Tuesday, August 29, 2017

Connector August 2017

OWASP Connector


Mon, August 28, 2017

Operations Update

The August Operations Update includes vital information about OWASP's infrastructure initiatives, project activity, and Chapters. Read it for an overview of what is happening in OWASP.

Improved Reimbursements System on Horizon for OWASP

OWASP’s growth over the past decade has been phenomenal! We have grown from an idea to over 40,000 participating members, 2,000 paid or honorary members, and a staff of 6. As an organization we have prioritized support for volunteer-led priorities and experimentation in our dynamic community. This means that staff created a lattice of support procedures for small, experimental activities that rapidly became a mainstay of OWASP. As our needs or size changed, these procedures either remained the same or underwent repeated, limited revision.

Some of these processes were perfect for the OWASP of five or even two years ago, but now need to be made more robust to support their exponentially larger loads. During 2017 and 2018 the staff will be focusing on improving these basic processes to increase speed, transparency and ease for our volunteers.

One example of this is the OWASP reimbursement system. Currently all reimbursements are submitted through forms and then disappear into a black hole until paid. The only way for a submitter to check on the progress of their reimbursement is by repeatedly emailing a staff member. Furthermore, in many cases that staff member must repeatedly email accounting to get an update as well. Worse, workflows were not identical across all OWASP activities. All of this led to confusion and inefficiency.

The OWASP Staff has created a new reimbursement system that will use Jira to make sure that all reimbursements go through the appropriate workflow and that the submitter can see where their reimbursement is in the process at any time. All reimbursement communications will be in the same place to facilitate swift repayment. This reimbursement system will be launched in the coming month, and there are no changes to the current funding rules. You can read more about how it will work, complete with examples, on the OWASP Wiki.

2017 Global Board of Directors Election

The OWASP Board of Directors consists of seven hardworking volunteers elected to direct the financial and outreach goals of the organization. As a group the board members self-organize into positions and guide the organization by defining our strategic goals. You can follow the election on the Board of Directors Election wiki page.

This year we have eight candidates running for the four open board positions. You can click on their names to read their bios and statements of purpose:

  • Greg Anderson
  • Bil Corry
  • Arthur Hicken
  • Steve Kosten
  • Sherif Mansour
  • Owen Pendlebury
  • Milton Smith
  • Chenxi Wang

Additionally, during this time we requested that our members submit questions to be asked of the board candidates during an interview that will be recorded and shared prior to the election. The following are the winning questions from our community.

1. How do you make sure that the board's decisions won't be influenced by any personal favors or corruption?

2. OWASP does not have a great reputation internationally due to what most people call "Politics". How do you intend to solve the "Politics" problem?

3. How do you intend to address bullying within OWASP? If someone is a repeat offender, will you enforce rules to expel or suspend offending parties?

4. How do you intend to empower the Compliance Committee? Currently all it has the power to do is mediate or make suggestions, it needs more than that.

5. What accomplishments related to OWASP Foundation's mission have you demonstrated in the last (5) years?

6. What kind of action plan do you have in mind to help motivate the participation of developers in the OWASP community?

7. What is your strategy to keep chapters active and motivated with OWASP and keep having meetings and organize local events?

Don’t forget that you must be a member by September 30th to vote for the OWASP Board of Directors. Get your Membership Today!

OWASP Volunteer Platform

We are ready to begin the design stage for building the OWASP Volunteer Platform and we need your help! The first step of the design phase is a set of surveys. OWASP Leaders will receive, via email, a survey exploring their needs as volunteer managers. The survey will be active until September 22, 2017. The wider OWASP community is encouraged to follow the link to the Volunteer Portal Survey for Community Members, which explores the needs of prospective volunteers in a volunteer management platform. You do not need to be a paid member of OWASP to take the survey. If you are both a Leader who manages volunteers and a volunteer elsewhere in OWASP, you are encouraged to take both surveys.

Your input is invaluable and we thank you for your time. (Estimated time to take: 4 min.)

OWASP in the News



OWASP Top 10 2017 Project Update

The OWASP Top 10 is the most heavily referenced, most heavily used, and most heavily downloaded document at OWASP. It therefore rightly receives a greater level of scrutiny and review, as befits a Flagship project.

Under new leadership, the project has issued a second call for data and a survey, both of which close on September 18th. You can read more about it in the Top 10 post on the OWASP Blog.

OWASP Project Reviews @ APPSEC USA 2017

Once more OWASP is reviewing projects that wish to graduate from Incubator to Lab to Flagship at this workshop. We are also performing some more detailed health checks. The purpose of these assessments is to determine whether a project meets the minimum criteria to graduate as outlined in the Project Health Assessment Criteria Document. The review process begins with an initial self-assessment done by the project leader and reviewed by Matt Tesauro. Next, the assessment enters the peer review phase, where we ask volunteers in our OWASP Community to participate and finalize the results. Here's a Sample of a Project Assessment to give you an idea of what these look like.

We are still looking for more volunteers to help in this mission. Sign Up!

OWASP Project Reviews @ APPSEC USA 2017 - Funding Incentive is Available!

Please contact Claudia Aviles Casanovas and Matt Tesauro with any questions.


Utilizing DevSecOps to Its Fullest Potential at AppSec USA

DevSecOps will be one of the most discussed topics at this year’s AppSec conference, and for good reason: it ties security into the way software is built and shipped rather than bolting it on afterwards. We’ll have plenty of DevSecOps talks and workshops to keep you busy, but here are a few of this year’s highlights:

Overcoming Mobile App Security Challenges with DevOps (Thursday, 9/21 @ 11:30am): Brian Lawrence, Solution Engineer for NowSecure, examines some of the most common reasons companies struggle without consistent DevOps programs. He’ll look at challenges such as technology fragmentation, how mobile apps expose enterprise architecture, the unending update cycle, and more, before framing some successful DevSecOps processes to mitigate these issues.

Making Vulnerability Management Less Painful with OWASP DefectDojo (Thursday, 9/21 @ 1:30pm): Let Greg Anderson, Senior Security Engineer for Pearson, take some of the pain and tedium out of vulnerability management by introducing you to DefectDojo. He’ll demo this enterprise-level tool’s ability to automate, report, scan, and service vulnerabilities to make your - and your engineers’ - lives easier.

WAFs FTW! A Modern DevOps Approach to Security Testing Your WAF (Thursday, 9/21 @ 3:30pm): In this lecture Zack Allen, Threat Operations Manager at ZeroFox, presents a framework for testing arbitrary Web Application Firewall implementations and explores rapid prototyping of attack payloads, so that WAF defenses can be verified without relying on developer support.

Core Rule Set for the Masses (Friday, 9/22 @ 11:30am): Although the OWASP ModSecurity Core Rule Set - OWASP’s own rule set for the ModSecurity web application firewall - is widely considered an exceptional security tool, maintaining and managing the system can be tedious, time consuming and difficult. OWASP volunteer Tin Zaw and Robert Whitely, Security Solutions Architect for Verizon Digital Media Services, share the benefits of enhancing and fine-tuning the rule set so you spend less time managing ModSecurity and more time benefiting from it.

How to Stop Worrying About Application Container Security (Friday, 9/22 @ 2:30pm): Brian Andrzejewski, Information Security Engineer for the US Citizenship and Immigration Services (USCIS), challenges existing security models by harnessing containers to deploy applications securely and swiftly. He’ll use his experience at USCIS as a case study to frame this approach and discuss the merits of building a container ecosystem.

Volunteer spots for AppSec USA now open!

OWASP has volunteer positions available for AppSec USA. If you are interested, please take a moment to choose your shifts through this signup.com form.

If you are volunteering in exchange for your ticket, you will receive an email explaining how to register for the conference. If you are planning on doing this, please remember that you will need to sign up for 8 hours' worth of shifts, and that OWASP does not cover travel or accommodation.

Remember to consult the Conference Schedule to make sure that you do not choose a shift that conflicts with your preferred talks.

Volunteer Orientation is on-site Monday evening. You will receive an email with the exact time and location closer to the event. If you can't make it, please let us know!

OWASP World Tour

This year the strategic goal of OWASP is to raise awareness and spread application security knowledge worldwide by hosting a training world tour. The 2017 world tour will consist of three free, large-scale application security training events. Each one-day AppSec training course will teach 500 developers, software testers and entry-level application security professionals core security topics.

Our goal is that each training will combine general security principles, such as the principle of least privilege, using secure defaults, and reducing attack surface, with AppSec-specific topics such as parameterized queries to prevent SQL injection, input validation, and output encoding. We are also interested in teaching how OWASP Projects can assist in developing secure software.
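As an added illustration of two of the AppSec topics named above (parameterized queries and output encoding), here is a short Python example. It is written for this newsletter summary and is not OWASP World Tour course material; the in-memory SQLite table and the user names in it are constructed for the demonstration.

```python
"""Added example (not OWASP course material): SQL injection through string
concatenation versus a parameterized query, plus HTML output encoding.
Uses a constructed in-memory SQLite table so it runs offline."""
import html
import sqlite3


def make_db():
    """Create a small, constructed users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0)],
    )
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: the caller-supplied value is spliced into the SQL text,
    so quotes in it change the structure of the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized: the value is bound by the driver and never parsed as
    SQL, so an injection payload is just an (unmatched) name."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_name(name):
    """Output encoding for an HTML body context: escape <, >, &, and quotes
    so user data cannot become markup or script."""
    return "<li>" + html.escape(name, quote=True) + "</li>"


def demo():
    """Run the comparison on a classic tautology payload."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "unsafe_rows": lookup_unsafe(conn, payload),  # every user leaks
        "safe_rows": lookup_safe(conn, payload),      # no such user
        "encoded": render_name("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The tautology payload turns the concatenated query into `WHERE name = '' OR '1'='1'`, which matches every row; the parameterized version compares the literal string and returns nothing. Note that `sqlite3.execute()` only runs a single statement, so stacked-query payloads (`'; DROP TABLE ...`) fail here even in the unsafe function; other drivers are not so forgiving, which is why the fix is binding parameters, not relying on the driver.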

As part of the OWASP World Tour we are inviting all professional trainers to apply to the Call for Training for the opportunity to train in Tokyo, Boston, or Tel Aviv. The Call for Training closes this month, so apply today!

If you are interested or know someone who is interested in attending the OWASP World Tour near you, please keep an eye on the OWASP Blog or OWASP World Tour Wiki Page for registration.

5th Annual AppSec Bucharest

The OWASP Bucharest team is happy to announce the OWASP Bucharest AppSec Conference 2017 at Hotel Caro: a three-day security and hacking conference dedicated to application security. The event will be in English, with cutting-edge topics presented by renowned security professionals.

The CfP is open through September 9th as is the Call for Training.

October 11th and 12th are dedicated to trainings, and on the 13th talks and workshops will run in parallel. We will also have a CTF with a grand prize of 1024 Euros. Conference talks are free; however, you need to register.

More information, including the current training schedule, is available on the wiki.

Upcoming Events

Regional and Local Events

Training Events

  • OWASP Cyber Security Explorer — August 10–11, 2017; Amity University, Rajasthan, India
  • OWASP Training Day 2017 — October 4, 2017; Portland, OR, USA
  • OWASP World Tour — September 30, 2017; Tokyo, Japan
  • OWASP World Tour — October 9, 2017; Boston University, Boston, MA, USA
  • OWASP World Tour — October 17, 2017; Tel Aviv, Israel

Developer Summits

Partner and Promotional Events


OWASP Go Live?

We are looking for Chapters interested in participating in the alpha test of the OWASP Discourse system. You can read more about the requirements in the OWASP Discourse roll-out plan. If interested, please fill out this form of interest.


August 2017 Corporate Members

We would like to thank the following companies for supporting the OWASP Foundation. The companies listed below have contributed this month by either renewing their existing Corporate Membership or joining OWASP as a new Corporate Member.

Details about Corporate Membership can be found here.

Contributor Corporate Members

Code Dx is committed to reducing barriers to effective application security. Our automated application vulnerability correlation and management tools help find and fix insecure code faster, with less effort and a smaller team. Focus your precious resources on developing valuable new features, and ship secure code faster and more often.
For more information, please visit https://codedx.com/

Founded in 1975, Information Builders continues to deliver state-of-the-art technology that is transforming business in all commercial industries, government, and education. We remain one of the largest independent, privately held companies in the software industry. Headquartered above Madison Square Garden in New York, Information Builders operates in more than 60 global locations and has built an active customer base of tens of thousands of major installations at the world's leading organizations. Information Builders is not only a major software supplier to our customers, but also a major provider to the leading software vendors in the industry including HP, IBM, Oracle, SAP, Teradata, and many others. In addition to our commitment to superior software engineering, we are equally proud of our people. Some of the most talented and creative professionals in the industry work at Information Builders and are passionate about what they do. In fact, the professionalism and tenure of our employees is often cited as a major differentiator by our customers. Our reputation for customer service has garnered us the highest honors from “CRM” magazine, the SSPA, and the American Business Awards. Our products and services have received top recognition from independent analyst research firms including Gartner, Forrester, Ventana Research, BARC, Butler, Bloor, and The Data Warehouse Institute (TDWI). Most importantly, our customers have received the most information technology and business awards for their accomplishments. More than 50 of our customers have had their information systems inducted into the Smithsonian Institute for superior information technology achievement through the Computerworld Honors Program. http://www.informationbuilders.com/about_us

Want your company name here? Find out how by visiting our Corporate Member information page, or contact Kelly Santalucia, our Membership & Business Liaison, today!

Thank you to all of our Premier and Contributor Corporate Members for your support!

The OWASP Foundation, 1200C Agora Drive #232, Bel Air, Maryland, 21014, USA
