Friday, February 24, 2017

Project Review Session at OWASP Project Summit during Belfast APPSEC EU 2017

We have an open session for two days for Project Reviews during our OWASP Project Summit EU 2017 Belfast. We are looking for some volunteers to review projects and helping make OWASP Projects move to the next level with your expertise and feedback.

Please Sign Up and join us in APPSEC EU 2017 in Belfast!

We currently have these leaders attending and want to send thank you for stepping up to the challenge and thank Johanna Curiel, our current Vice Chair on the Board, for helping us lead this effort.
  • Azzeddine Ramrami
  • Talal Albach
  • Kuai Hinojosa
  • Nabin Kc

Overview of Project Reviews:

OWASP is reviewing projects who wish to graduate from Incubator to Lab to Flagship.  The purpose of this assessment is to determine whether a project meets the minimum criteria to graduate as outlined in the Project Health Assessment Criteria Document.  The review process begins with an initial self-assessment done by the project leader and reviewed by Matt Tesauro.  Next, the assessment enters the peer review phase where we ask volunteers in our OWASP Community to participate and finalize the results. I have included a Sample of a Project Assessment for your review and consideration.


Labels: , , ,

Monday, February 20, 2017

February 2017 Corporate Members


February 2017 Corporate Members

We would like to thank the following companies for supporting the OWASP Foundation.  
The companies listed below have contributed this month by either renewing their existing 
Corporate Membership or joining OWASP as a new Corporate Member.  

Details about Corporate Membership can be found here.


Contributor Corporate Members
For more information please visit https://www.nccgroup.trust/us/



NetSPI is a privately held information-security consulting company founded in 2001. By using its consulting team's deep security knowledge and its Correlated VM vulnerability management & reporting solution, the company is a trusted advisor to large enterprises. NetSPI provides a range of assessment and advisory services designed to analyze and mitigate risks and ensure compliance with relevant regulations and industry standards. Clients include large financial services firms, retailers, healthcare organizations and technology companies. For more information, visit http://www.netspi.com


Oneconsult AG offers holistic cyber security consulting against external and internal cyber threats such as APT, hacker attacks, malware infection, digital fraud and data leakage. We specialize in information and IT security and are your trustworthy partner for identifying, assessing, preventing and addressing information and IT security threats. Our core services are penetration testsISO 27001 security audits and IT forensics. To protect your organization and mitigate specific information security risks, Oneconsult also offers practical security consultingsecurity training and virtual security officer services. Our technical tests for office IT and SCADA/ICS cover (mobile) application penetration tests, ethical hacking, client audits, configuration and code reviews as well as reverse engineering and targeted exploit development for APT audits. Oneconsult’s dedicated security research team detects dozens of zero-day vulnerabilities per year in standard software. We have already carried out 1000+ security projectssince 2003 and have become a trusted provider to 250+ organizations worldwide covering a wide variety of industries. For  more information, visit https://www.oneconsult.com/en/ 


For more information, visit https://www.ptsecurity.com/ww-en/


Twistlock provides the industry’s first enterprise suite for container security. We monitor container activities, manage vulnerabilities, detect and isolate threats targeting containerized applications. Our technologies enable enterprises to enforce consistent security policies from development to production, thus maximizing the benefits of container computing. For more information, please visit https://www.twistlock.com


Veracode delivers the application security solutions and services today’s software-driven world requires. Veracode’s unified platform assesses and improves application security from inception through production so that businesses can confidently innovate with the applications they build, buy and deploy as well as the components they integrate into their environments. For more information, visit http://www.veracode.com/


WhiteHat Security has been in the business of securing web applications for 15 years. Combining advanced technology with the expertise of its global Threat Research Center (TRC) team, WhiteHat delivers application security solutions that reduce risk, reduce cost and accelerate the deployment of secure applications and web sites. The company’s flagship product, WhiteHat Sentinel, is a software-as-a-service platform providing dynamic application security testing (DAST), static application security testing (SAST), and mobile application security assessments. The company is headquartered in Santa Clara, Calif., with regional offices across the U.S. and Europe. For more information, visit https://www.whitehatsec.com/


Want your name here? 
Find out how by visiting our Corporate Member information page, or contact our Membership & Business Liaison, Kelly Santalucia today!  

Thank you to all of our Premier and Contributor Corporate Members for your support!





Thursday, February 16, 2017

OWASP Comprises 30% of ToolsWatch.org Top Ten Security Tools for 2016

The OWASP Community produces a lot of amazing things. This month we are glad to share that three OWASP Projects have taken spots in 2016 Top Security Tools as voted by ToolsWatch.org Readers. Congratulations and many thanks to the project leaders and many contributors to these projects! 


Zed Attack Proxy


OWASP Zed Attack Proxy Project (ZAP), a penetration testing tool that combines automatic scanning and manual tools, was voted the 2nd most popular tool of 2016.  You can join Simon Bennetts and the ZAP team by visiting the ZAP GitHub or taking this survey.





OWASP VBScan Project, the black box vulnerability scanner which detects and analyses VBulletin CMS vulnerabilities in perl, was voted 3rd most popular tool of 2016.  You watch demonstrations on the wiki page or help by following up with Mohammad Reza Espargham on GitHub.





OWASP ZSC Tool Project placed 6th in the top ten for 2016.  The project generates customized shellcodes and convert scripts to an obfuscated script. You can contribute Ali Razmjoo and Johanna Curiel's python project on their GitHub.


Thank you for your votes!!
Congratulations OWASP Project Leaders!


.

Labels: , , , , , , , ,

Monday, February 13, 2017

OWASP PROJECT SUMMIT EU May 9th & 10th 2017


We are excited to announce the OWASP Project Summit EU May 9th & 10th 2017. OWASP is providing a platform for project leaders on the two full days prior to AppSec Europe 2017.  Project Summits are a place for project leaders and contributors to collaborate as well as provide feedback to OWASP. The platform provides an open forum setting for ideas, discussing innovations, gaining project contributors and sharing feedback for projects with the goal of helping them advance to the next level. Use this opportunity to demo your project to others at the summit, promote for sponsorship, gain feedback, or simply brainstorm some ideas and add a few features.


   This year’s project summit will include the opportunity to work on some of the hot
   topics and initiatives being discussed at OWASP. Please give us your feedback on
   which topics you’d like to see discussed at the summit.  We’ve listed some below--feel
free to suggest others:


  • Gamification of Projects
  • OWASP Documentation Projects into github/markdown & sharing content
  • Project Review Activities and the new Conversational Review methods



If you are looking for your company, chapter or project to support OWASP Projects, we also have Great Sponsorship Opportunities.


Let's make this a success Sign up!          




Requirements for Participation:
  • Active OWASP Project started in the last 9 months.
  • Complete and updated wiki page with a clear roadmap.
  • Agenda and Deliverables for your project at the summit are required.
  • Deadline on April 10th
Funding Opportunities: (through the Reimbursement Process)
  • $750.00 for Travel Assistance per OWASP Project
  • Two Nights of accommodations for the days of the Project Summit EU.
  • OWASP Project Leaders (three leader max) receive a complimentary pass for AppSec EU


Please use our contact us form with any questions or concerns.

Contacts at OWASP Foundation: Matt Tesauro and Claudia Aviles Casanovas

Labels: , , ,

Thursday, February 9, 2017

Should Your Chapter Start a Study Group?

Guest Post by Josh Sokol

Back in 2010, when I first took over as President of the OWASP Austin Chapter, I noticed that there were a number of chapter members who had an interest in getting their CISSP certification (myself included).  We knew that it would be a pretty large undertaking, spanning multiple months of effort, but also knew that we would all be more successful if we could work together and support each other through the process.  We found a test date that was far enough in the future to meet our goal of spending a week on each domain, plus a couple of weeks for review, and the first-ever OWASP Austin Study Group was born.  Each week, a different study group member was responsible for leading the discussion on a topic.  Usually it would be accompanied by a lightweight "review" slide deck and then the group would go over different sets of review questions for that week's domain together.  It worked out great with over half of the group taking their test on the goal date and almost everyone receiving a passing grade.

Once our CISSP Study Group had finished, we took a short break, but then decided that it would be fun to meet regularly on other topics.  We moved our meetings from several hours on Thursday evenings to an hour over lunch, once a week, and what began as a quest for a certification turned into a continuous pursuit of knowledge.  Over the past seven years, the OWASP Austin Study Group has covered dozens of topics ranging from the OWASP Developers Guide to WebGoat to the Web Application Hackers Handbook and beyond.  Today, we even offer to buy the next book for anyone who attends 75% or more of the study group sessions for the current book.  It is a fantastic way to keep participants engaged and ensure optimal participation each week.

So, how do you start a study group for your chapter?  The first step is to find a group of people who have a common interest.  This is super easy since your chapter meetings should be full of people interested in application security.  The next step is to find a place and time to meet.  Ideally, this should be someplace relatively easy for everyone to get to with free parking and enough space for everyone who wants to attend.  Having a projector or other audio-visual equipment available is a huge bonus.  Offices that allow outside visitors are ideal for this, but libraries, restaurants, or coffee houses could also make great meeting locations.  Lastly, you need to choose a topic.  Perhaps you want to start, like we did, with a goal of getting a certification like the CISSP, CEH, CSSLP, OSCP or similar?  Or, maybe you want to start easy with something like the OWASP WebGoat tutorials?  If you want some ideas, feel free to talk to me, but regardless of what topic you pick, you'll undoubtedly have a ton of fun learning new things while developing relationships with other security professionals in your area.  Have fun!

Labels: , ,

Monday, February 6, 2017

OWASP Project Releases


New Release 2/6/17
  • Change Session to no longer call/use ExtensionActiveScan.
  • Change ActiveScanController to obtain the excluded URLs (session and global) instead of having the Session to set them.
  • Change ExtensionActiveScan to allow to set a list of excluded URLs and to not change running active scans, normalizing the behavior with the normal spider.

New Release 1/19/2017 Latest Release Version 1.1.4

Code Pulse 1.1.4 brings along updates to the distributed stack:
  • ASM has been updated to version 5.1 - this enables Java 8 tracing support
  • Java, Jetty, and NW.js have been updated to the latest versions
  • Dependency-Check has been updated to the latest version



New Release 1/30/2017 Latest Release Version v2.21.2

  • The name field of all challenges was changed to a more human- and CTF-friendly form (see #264)

OWASP Off  The Record 4 Java

OWASP Foundation would like to welcome Project Leader Jigar Joshi !

Type of Project: Code Project
Brief Description:
Privacy is daily reality for many internet users. Eavesdropping user's content and using it for various reason is not desired by many of the application users. Putting trust on communication channel, service provider or government not to intercept your content is not a good idea.
OTR framework solves this problem by cryptographically processing the users content in transit and at rest. No eavesdropper can read the content, not even the service provider.

Labels: , , , , , , ,

Friday, February 3, 2017

OWASP Operations Update for February 2017

Welcome to the operations update for February 2017.  This continues the series of blog posts updating the community about the happenings at the OWASP Foundation.  The previous post is available here.

Major efforts, status of those efforts and important changes from last time:

OWASP is evaluating hosting providers.  After Rackspace discontinued their donation of hosting services, OWASP is evaluating options for hosting its IT infrastructure.  We discovered this on January 31st after speaking with our account representative at Rackspace.

  • First, thanks to Rackspace for providing up to $2,000 USD in cloud hosting on Open Stack since the fall of 2011.  The long term donation of hosting was very helpful and greatly appreciated.
  • OWASP is reviewing our current hosting needs and evaluating whether to stay or migrate to a different hosting provider.  Wherever we end up, it will be an API-driven, elastic cloud based hosting provider.  After years of being on Open Stack, we don't want to leave a dynamic infrastructure environment.
  • A plan for hosting both short and long term will be in place by February 10th, 2017
The Website Reboot aka TWR - a major effort to update and modernize OWASP's web presence.  Since last month, we've:
  • Continued to make progress on Phase 1 - updating the wiki to 1.27.x
    • Ansible to deploy the wiki servers has been written and tested
    • We are holding the deployment temporarily due to the unanticipated end of Rackspace's hosting donation
    • We're spending the week of Feb 6th to determine where to host the updated production version - either at Rackspace or a new provider.  This may require some minor changes to the Ansible deploys to replace the Rackspace specific portions.
  • Next up Phase 2
    • Blocked: waiting for the 2017 Budget to get approved by the OWASP Board
The OWASP Communications Plan - a staff-created plan to professionalize how OWASP interacts with its community and the world at large.  Here's where our efforts on this were focused in January:
  • Migration to Discourse from Mailman
    • SaaS provider setup a production instance of Discourse for OWASP in mid-January
      • Should have been an empty instance to fill with the migration data
      • Regrettably the provider moved our test data aka cruft over to production by mistake
      • The production site is getting the test data removed currently
    • Schedule for migration is up in the air due to the potential hosting changes and the demand on staff time to adjust and plan for that change.  Its on the short list, we're just not sure where at this moment.  Scheduling will be part of the hosting plan completed by February 10th, 2017.
  • Beta program for the Foundation's Global Meetup account is continuing.
Other Major Efforts in progress
  • Association Management System (AMS)
    • Kate completed a week long training on the new system - training was provided as part of the licensing of the AMS software
    • Implementation of the AMS including migration of the current system to the new system is planned for early February as soon as the membership plan (below) is finalized by the OWASP Board.
    • Migration is a complicated effort of contractors and OWASP staff and is expected to take between 8 and 12 weeks and include significant clean-up of our Salesforce data.
    • Blocked: waiting on the board decision on the proposed membership changed below
  • Updating Membership Models
Projects
  • Health Checks on all OWASP Projects were started during January and completed on the 30th
    • Beyond the normal health checks, all wiki and Salesforce data was cross-checked
      • Current releases for all projects were added to Salesforce in preparation for future project meta-data automation
    • Next steps
      • Abandoned and outdated projects in Salesforce will be cleaned up
      • Project Leaders will be contacted for any missing or out-of-date information
  • GSOC 2017 is gearing up!
    • Application for Participation will be submitted to Google on February 9th
    • 9 projects have submitted for participation
    • More information on the GSOC 2017 Blog post
  • Volunteers Needed
    • We've got several projects under review and need your help with reviews - let us know you're up for the challenge with the Contact Us form.
  • New Project: OWASP Off The Record 4 Java Project
  • Project Handbook Update
    • The content of the project handbook is being converted to Markdown and moving to Github in February for a thorough review and update 
      • PRs and issues are encouraged and will be gladly accepted - source controled, versioned Project Handbooks, oh my!
      • Look for an announcement later in February via the Leaders List and our various social networks of the Github repo for the Project Handbook
    • Once the new content is finalized, it will be converted from Markdown and posted on the wiki.
      • Future updates will happen on Github and the wiki page will be set to the current 'stable' version
Updates on events for 2017
  • 2017 started with a successful AppSec California 2017 conference on January 23rd to 25th
  • AppSec EU - Belfast, UK
    • Sponsors: 13 exhitbits + 3 a la carte
    • 4 keynotes confirmed
    • CFP closed & CFT closed with selection finalized
    • Call for Activities open
  • AppSec USA 2017 - Orlando
    • Call for Papers & Cal for Trainings in progress - available soon
    • Initial website launched
  • Many upcoming regional, local and outreach events - find out the details on the events wiki page
Membership and Outreach
  • Membership for 2017 is starting out strong - already at 10% of the yearly goal!
    • Total individual members: 2,430
    • Total corporate members: 69
  • Updated Membership information - check it out 
  • Membership video
    • Proposal to create a membership video was approved - work on it begins on February 6th
  • Membership Model Update board vote (mentioned above) is eagerly awaited so planning of the June membership drive can continue
Community
  • Chapter Leader Handbook is ready for review 
  • Other documents ready for review
  • Search and evaluation of a marketing company is pending finalizing the 2017 OWASP Foundation budget
As always, the OWASP staff are here to make the OWASP community even stronger.  If you have a question, concern or need, let us know using the 'Contact Us' form.  Also, feel free to attend, suggest or otherwise engage the OWASP Foundation further at the February 8th Board meeting.

Your friendly neighborhood OWASP staff: 
     Kate, Kelly, Alison, Laura, Claudia, Tiffany, Dawn and Matt

Labels: ,