Monday, November 17, 2014

Chapters, Projects, Taxes and 378,223.12


This week the OWASP Foundation had to file its United States business taxes. For the last (10) years it has been insightful for me to watch OWASP grow.

For your bookmark, the transparent details of these legal filings will be posted here shortly:

As a leader, however, I did want to draw your attention to $378,223.12. Yes, OWASP chapters around the world have funds of $378,223.12 US earmarked at OWASP HQ.

As a chapter leader you can redeem that money at any time with a receipt that follows the OWASP Chapter Handbook.

As a global and legal charity, I wanted to draw your attention to this. It is very important that chapters (and the OWASP Foundation) USE their funds to further the actual mission of OWASP. As each chapter conducts its end-of-year wrap-up meetings and 2015 planning, consider your chapter's plan to invest in social events and outreach; work with academia to build the next generation and/or retrain the existing workforce; incentivize project work with scholarships; build, support and invest in maker-spaces; host mini-summits, project code-camps and research; <insert your great idea>. It's OK to experiment; that is how OWASP was built.

https://docs.google.com/a/proactiverisk.com/spreadsheet/pub?hl=en_US&hl=en_US&key=0Atu4kyR3ljftdEdQWTczbUxoMUFnWmlTODZ2ZFZvaXc&output=html


=====

Need a FUN idea and current topic for your next chapter meeting? How about the Internet of Things (IoT)?

Ask this question:
"Since homeowners aren't experts in technology and security is NOT a Top 10 list, what attack surfaces did you think about while watching this video?"

>> PLAY THIS VIDEO <<


http://www.youtube.com/watch?v=2T934EyrTJI

Then, after you have had an interactive dialog and captured useful data, "edit" the wiki and help out on this NEW and important project. Think of other consumer and medical devices that are being connected to the internet.

https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project

*Bonus points for this "hack" (sellers made $): http://www.cnbc.com/id/101343245#


## WANT TO INCLUDE A CARD GAME TOO THAT YOU CAN DO WITH GOOD SCOTCH?

OWASP brings you Cornucopia. <insert OWASP band music> OWASP Cornucopia is NOW AVAILABLE in 100% OWASP-branded decks (give them to your chapter members, give them to your co-workers, play cards in the park):

https://www.owasp.org/index.php/OWASP_Cornucopia

As a chapter leader you can also spend some of that $378,223.12 and buy some decks (pack of 10) to hand out at your meetings and regional events. Getting them is EASY: they can now be requested and charged back to your local chapter.

https://www.owasp.org/index.php/OWASP_Merchandise

Then consider what other projects can benefit from the local chapter's energy.

In closing, over the last 10 years it has been great to see OWASP grow, grow and grow like bamboo. The future is BRIGHT at OWASP locally and globally. Welcome to the new board members!

Semper Fi,

Tom Brennan
OWASP Foundation | Global Vice Chairman

Wednesday, November 5, 2014

Tuesday, November 4, 2014

OWASP Connector - November 4


OWASP Global Connector
November 4, 2014 | www.owasp.org | Contact Us | Brought to you by the OWASP Foundation
Communications

2014 Global Board of Directors Election

The 2014 OWASP Global Board of Directors election has been completed.
Please help us in welcoming the newly appointed board members. Their term will take effect January 1, 2015.


  • Jim Manico
  • Andrew van der Stock
  • Matthew Konda

We would like to thank all of the candidates for the time and energy they invested into this campaign.

Election results:
  • Jim Manico - 382 votes
  • Andrew van der Stock - 302 votes
  • Matthew Konda - 204 votes
  • Bil Corry - 165 votes
  • Mateo Martinez - 143 votes
  • Israel Bryski - 131 votes
  • Tahir Khan - 92 votes
  • Nigel Phair - 72 votes
  • Timur Khrotko - 69 votes
  • Abbas Naderi Afooshte - 57 votes

Voter Summary
  • Total - 738
  • Abstain - 73
  • 738 of 1991 electors voted in this ballot

New Jersey Institute of Technology College of Computing Sciences

Tom Brennan, outgoing board member, has been appointed to the Alumni and Industry Advisory Board of the CCS Capstone Program at the New Jersey Institute of Technology. NJIT provides a unique environment of real-world learning to university, high school, and middle school students. This environment not only integrates real-world practices and resources into academic curricula but also integrates academic education into the real world, adding substantial value to existing real-world projects.

membership

Thank you to our renewed Corporate Member:

• Gotham Digital Science

industry

2014 CISO Survey

TAKE THE SURVEY HERE
OWASP is preparing the Global CISO Report for 2014.

We are conducting a survey among CISOs and senior information security managers with the aim of providing new insights about the state of application security across various industry sectors.
This will help us align our efforts to better help solve the problems that you face.
The deadline for submission of the completed survey is November 10th, 2014.
conferences

Global AppSec Events in 2014

LATAM Tour 2015
AppSec EU/Research 2015 (May 18 - 21, 2015, Amsterdam, NL)
Call For Papers, Trainings, and Research are all now open - CLICK HERE FOR DEADLINES AND LINKS
AppSec USA 2015 (September 22 - 25, 2015, San Francisco, CA)

Upcoming Regional Events

OWASP Asia Tour 2014
German OWASP Day (December 9, Hamburg, Germany)
AppSec California (January 26-29, 2015, Santa Monica, CA)
NYC OWASP HACKNYC 2015 (March 18 - 19, 2015, NYC, NY)
LASCON 2015 (October 19 - 22, 2015, Austin, TX)

Partner and Promotional Events

OWASP has partnered with these great events at the beginning of 2014 to grow our community and build awareness around software security. If you want to learn more about OWASP's involvement, or will be attending and want to help out, contact us.

Infor Risk 360 (November 4 - 7, 2014) Kuala Lumpur
Application Security Forum Western Switzerland (November 4 - 6, 2014) Geneva, Switzerland
3rd Annual CISO Asia Summit & Roundtable (November 5 - 7, 2014) Singapore
SECUREAMSTERDAM 2014 (Nov 6) Amsterdam, NE
Fraud Summit - Orlando (November 6) Orlando, FL
Hackfest The Return 2014 (November 7 - 8, 2014) Quebec, Canada
Secure Dubai (November 17, 2014) Dubai, UAE
Fraud Summit - Dallas (November 18) Dallas, TX
CS Congress Chicago (November 18) Chicago, IL
National Cyber Security Career Fair (November 20 - 21, 2014)
International Conference on Corporate Espionage & Industrial Security (December 1 - 2, 2015) Ottawa, Canada
ICCS (January 5 - 8, 2015) New York, NY
CodeMash Conference (January 6 - 9, 2015) Sandusky, OH
SC Congress London (March 3, 2015) London, UK
SC Congress Toronto (June 10 - 12, 2015) Toronto, Canada
Projects

New OWASP Projects

OWASP KALP Project

The OWASP KALP Mobile Project is for users around the world who want to access the Top Ten vulnerabilities on the go (on their mobile), download the Top Ten and email it. This is lightweight information on the OWASP Top Ten. Any new additions to the cheat sheets and prevention cheat sheets will automatically be accessible in the mobile app.

OWASP ASVS Assessment Tool

The OWASP ASVS Assessment Tool (OWAAT) is a tool used to verify Web applications' security conformance to the OWASP Application Security Verification Standard (ASVS). OWAAT is a Web-based tool and provides teamwork capabilities. It allows users to create multiple assessment projects and assign assessment tasks to different users.

OWASP Visual Crime Scene and Security Incident Education Project

chapter

NEW OWASP CHAPTERS

• Lithuania - Europe
• Estonia - Europe
• Georgetown University Student Chapter - North America

REACTIVATED CHAPTERS

• Russia - Europe
• Seattle - India

Social Media

OWASP Foundation Social Media

OWASP YouTube Channel
LinkedIn
Twitter
Google +
Facebook
Ning
StackOverflow
CLICK HERE for information on advertising in the next connector




Thursday, October 23, 2014

OWASP Connector


OWASP Global Connector
October 23, 2014 | www.owasp.org | Contact Us | Brought to you by the OWASP Foundation
Communications

2014 Global Board of Directors Election

Election FAQ
Q. Who is eligible to vote?
A. All paid or honorary members whose membership was active on 9/30/2014 should have already received their ballot via email.
Q. I'm a member. Why didn't I get a ballot?
A. Possible causes:

• For Individual Members - at the date the 'eligible voter' list was created (30 September 2014) your membership had not been renewed.
• For Honorary Members - honorary membership status must be actively renewed each year. If your honorary membership expired, and you did not actively renew by the 'eligible voter' date, you were not included on the list.
• Unsubscribe issue. The voting instructions and link to the ballot were sent out by the Simply Voting application. If you previously chose "Unsubscribe" to other emails sent from OWASP via Simply Voting, then you were 'not sent' the voter instruction email by the unsubscribe rule.

Q. I didn't get notification to renew or did not realize I needed to renew. I still want to vote! What do I do?
A.

• The current voting period will remain open and will be extended until October 31, 2014. We know that 1,956 names were on the list who received voting instructions and 463 (23%) have already voted.
• For the 'missed members': we will open a special 'grace period' for the people who did not renew their membership in the 90 days before the Sept. 30, 2014 eligibility cutoff. Some may have done this by choice; others claim they did not receive renewal information.
• Anyone who renews during this grace period ending Oct. 24 will become eligible to vote in the 2014 OWASP Board election. They will be sent the same voting instructions as the original 1,956. It will include the notice that voting is extended through the week of Oct. 27 - 31.
• If you were a member as of 9/30/2014 but have not yet received your ballot, please Contact Us.
• Membership Renewal Information
• Honorary Membership Application

membership

Thank you to our new Corporate Member:

• (ISC)2

conferences

Global AppSec Events in 2014

LATAM Tour 2015 (April 6 - 24, 2015) More details coming soon
AppSec EU/Research 2015 (May 18 - 21, 2015, Amsterdam, NL)
CALL FOR PAPERS AND CALL FOR TRAINERS ARE NOW OPEN - Submission Deadline is December 31, 2014
AppSec USA 2015 (September 22 - 25, 2015, San Francisco, CA)

Upcoming Regional Events

OWASP Romania InfoSec Conference 2014 (October 24, Bucharest, Romania)
OWASP Tampa Day 2014 (November 3, Tampa, FL)
German OWASP Day (December 9, Hamburg, Germany)
AppSec California (January 26-29, 2015, Santa Monica, CA)
NYC OWASP HACKNYC 2015 (March 18 - 19, 2015, NYC, NY)
LASCON 2015 (October 19 - 22, 2015, Austin, TX)

Partner and Promotional Events

OWASP has partnered with these great events at the beginning of 2014 to grow our community and build awareness around software security. If you want to learn more about OWASP's involvement, or will be attending and want to help out, contact us.

Fraud Summit - New York (October 21, 2014) New York, NY
Global APT Defense Summit (October 22, 2014) New York, NY
ISSA International Conference (October 22 - 23, 2014) Orlando, FL
Infor Risk 360 (November 4 - 7, 2014) Kuala Lumpur
Application Security Forum Western Switzerland (November 4 - 6, 2014) Geneva, Switzerland
3rd Annual CISO Asia Summit & Roundtable (November 5 - 7, 2014) Singapore
SECUREAMSTERDAM 2014 (Nov 6) Amsterdam, NE
Fraud Summit - Orlando (November 6) Orlando, FL
Hackfest The Return 2014 (November 7 - 8, 2014) Quebec, Canada
Secure Dubai (November 17, 2014) Dubai, UAE
Fraud Summit - Dallas (November 18) Dallas, TX
CS Congress Chicago (November 18) Chicago, IL
National Cyber Security Career Fair (November 20 - 21, 2014)
International Conference on Corporate Espionage & Industrial Security (December 1 - 2, 2015) Ottawa, Canada
ICCS (January 5 - 8, 2015) New York, NY
CodeMash Conference (January 6 - 9, 2015) Sandusky, OH
SC Congress London (March 3, 2015) London, UK
SC Congress Toronto (June 10 - 12, 2015) Toronto, Canada
OWASP en Español

We invite you to our next webcast event in Spanish, to be held on Wednesday, 29 October at 19:00 Madrid time (GMT+2).
Talk: The GoLISMERO Project: How to audit web applications the easy way
CLICK HERE for more details.


chapter

REACTIVATED CHAPTERS

• Cluj - Europe
• Ahmedabad - India

Social Media

OWASP Foundation Social Media

OWASP YouTube Channel
LinkedIn
Twitter
Google +
Facebook
Ning
StackOverflow
CLICK HERE for information on advertising in the next connector



Monday, October 13, 2014

Report of complaint against OWASP Board members

Community Update: OWASP Complaint & Resolution per Whistle Blower Policy

October 10, 2014. Early this year a complaint was filed against several members of the OWASP board by a former OWASP employee. The complaint was raised internally in April 2014, and an official complaint was also filed with the Arizona EEOC in June 2014.

Purpose: The purpose of this update is to provide the OWASP community with transparency about this issue, to summarize the actions taken by the OWASP Compliance Officer and Board of Directors, and to demonstrate our commitment to our Code of Conduct and Whistle Blower Policy and our respect for the privacy concerns of all members of our community.

Summary of Complaint & Resolution:

The complaint cited several concerns including:

Issue 1: Complaint against a single Board member for breach of the OWASP Code of Conduct.

Issue 2: Complaint against the OWASP Foundation for discrimination based on sex and national origin. This was later filed with the Arizona EEOC (Equal Employment Opportunity Commission).

Issue 3: Complaint against 3 individual Board members for discrimination due to sexual or national origin, and a complaint against 1 of those for misuse of OWASP funds.

OWASP Investigation Process

OWASP has established several policies to handle situations like this, including a whistleblower policy, privacy policy, anti-retaliation policy and code of conduct policy. The role of the Compliance Officer is to objectively investigate the issue, reach out to all parties involved, create a statement of facts and provide this report to the board. The board reviews this confidential information and then makes a determination of action. Additional information on the OWASP policies can be found here.

During the investigation the Compliance Officer interviewed each of the people named in the complaint (listed below), the foundation employee in charge of accounting and bookkeeping, and the chairman of the board.

The former OWASP employee who made the claim declined to be interviewed or to provide any additional information or evidence beyond the original accusations.

These claims were handled in several parallel processes. First, per standard human resource policies and the OWASP whistleblower policy, these claims were reviewed by OWASP. Second, the OWASP legal counsel was notified and asked to investigate the nature of the complaint to protect the privacy of the individual as well as of individual Board members.

Since several Board members were named in the complaint, the OWASP Compliance Officer was assigned the task of interviewing all concerned parties and providing a neutral, 3rd-party report based on those interviews. Also, legal counsel was asked to prepare for discussions with the Arizona EEOC. Legal counsel was asked for recommendations concerning the complaint against the Foundation, as well as against individual Board Members of OWASP, based on evidence they gained from interviews and research.

Resolution by Claim

1. The claim against 1 Board member for breach of the OWASP code of conduct was determined to be valid. Disparaging remarks against an OWASP employee were made on a public forum. The Board member has apologized on the public forum.

   Outcome - The OWASP Compliance Officer has reviewed this situation and believes no further action is necessary against the individual Board Member. The violation of the code of conduct has been recorded and a public apology was issued. It has also been noted that any future violations of the code of conduct would require an escalation in response.

2. The claim filed with the Arizona EEOC against the OWASP Foundation for discrimination was declined because OWASP employs fewer than the required number of employees covered by the statutes. Interviews and investigation by the OWASP Compliance Officer determined the claim to be unfounded due to lack of evidence and witnesses.

3. The claim against 3 Board members for discrimination and against 1 Board Member for misuse of OWASP funds was determined to be unfounded. No evidence was brought forward to validate the complaints of the claimant.

The OWASP Board has recognized the seriousness of the accusations. Therefore, to ensure that all OWASP board members are acutely aware of their responsibilities and expectations when dealing with members of the OWASP staff, community or the public, the board has agreed that all OWASP board members will complete annual anti-harassment training. This will be required of all board members starting with the 2015 board.

In summary, there is no outstanding or ongoing legal activity against OWASP related to these events. The Compliance Officer noted that during the early stages of this complaint, the OWASP Board operated in a fragmentary and occasionally unprofessional manner. Additional training for Board members on Human Resource practice and policy is scheduled to help eliminate this problem going forward. The balance of this document describes the detailed findings of our independent Compliance Officer and is intended to provide transparency and bring closure to this issue for our community.

Detail Report on the Nature of the Complaint and Results of Compliance Officer Investigations:

Claim of inappropriate public review of staff performance, violating the Board Code of Conduct

Investigation confirmed that Jim Manico did violate the Board Code of Conduct, section "Board Conduct with Foundation Staff", which states:

Never publicly criticize an individual employee - Board should never express concerns about the performance of a Foundation employee in public. Comments about staff performance should only be made to the Executive Director through private correspondence or conversation.

Jim violated this code of conduct when he sent emails to a public mailing list in March 2014 that criticized her performance (Thread: OWASP Project Manager Report: March 28, 2014). Board leadership reminded Jim of his obligations under the Code of Conduct. On April 4th, Jim publicly apologized for these comments on the same public mailing list.

Outcome: The board agrees with the assessment of the Compliance Officer, and Jim sincerely regrets having made the comment. The violation of the code of conduct has been recorded and a public apology was issued. No further action is necessary. It has also been noted that any future violations of the code of conduct would require an escalation in response.
Claim of discrimination, that negative actions and retaliation were taken due to her gender and national origin

Claimed against Jim Manico, Eoin Keary and Josh Sokol, both individually and as representatives of the OWASP Foundation. An EEOC complaint was filed with the State of Arizona on June 5, 2014. On September 5, 2014 the EEOC complaint was closed with the status "The Respondent employs less than the required number of employees or is not otherwise covered by the statutes."

Investigation by the Compliance Officer confirmed that the claim was unfounded due to lack of evidence or witnesses. Nevertheless, the Compliance Officer was requested to investigate this claim. The Compliance Officer's investigation of all available information and interviews did not reveal any actions of retaliation or any actions relating to gender or national origin.

Outcome: Claim was unfounded, no action necessary.

Complaint against 3 individual Board members for discrimination due to sexual or national origin and a complaint against 1 of those for misuse of OWASP funds.

This complaint was made via email on a public OWASP mailing list and is broken down into 3 separate claims:

• Issue 1: Claim of breach of Code of Conduct and inappropriate sexual comments by Jim Manico.
Investigation by the Compliance Officer found that the claimed sexual comment was part of a verbal conversation that took place between both parties in a public setting, at an evening cocktail party, with others present.
As noted above, the former OWASP employee declined to provide additional information other than the claimed inappropriate comment. As a result, the claim of verbal sexual harassment cannot be judged properly unless both parties state the context of the occasion of the statement and what preceded it that evening.

Outcome: To ensure that all OWASP board members are acutely aware of their responsibilities and expectations when dealing with members of the operations team, the OWASP community and the public, the board has agreed that all OWASP board members will complete annual anti-harassment training. This will be required of all board members starting with the 2015 board. This training requirement is in addition to all current required onboarding activities listed here.

• Issue 2: Discrimination against the former employee due to the employee's sexual or national origin, or retaliation, by Josh Sokol, Jim Manico and Eoin Keary.
The Compliance Officer investigated the claims of discrimination by interviewing the involved parties and reviewing conversations between the employee and the accused Board members, as well as with OWASP members who have worked with the accused Board members.

As noted above, the former OWASP employee declined to provide additional information other than the claimed discrimination. As a result it is not possible to validate the reasons why the former employee felt discriminated against, or any specific actions of discrimination by the accused board members.

Outcome: There has been no proof of any discrimination by the accused OWASP board members towards the employee.

• Issue 3: Claim of financial mismanagement of OWASP funds against Eoin Keary.
Investigation by the Compliance Officer into access to funds and actual use of those funds confirmed that this claim was unfounded. Interviews with the involved parties show the complaint was based on a misunderstanding of OWASP financial policy by the claimant. Eoin Keary does not have access to any of the financial systems, and the OWASP Foundation funds are only accessible to the OWASP President, Treasurer, Executive Director and Bookkeeper. A two-person, two-step approval process is required for release of payments.

Outcome: This claim has proven unfounded. There has been no indication or proof that Eoin tried to circumvent or bypass the process described above, nor of other financial mismanagement on his side.

Voting for the 2014 BoD Starts TODAY!

The OWASP 2014 Board of Directors Election starts TODAY! Be sure to cast your vote!