Monday, July 31, 2017

July 2017 Connector

OWASP Connector



Operations Update

The June Operations Update includes vital information about OWASP's infrastructure initiatives, project activity, and Chapters. Read it for an overview of what is happening in OWASP.

Congratulations to our 2017 WASPY Award Winners!

The Web Application Security People of the Year awards are our community’s way of honoring the amazing volunteers who fly under the radar, but whose work makes OWASP the organization we know and love. This year we changed things up. Due to community feedback that the WASPYs were nearly useless and functioned largely as popularity contests, we chose to invite the community to nominate the volunteers who make their OWASP experience amazing. Then, rather than relying on public voting, which rewards large chapters, the staff and board members voted based on your nominating statements.

We also chose to get back to our roots and focus on three categories which best represent the ways that our members interact with us and each other.

The 2017 WASPY Award winners are:

Best Community Supporter - The WASPY for COMMUNITY honors members who create dynamic INTERACTION and LEARNING opportunities for the OWASP Community. Nominees to the Community WASPY Award create collaborative and inclusive environments and grow the OWASP Community.

A three-way tie between:

Dinis Cruz, Jeremy Long, Nicole Becher

Best Mission Outreach - The WASPY for Mission Outreach honors community members who help the community GROW. Growth can happen inside the larger OWASP community or outside it in the broader AppSec and development communities.

Mark Miller

Best Innovator - The WASPY for Innovation is given to a community member who has contributed to the TECHNICAL advancement of OWASP in the past year. This advancement is usually through an OWASP Project and can be in the form of code, an application, or anything that materially makes the AppSec community better in a unique way.

Sebastien Deleersnyder

A huge thanks to our community for calling out these amazing volunteers! Please take the time to read the citations for all of our nominees.

2017 Global Board of Directors Election

The Call for Candidates for the Global Board of Directors closes TODAY! The OWASP Global Board of Directors is an all-volunteer board dedicated to the organizational mission which directs the strategic direction of OWASP. This year there are 4 open positions for the board.

Due to a vote on February 8th, 2017, which mandated that no board member may serve more than 2 2-year terms in a 10-year period, there will be no incumbent board member up for election. To learn more about the Election and to submit your candidacy, please visit:

The submission period for questions to the candidates also closes today. You can submit your questions here:

Changes in OWASP Accounting and Staff

As many of you know, the OWASP staff was reduced by 20% when Alison McNamee and Kate Hartmann moved on from OWASP. Both of these women have been with OWASP since nearly the beginning and will be dearly missed.

When it comes to our accounting, currently we have purchased accounting services from Virtual. We are also taking the opportunity to revamp our processes, which were developed to serve our community when it was much smaller. In the coming weeks you can look forward to an easier and more transparent system, including the ability to track your reimbursement requests independently.

The first visible change, however, is that reimbursements will be sent out twice a month: on or before the 15th of the month and on or before the last day of the month. Reimbursements must be approved at least 24 hrs before they are scheduled to be processed to be expected in either batch. Please keep this in mind when approving reimbursements.

We appreciate your patience as we move through these transitions.


The OWASP Staff

OWASP Volunteer Platform

We are ready to begin the design stage for building the OWASP Volunteer Platform and we need your help! The first step of the design phase is a set of surveys. OWASP Leaders will receive a survey via email to explore your needs as volunteer managers. The survey will be active until September 22, 2017. The wider OWASP community will be encouraged to follow a link to the Volunteer Portal Survey for Community Members, which explores the needs of prospective volunteers in a volunteer management platform. You do not need to be a paid member of OWASP to take the survey. If you are both a Leader who manages volunteers and a volunteer elsewhere in OWASP, you are encouraged to take both surveys.

Your input is invaluable and we thank you for your time.

(estimated time to take: 4 min.)

OWASP in the News


Ads are not endorsements and reflect the messages of the advertiser only. They represent co-marketing arrangements with other organizations in support of the OWASP Community. CLICK HERE for more information on Advertising.


OWASP Code Sprint '17

OWASP Foundation is pleased to announce the student selections for the OWASP Code Sprint 2017. There were 32 student proposals submitted and it was a very challenging decision to only select 14 Student Slots. You can see which students and projects won placement on the OWASP Blog.

More Mentors Welcome:

Do you want to become a mentor for a student?

Choose a participating OWASP project from the OWASP Code Sprint 2017.

Project Summit AppSec USA

The 2017 AppSec USA Project Summit is now accepting participants and suggestions for our Hot Topics. Project Summits at Global events include working sessions that allow project leaders and contributors to work together face to face in an intense and productive environment to move their projects forward. This is a great opportunity for local contributors or those attending the conference to become more deeply involved in OWASP Projects. Qualifying Project Leaders can receive grants to cover their attendance at the event.

Requirements for Participation:

  • Active OWASP Project started in the last 9 months.
  • Agenda and Deliverables for your project at the summit are required.
  • Deadline on September 5th!

Funding Opportunities (through the Reimbursement Process):

  • $750.00 for Air Travel Assistance per OWASP Project
  • Two nights of accommodations for the days of the Project Summit USA
  • OWASP Project Leaders (three leader max) receive a complimentary pass for AppSec USA 2017.

Please use the contact us form for any questions or concerns.

Contacts at OWASP Foundation: Matt Tesauro and Claudia Aviles Casanovas


Hands-on training at AppSecUSA!

It’s one thing to hear from leading technology professionals and pioneers at an information and applications securities conference … but nothing beats hands-on, immersive learning and training opportunities led by those same thought leaders and change makers. Imagine stepping away from your desk for two full days to explore application security automation alongside CTO of We45, Abhay Bhargav, or identifying security risks by hacking into IoT devices during an afternoon with Aditya Gupta, Founder and CEO of Attify. What if you could collaborate with global industry experts on open-source defensive security techniques and practice mitigating mobile app attacks in a real-life test environment?

During the first two days of OWASP’s 14th annual AppSecUSA conference in Orlando, Florida from September 19 – 22, 2017, you can. Guests will have the opportunity to participate in two full-day, self-guided training sessions with other attendees and speakers such as Sebastien Deleersnyder, Managing Partner and co-founder of Belgian securities company Toreon, and many more. These pre-conference training days will set the tone for OWASP’s signature AppSecUSA event, which showcases cutting edge lectures and keynote sessions featuring securities experts from around the world in a friendly, interactive environment.

Explore the full training and lecture schedule, or preview the conference’s announced speakers list. The conference is just a month and a half away, with registration tickets going fast and hotel accommodations filling up even faster. Don’t miss OWASP’s exclusive opportunity to learn from and rub elbows with the most senior security developers and experts out there. No matter what industry you’re in, or where you live, this exciting, international conference is the place to be as a security and information leader.

AppSec USA Speakers are announced!

A Senior Application Security Engineer for Verizon, the Director of Software Engineering for Capital One, and a Senior Cloud Security Engineer at Netflix walk into a bar …

No, this isn’t the start of a bad information securities joke. It’s a preview of the speakers you can expect to hear from at OWASP’s AppSecUSA Conference in Orlando, Florida from September 19 – 22, 2017. In addition to individual breakout sessions featuring application security and information technology leaders from companies such as Citrix Systems, Slack, PayPal, and USAA, you’ll also have direct access to daily keynote addresses showcasing the latest security ideas and technology advances.

AppSecUSA’s opening keynote kicks off with a not-to-be-missed session from educator and author Jim Manico and Cigital CTO John Steven. Jim will weave topics from his upcoming book about Java web security with John’s expertise on threat modeling and architecture risk analysis to frame up today’s landscape in secure development and where the industry is going.

On day two, Runa Sandvik, Director of Information Security at The New York Times, delves deeper into how application and information security impacts a variety of industries, including journalism and the general population’s understanding of the news. And if that wasn’t enough, Jen Ellis, VP of Community and Public Affairs for Rapid7, will wrap up the conference with her perspectives on how technology specialists and government agencies can work better together for a more secure information infrastructure in our world today.

AppSecUSA’s speakers tackle hot topics from government security to threat management, and from DevOps security to cookie security and supply chain management across a wide array of industries. For a full list of announced speakers, follow the AppSec USA Schedule and register for AppSecUSA today. This is one lineup you don’t want to miss!

Dragons, Pixis, & iOS!

Are you a developer interested in learning how your code can be better? The OWASP Developer Summit is your FREE two-day training opportunity! Qualified trainers will walk you through threat modeling with the OWASP Threat Dragon, attacking products through APIs, and everything you need to know to keep your iOS Apps safe.

Using OWASP Threat Dragon for Threat Modeling

OWASP Threat Dragon is a new OWASP project that introduces a threat modeling tool that is portable (able to be used on the web in various platforms), integrates well with the build process, and is a great tool to introduce to developers and teams. This hands-on developer session will focus on introducing the Threat Dragon tool, the best ways to use the tool in a day-to-day developer environment, and making it part of the CI implementation (including integration with Jenkins, etc.).

Hacking APIs and Web Services with OWASP DevSlop & PIXI!

Modern applications often use APIs and other micro services to deliver faster and better products and services. However, there are currently few training grounds for security testing in such areas. In comes DevSlop, OWASP's newest project, a collection of DevOps security disasters made as a vulnerable testing and proving ground for developers and security testers alike. DevSlop's Pixi, the first of many entries to come for this OWASP project, will be demonstrated and presented for participants' hacking and learning pleasure. Pixi consists of vulnerable web services, and participants will be walked through how to exploit several of its vulnerabilities so they can learn how to do better when they create their own web services and other types of APIs from now on.

Extreme iOS App Exploitation, Defense and ARM Exploitation

Detailed training contents: iOS has become one of the most popular mobile operating systems, with more than 1.4 million apps available in the iOS App Store. Security weaknesses in any of these applications or in the system could mean that an attacker can get access to the device and retrieve sensitive information. This training will show you how to conduct a wide range of penetration tests on iOS applications to uncover vulnerabilities and strengthen the system against attacks. Extreme iOS App Exploitation, Defense and ARM Exploitation is a 14 hrs session which will help you conduct end-to-end pentesting of iOS applications and will also help you understand the security measures which need to be taken. This training will also have a CTF challenge where attendees will use the skills learnt in the session. To attend this hands-on session, all you have to do is bring your MacBook with Xcode installed on it.

Register to get your spot today!

OWASP World Tour

OWASP will be hosting three FREE Developer training events this year! These training events will feature paid professional trainers teaching ~500 people in three countries around the world. Keep an eye on the OWASP Blog, Facebook, and Twitter accounts for the CfT which will be opening soon.

Tokyo: September 30, 2017; Tokyo Institute of Technology

Boston: October 9, 2017; Boston University

Tel Aviv: October 17, 2017; The College of Management

Upcoming Events

Regional and Local Events

  • AppSec AU — September 7–9, 2017; Melbourne, Australia
  • OWASP Indonesia Day — September 9, 2017; Yogyakarta, Central Java, Indonesia
  • New York Metro Joint Cyber Security Conference — October 5, 2017; New York, NY
  • Cheat Sheet Workshop with Jim Manico — September 10–12, 2017; Frankfurt, Germany
  • OWASP Bucharest AppSec Conference 2017 — October 6, 2017; Bucharest, Romania
  • AppSec Israel 2017 — October 17–18, 2017; Tel Aviv, Israel
  • LASCON 2017 — October 26–27, 2017; Austin, TX, USA
  • OWASP AppSec Africa 2018 — May 10–12, 2018; Morocco

Training Events

  • OWASP World Tour (Details Coming Soon!) — October 9, 2017; Boston University, Boston, MA, USA

Developer Summits

Partner and Promotional Events


OWASP Go Live?

We are looking for a chapter interested in live streaming its meetings to join OWASP London in testing this feature with us. If you are interested in trying this out with us, please submit your interest via the Contact Us form (choose Chapters from the drop-down menu). Please include the frequency of your meeting, whether your chapter has equipment, and what your preferred platform is.



June 2017 Corporate Members

July 2017 Corporate Member
We would like to thank Peach for supporting the OWASP Foundation.  
Peach has contributed this month by joining OWASP as a new Corporate Member.  
Details about Corporate Membership can be found here.
Contributor Corporate Member
Peach Tech provides advanced security testing solutions and leading-edge products, such as the innovative + automated Peach APISecurity: Peach API Security intelligently executes a series of fuzz tests and passive security tests on your web APIs. Comprehensive test results empower your team to mitigate security vulnerabilities. Each uncovered vulnerability includes actionable data. Peach APISecurity supports many CI systems and test suites, and transforms unit tests into security tests. We also developed the robust fuzzing platform Peach Fuzzer. We customize testing strategies for security-minded clients engaged in all stages of development. Leverage the power of Peach Tech to secure your world.
For more information, please visit:
Want your company name here? 
Find out how by visiting our Corporate Member information page, or contact Kelly Santalucia, our Membership & Business Liaison today!  
Thank you to all of our Premier and Contributor Corporate Members for your support!

The OWASP Foundation, 1200C Agora Drive #232, Bel Air, Maryland, 21014, USA
