Meeting Ideas for 2016
  • EVENTS: Upcoming Local and Regional Events
  • RESOURCES: List of Resources in this Issue
FEATURE: OWASP Global AppSec 2017 - Call for Proposals!

OWASP encourages any community member interested in hosting an OWASP Global Conference to submit a proposal.

The dates of each OWASP Global AppSec conference (or Tour) vary somewhat each year but ideally the conference is held:
  • Latin America (this may be a Latam Tour instead) - Q1
  • Europe - Q2
  • North America - Q3
  • Asia Pacific (this may be an Asia Tour instead) - Q4
To bid for a 2017 OWASP Global AppSec please complete the OCMS formhttp://www.tfaforms.com/301382 with the following information before February 29th, 2016.
  1. The proposed city and host chapter.
  2. The name of the intended local organizer and his/her team committed to the task for 2016 along with a brief explanation on why the conference committee wants to organize an OWASP Global AppSec.
  3. Previous conferences or local/regional events experience of the conference committee.
  4. The intended dates for the conference. (Typically includes 2 days of pre-conference training, followed by 2 days of conference talks).
  5. Venue recommendations. If possible, assurance that the following will be available:
    • Green room, storage room, breakout rooms, etc.
    • A large auditorium. Other lecture rooms near the main auditorium.
    • Projection facilities in all rooms up to modern standards.
    • A suitable mixing space near the rooms for registration, breaks and other activities.
    • A hall near the rooms for sponsor exhibitions.
    • If possible, attach a tentative floor plan design.
  6. Budget. Please use the Application Form on google docs (Since many of the categories of expenses are optional, consider this a check list. You can add as many items as you want and you do not need to fill in every box if you do not want it to be included in your event.)
  7. Possible "big name" speakers in AppSec who might be plenary speakers with low travel costs.
  8. Any other relevant information.
By submitting an application, you are already demonstrating your commitment to OWASP. Hosting a conference requires both a commitment and a great deal of responsibility. A lot of time, energy and effort are needed during the proposing, planning and implementing phases of hosting a conference. For more information see the How to Host a Conference page. https://www.owasp.org/index.php/How_to_Host_a_Conference We really appreciate every proposal we receive. The selection process that will be made by the OWASP operations team.

Application submission begins January 1st. The deadline for applications isFebruary 29th. Applicants will be notified by March 18th.

Should you have any questions concerning the proposal process or need assistance with you application, please do not hesitate to contact me.

We are looking forward to your proposals!

Laura Grau
Global Conference Manager
OWASP Foundation
laura.grau@owasp.org


FUNDING: Updated BalancesPer recent changes to our funding procedures some of our chapters and projects that ended the year with less than $500 will be seeing an increase in their funding allocations. Only those with current activity and at least two leaders will see the increase. Please watch for a notice of your new funding balance. If you do not see an increase, be sure that your wiki page reflects your current activity and has contact information for at least two leaders. If you need assistance, let Community Manager, Noreen Whysel know at noreen.whysel@owasp.org.

Keep in mind also that one of the best ways to raise funds is to recruit new, paid memberships and local sponsors. Individual memberships are a low $50 per year (pro rated in some countries) and corporate memberships are available at $5,000, $20,000 and $50,000, a portion of which can be allocated to a chapter and/or project. Local sponsorships can also be allocated directly to your project or chapter. Direct prospective sponsors to the "Donate" button on your chapter or project's wiki page.

See the results of several board proposals affecting funding for 2016:https://www.owasp.org/index.php/OWASP_Board_Votes#Voting_Records

You may check your account balance and funding history here:
Chapters:
Projects

PROJECTS: What's Right, What's Wrong & What Needs to Change

OWASP Projects are the CORE of the Foundation. As we kick off 2016 join together with your peers to discuss PROJECTS: What's Right, What's Wrong & What Needs to Change.

When: Wed, Jan 27, 2016 3:00 PM - 4:00 PM EST
Where: ONLINE
RSVP: https://attendee.gotowebinar.com/register/7141369075633328641

Volunteer Agenda
  • Source Legal Considerations for OWASP Project Leaders
  • Current Workflow (End-To-End / Lab - Flagship)
  • Identified Areas of Improvement
  • Establishing Regional Representation
    • Asia-Pacific Security Council (APSC)
    • North America Security Council (NASC)
    • Europe Middle East and Africa Security Council (ESC)
    • Latin America Security Council (LASC)
  • Sprints, Sabbaticals & Summits
You can be part of the problem or the solution... that choice is yours - forward as appropriate.


Moderator: Tom Brennan, Volunteer

Call for Comments: OWASP Projects Handbook

What makes a good project great? We know you want to make great projects. The OWASP Projects Handbook can help. And now that we have come together as a community to discuss making great projects, it's time to give us your feedback.

A Call for Comments on the OWASP Projects Handbook update is now open. We invite project participants to visit the OWASP Projects Handbook draft on Google Docs and enter comments. You can also download a PDF version from the OWASP Projects wiki page and forward comments to Claudia Aviles-Casanovas at claudia.aviles-casanovas@owasp.org.

Project Updates

OWASP Security Knowledge Framework: A new release of the OWASP-SKF project is now available!


This new release contains a lot of new features such as:
  • User management and project assignment
  • The implementation of the new ASVS 3.0 version
  • New knowledge base items

ASVS: The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls. Jim Manico will host a call on March 22 to discuss new features in ASVS. Save the date to your calendar and sign up be reminded as we get closer:


For more information about the ASVS project, read this latest interview with Andrew van der Stock from The Register:http://www.theregister.co.uk/2016/01/12/owasps_revamped_developer_guide_will_help_you_pass_pen_tests/

ASVS v3.0.1 has been committed into GitHub and uploaded to our translation platform on Crowd In. The call for translations for the ASVS project remains open.


You can reach Andrew van der Stock about volunteering at vanderaj@owasp.org.

OWASP 24/7 PodCasts

Created by Mark Miller, OWASP 24/7 Podcasts offer a great forum for getting an update on projects. Listen to interviews with project leaders at https://soundcloud.com/owasp-podcast.


CHAPTERS: New Chapters, Leader Transitions, Meeting Ideas for 2016
New Chapters
Restarted Chapters
Leader Transitions
  • Charlottesville/Southwest Virginia: Jeffrey Collyer and Phil Offield expanding the Charlottesville chapter to include Lynchburg and area colleges. The new chapter will be renamed Southwest Virginiahttps://www.owasp.org/index.php/Southwest_Virginia
     
  • London: Sam Stepanyan and Sherif Mansour Farag, new leaders. Huge thanks to Justin Clarke, Tobias Gondrom, and Dennis Groves who are stepping down as London leaders. https://www.owasp.org/index.php/London
     
There are many leader openings for chapters that have gone inactive, particularly in the Middle East and Africa. Go to the Volunteer page for a listing of open positions:http://owasp.force.com/volunteers/GW_Volunteers__VolunteersJobListing

New Student Chapters
  • Information Technology Institute, Cairo, Egypt
    Faculty Advisor: Mrs. Lamia Mostafa (lmostafa@mcit.gov.eg)
     
  • National School of Business Management, Sri Lanka
    Leader: Ruwan Ranganath (ruwanranganathz@gmail.com)
Learn more about our Student Chapters and Academic Supporter programs.


Notable Chapter Activity

OWASP Delhi submitted a comprehensive year end report for chapter activities since its restart in January 2014 complete with photographs and a summary of expenses. Also a Video from the March 2015 meeting was sent by the CISO of Sapient who served as host for that meeting. Chapter Leader Sandeep Singh would like to offer this reporting structure as a model for other chapters to adopt in planning the year's activities. You can View the Report in Google Docs.


While you are planning for 2016, here is a great idea that Tom Brennan passed along. This year, Tom will be serving as the Chairman of the NYMJCSC: New York Metro Joint Computer Security Conference, an annual event that is in its third year in NYC. Last year's event included the following organizations:
  • InfraGard (New York Metro)
  • ISACA (New York Metro, New Jersey and Greater Hartford Connecticut)
  • (ISC)2 (New Jersey)
  • ISSA (New York)
  • OWASP (New York Metro, Long Island, Brooklyn)
  • HTCIA (North East Region)
  • ACFE (New Jersey)
The New York City chapter advertises this event as a multi-track meeting for October. Wouldn't it be great for all OWASP Chapters to collaborate with other industry peer groups in October (which is Cyber Security Awareness Month in the US)?

The NYMJCSC 2016 website is in the planning stage, but you can visit the NYMJCSC 2015 event website at: http://www.nymjcsc.org/ for details. If you are in the New York City area this Fall, the Save the Date is October 5th.

Restarting an Inactive Chapter

If you are interested in starting or helping to restart a chapter that has gone inactive, please review the listings at the Volunteer Opportunities page of the wiki. If you are a current chapter leader and are having difficulty finding space, volunteers or funding to host a meeting, let me know. I can direct you to resources and funding to help you.

Also keep in mind you can view your Chapter's budget and available funds at the Donation Scoreboard:



EVENTS: Upcoming AppSec Events

Global AppSec Events

The Call for Papers for AppSec Europe 2016 ends on the 15th of January. That's TOMORROW! Be sure to send in your abstracts today: http://2016.appsec.eu/important-dates/call-for-papers/

Did you know that OWASP's AppSec Europe event made TripWire's Top 11 Security Conferences? Read more at OWASP AppSec EU made TripWire's list of the Top 11 Security Conferences in the world? We are very proud of our AppSec Europe team.
  • AppSec Europe 2016, 30 June - 1 July, 2016, Rome, Italy
  • AppSec USA 2016, 11 October - 14 October 2016, Washington
Regional and Local Events

The Call for Papers for AppSec Asia 2016 is open through 15th of February. Be sure to send in your abstracts: https://www.owasp.org/index.php/AppSec_ASIA_2016
Partner and Promotional Events
  • BSides Lagos: January 22, 2016, Nigeria
  • SC Congress London: February 10, 2016, ILEC Conference Centre London, UK
    Register today for an exclusive OWASP Member discount of $125. Full Conference pass sells for $350 Use the discount code - OWASPMEM
  • Blackhat Asia 2016: March 31 - April 1, 2016, Marina Bay Sands Singapore
    OWASP members receive a $200/USD discount on Briefings with discount code: OWBR0316
  • SC Congress Toronto: June 1, 2016 - June 2, 2016, Metro Convention Center Toronto, CN
    Register today for an exclusive OWASP Member discount of $125. Full Conference pass sells for $350 Use the discount code - OWASPMEM
Watch the AppSec Conference page for updated event listings. Be sure to enter your upcoming event into the OWASP Conference Management System so we can promote it and provide assistance.


RESOURCES







CONTACT ME
Feel free to contact me at any time if you have a question or suggestion. To create a trackable case, please use the contact us form at http://www.tfaforms.com/308703.

Noreen Whysel
Community Manager
OWASP Foundation

Community Manager Open Hours on Slack:
Join the #AsktheCM channel Tuesdays from 10am-Noon EDT.
https://owasp.slack.com/messages/askthecm/

Labels: ,

Tuesday, January 5, 2016

OWASP Projects - Global Improvements & Benchmark Specifics


January 5, 2016

Hello OWASP Community:

This is an update to the Community about the Board’s evaluation of concerns and complaints from the OWASP Community about both vendor neutrality and marketing activities around the OWASP Benchmark project.

In October, several Board members met face to face with the Benchmark project leaders and representatives from the vendor involved and expressed our deep concern about the marketing activities and neutrality of the project.  The discussions were frank and open on both sides and demonstrated the willingness of both parties to collaborate on a solution.

In November, the OWASP Board dedicated a two hour meeting to the issues identified by the Benchmark project and worked to make a plan of action including:
  • Updating the OWASP Project review processes to clarify specific criteria for graduation from Incubator to Lab status to ensure all projects are vendor independent and have multiple community supporters, including the OWASP Benchmark project.  
  • Overhauling the OWASP Branding Guidelines to bring them in line with industry standards and protect the Foundation’s image with clarifying language on how the OWASP brand can and cannot be used.

At the December 9 OWASP Board meeting, the Board took the following actions.  Our intent is to protect the integrity of the OWASP Project outputs, while also encouraging and stimulating innovation via OWASP Project research, development and discovery.
  • Globally, update the Project review and graduation criteria to apply to all Projects with requirements for multiple community supporters and vendor independence.
  • Specifically, the Board believes the Benchmark Project is a beneficial tool worthy of further development and updates.  Therefore, it will be moved back to Incubator status until requirements for multiple community supporters and vendor independence are met.

These actions represent consensus agreement among board members.  As a general statement, the OWASP Board is not comfortable with the way that the OWASP Benchmark, which is an early stage and technically limited project, was originally used to promote a vendor tool.

In summary, we continue to take the quality of OWASP Projects as a serious issue.  The OWASP Community has a major role in that effort by participating on the Project review team and providing feedback during Project review & graduation evaluations.  While this project had a specific issue to resolve, it did highlight the need for further updates and improvements in the OWASP policies surrounding all Projects.  We appreciate the engagement of the community and welcome further input.

Sincerely,  Paul Ritchie, OWASP Executive Director