Tuesday, July 22, 2014

OWASP Committees 2.0

OWASP Committees 2.0 Operational Model

Passed by a vote of the OWASP Board of Directors on July 16, 2014.

I. Introduction

There is a disconnect amongst OWASP Leadership in terms of determining who is empowered to make decisions for our organization. It is our belief that the Board has expressed the desire to empower our leaders, but has, at times, questioned the decisions made. The goal of the plan which follows is to empower all OWASP leaders who have an idea that merits action with the ability to act.

II. High-Level Proposal

OWASP will once again reinstate a committee structure for participation in key aspects of our organization. This may include Chapters, Projects, Conferences, Governance, and other topics to be determined later. The key difference between the proposed committees and those of OWASP past will be in the empowerment to take action. OWASP Committees may, at any time, conduct a vote to enact change within the stated scope of the committee without prior approval from the Board.

III. Committee Creation

At any point in time, a community member may propose a new committee via the OWASP Leaders List, stating their rationale and desired scope for creating a new committee. After a community discussion, with perceived majority support and no major arguments against, the OWASP Board of Directors will establish whether there is a conflict of interest with any existing committees and whether the formation of that committee is in line with OWASP goals. If no conflict is determined to exist, the Board will initiate a public call for OWASP members interested in committee membership, via the OWASP Community mailing list, with a seven day time window. So long as the committee receives at least five OWASP member applicants, the Board will vote on the committee creation. A majority vote of support from the Board is sufficient for establishment of a new committee, with all OWASP member applicants being granted committee membership.

IV. Committee Scope

The scope of an OWASP committee is established during the initial proposal for the new committee. In the event that a community member believes that a committee has taken actions outside of its scope, or would like to adjust the scope of a committee, they may state their rationale and desired response via the OWASP Leaders List. After a community discussion, the OWASP Board of Directors will establish the validity of any scope disagreement or proposed scope amendment. A majority vote of the Board of Directors is required to modify the scope of any OWASP committee.

V. Committee Membership

Any community member is welcome to participate in and provide feedback to an OWASP committee. Committee membership (voting privileges and leadership responsibilities), however, is limited to those who meet the following criteria:
1) Individual must be an OWASP member in good standing.
2) Individual must have the written endorsement of either a current committee member or an OWASP Board member.
3) Individual must demonstrate a history of at least three months participation in the committee for which they are applying for membership.
Any person who satisfies the above criteria may, by way of the public committee communication medium outlined in section VIII below, request to be granted membership to the committee. The committee will then conduct a vote on the applicant, via the same medium, and if the majority of members agree, they will be granted committee membership as well.
Active committees are responsible for conducting a poll of members, at least every six months, asking each if they would like to continue to serve on the committee. Committee members who respond “No” or who do not respond at all during a seven day time window will be removed from membership.
A member of a committee leadership team may have their membership removed for reasons of inactivity over a period of at least six months or misconduct by a unanimous vote of the remaining members of the committee.
If at any point in time, for any reason, committee membership is less than five people, then the committee leadership must initiate a public call for OWASP members interested in committee membership with a seven day time window. All qualified applicants must be accepted to join the committee as committee members. If there are not at least five committee members at the end of the seven day window, the committee will automatically be removed due to a lack of participating interest with that committee’s functions being reassumed by the OWASP Board of Directors.
Committee members are required to report any infractions of OWASP Foundation policies and procedures to the OWASP Board of Directors.

VI. OWASP Staff Participation

The OWASP Foundation will provide a designated staff member to support each active committee from an operational perspective. The staff member may participate in the committee as a community member, but will not serve as a voting member of the leadership team due to a potential conflict of interest. Participating staff are required to report any infractions of OWASP Foundation policies and procedures, by the committee, to the OWASP Board of Directors. The committee leadership team will be invited to provide feedback for the assessment of their assigned staff member by being invited to provide an annual evaluation of their committee related activities, capability and professionalism.

VII. OWASP Board Participation

Members of the OWASP Board of Directors are allowed to become committee members, but participate as normal committee members with no special powers either expressed or implied. While Board member participation in committees is encouraged, Board members must refrain from taking an active leadership role for the committee.

VIII. Committee Communication

All committees are required to hold their discussions in the open in order to enable participation by any member of the community. All official committee discussions (written and verbal) must be archived in a publicly accessible location so that the community may observe committee actions at any point in time. Use of the OWASP Force Portal for Committees is strongly encouraged as it provides logical conversation grouping, an archive of conversations, document attachment capability, participation metrics, and more, but other technologies may be used as long as it is agreed upon by all committee members and all relevant information is linked from the respective Committee wiki page. Committees that wish to solicit assistance from outside participants for committee activities are strongly encouraged to do so using the OWASP Initiatives framework.
Committees are required to notify the OWASP Community, via the OWASP Leaders List, in writing of any official votes, and to provide a written summary of actions taken on at least a monthly basis. Committee decisions are considered official once a record has been published to the community. The Board is responsible for reviewing committee actions and ensuring that the committee is acting within its pre-defined scope and in accordance with the OWASP Foundation Bylaws as well as all other applicable policies and procedures.

IX. Committee Organization

All committees are responsible for being self-organized. This includes determining their own leadership structure, coordinating committee meeting schedules at least monthly, taking and publishing notes of committee meetings, assembling monthly action summaries, culling inactive committee members, and ensuring compliance with the defined scope and the various OWASP policies and procedures.

X. Committee Removal

If at any point in time an OWASP Leader believes that a committee is no longer necessary or that the scope of one committee conflicts with the scope of another, they may bring up this concern via the OWASP Leaders List. After a community discussion, the OWASP Board of Directors will hold a vote on the committee removal. A ⅔ majority vote of the Board is required for the removal of a committee.

XI. Empowerment

As the goal of this proposal is to empower our leaders to be able to take action on behalf of the organization, no Board vote is necessary for any initiative of the committee provided that the following is true:
1) The action is within the stated scope of the committee.
2) If money is required, the action follows the guidelines set forth in the Community Engagement Funding document.
3) No contracts are being executed by the committee on behalf of the OWASP Foundation.
4) The action is in line with the OWASP Foundation Code of Ethics and is pursuant to OWASP’s mission.
If any of these is not true, then the OWASP Board of Directors should be consulted for approval prior to the committee's execution.

XII. Accountability

Because the committee is acting on behalf of the OWASP Foundation, but as a separate entity from the OWASP Board, the committee members are expected to conduct their actions with regard to the OWASP Mission, the OWASP Code of Ethics, and the Board's annual strategic goals. The committee and its members will ultimately be held accountable for any actions that are not in line with these key principles or that are outside of the pre-determined scope of the committee. Perceived violations should be brought to the attention of the OWASP Leaders List along with all substantiating evidence. After a community discussion, the Board may veto the actions of the committee by a majority vote of the Board of Directors.

XIII. Conclusion

We believe that empowering our volunteers to take action is core to the execution of OWASP's mission. With the above committee structure, we believe that the right pieces will be in place to provide the organization with effective governance as well as checks and balances to ensure unbiased operation. We hope that you will agree that executing on this is in the best interests of the future of the OWASP Foundation.

Tuesday, July 15, 2014

AppSec USA 2014 Offers World-Class Training Sessions

“Something that looks like a protocol but does not accomplish a task is not a protocol—it’s a waste of time.” 
― Bruce Schneier, Applied Cryptography

You won't want to miss Bruce Schneier's keynote at the AppSec USA 2014 conference, September 16-19 in Denver. But you also can't afford to miss AppSec USA's two full days of training sessions featuring top experts collaborating with you and your peers on the latest application security challenges and industry trends.

Register today for AppSec USA and the training sessions at http://2014.appsecusa.org/

Below are the brief overviews of AppSec USA’s 2014 training sessions. Click the links to learn more about the session and presenters.

Presented by Secure Ideas
The advanced web penetration testing course is designed to be a hands-on course that will expand both internal and external security personnel testing knowledge.

Presented by Blindspot Security LLC
This course is designed to provide attendees with the core concepts required to make informed decisions about what cryptographic primitives and APIs are safest to use in practice. The content will include approximately 50% lecture and 50% labs or other exercises to reinforce the concepts presented.

Presented by Mandiant, a FireEye Company
This course provides a rapid introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems using a practical, hands-on approach.

Presented by Tobias Gondrom
Managing and improving your global information security organization; Leverage OWASP and common best practices to improve your security programs and organization; Achieving cost-effective application security; Bringing it all together on the management level.

Presented by Albero Solutions
This course aims at providing all web developers deep hands-on knowledge on the OWASP Top 10 web application vulnerabilities list.

Presented by Recurity Labs
After the training the participants will be able to assess, audit and exploit Ruby on Rails applications. This includes knowledge about the inner workings of the framework itself as well as a set of decent payloads for practical demonstration of vulnerabilities.

Presented by Aspect Security
This hands-on course enables students to understand how easily mobile devices and applications can be attacked. They will learn how to identify, avoid and remediate common vulnerabilities by walking through a threat analysis and learning critical security areas such as those identified in the OWASP Top Ten Mobile Risks and Controls.

Tuesday, July 8, 2014

OWASP July 8, 2014 Connector

OWASP Global Connector
July 9, 2014 | www.owasp.org | Brought to you by the OWASP Foundation

Featured OWASP Project

OWASP Java Encoder Project
The OWASP Java Encoder is a Java 1.5+ simple-to-use, drop-in, high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross-Site Scripting! The OWASP Java Encoder library is intended for quick contextual encoding with very little overhead, either in performance or usage. To get started, simply add encoder-1.1.1.jar to your classpath, import org.owasp.encoder.Encode, and start encoding.
For more information, please contact the Project Leaders, Jeff Ichnowski and Jim Manico
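As an added illustration of the contextual encoding the paragraph describes (this is example code written for this page, not the Java Encoder project's own code), the class below places one constructed hostile string into four different HTML output contexts. It assumes encoder-1.1.1.jar is on the classpath; the class, method and sample names are the example's own.

```java
import org.owasp.encoder.Encode;

/**
 * Added example, not part of the OWASP Java Encoder project: the same
 * untrusted value rendered into four output contexts, each with the
 * encoder that matches that context.
 */
public class ContextualEncodingExample {

    // Constructed sample input: a typical reflected-XSS probe string.
    static final String UNTRUSTED = "\"><script>alert(1)</script><a href='x";

    // Vulnerable form: raw concatenation into HTML element content.
    static String unsafeGreeting(String name) {
        return "<p>Hello, " + name + "</p>";
    }

    // Hardened form: HTML element content (text between tags).
    static String safeGreeting(String name) {
        return "<p>Hello, " + Encode.forHtml(name) + "</p>";
    }

    // Quoted HTML attribute value.
    static String safeAttribute(String value) {
        return "<input type=\"text\" value=\""
                + Encode.forHtmlAttribute(value) + "\">";
    }

    // String literal inside an inline <script> block.
    static String safeScript(String value) {
        return "<script>var user = '" + Encode.forJavaScript(value)
                + "';</script>";
    }

    // Query-string parameter inside an href.
    static String safeLink(String value) {
        return "<a href=\"/search?q=" + Encode.forUriComponent(value)
                + "\">search</a>";
    }

    // Simple sanity check a test could use: after encoding for element
    // content, no raw tag delimiters from the input may survive.
    static boolean containsRawTag(String html, String payload) {
        return html.contains(payload);
    }

    public static void main(String[] args) {
        System.out.println("Vulnerable : " + unsafeGreeting(UNTRUSTED));
        System.out.println("Element    : " + safeGreeting(UNTRUSTED));
        System.out.println("Attribute  : " + safeAttribute(UNTRUSTED));
        System.out.println("JavaScript : " + safeScript(UNTRUSTED));
        System.out.println("URI        : " + safeLink(UNTRUSTED));

        System.out.println("unsafe keeps payload: "
                + containsRawTag(unsafeGreeting(UNTRUSTED), UNTRUSTED));
        System.out.println("safe keeps payload:   "
                + containsRawTag(safeGreeting(UNTRUSTED), UNTRUSTED));
    }
}
```

The point to take from the output is that forHtml alone is not enough everywhere: a value that is safe as element text can still break out of a JavaScript string or a URL, so the encoder must be chosen by where the value lands, not by where it came from.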

New OWASP Projects

OWASP Faux Bank
Faux Bank has all 10 of the top vulnerabilities implemented, as well as fixes for these vulnerabilities. The idea is that developers can see a real-world system with vulnerabilities, so that they can see what to look for and how to write secure code. The OWASP Faux Bank wiki page can be found here. For more information, please contact the Project Leader, Davie Elliott.
OWASP Store Sheep Project
OWASP Store Sheep is a work-in-progress application to demonstrate security concepts relating to Windows Store Apps. Store Sheep is a training app for developers wishing to learn to securely code a Windows Store ('Metro Style') App, and for testers wanting to learn to test one. It contains a number of security vulnerabilities with explanations and fixes for them. The project page for the OWASP Store Sheep project can be found here. For more information, please contact the Project Leader, Marion McCune.
OWASP SonarQube Project
The OWASP SonarQube Project aims to deliver a set of "standard" SonarQube security profiles, such as an OWASP Top 10 profile, ASVS profiles, a PCI-DSS profile and an ISO 27034 ASC profile, which teams can use with the support of the OWASP Community. More than 20 programming languages are covered through plugins, including Java, C#, C/C++, PL/SQL, Cobol and ABAP. The OWASP SonarQube Project is looking to expand the offered languages, and is looking for language experts in .NET, PHP and any other language. The project page for the OWASP SonarQube Project can be found here. For more information, please contact the Project Leaders, Sebastien Gioria and Freddy Mallet.
OWASP URL Checker
OWASP URL Checker is an open source, scriptable tool to scan websites for URLs which may lead to information disclosure, exploits and common attack patterns. This tool will check a user-defined website for potentially exploitable or vulnerable URLs by comparing them against the URL extensions in its database. The project page for the OWASP URL Checker can be found here. For more information, please contact the Project Leader, Craig Fox.

Project Announcements

OWASP Security Shepherd New Version
The new version of the OWASP Security Shepherd Project was released earlier this month. The project now has 50 lessons and challenges based on risks from both the Top Ten Mobile and Web App Security Risk lists. OWASP Security Shepherd is perfect for those who are looking to learn about appsec for the first time or are well seasoned in the arts of pen-testing and are looking for a challenge.
More information can be found on the wiki page, or you can contact the project leader, Mark Denihan.
Research Assistant Needed for the Developer guide
The Developer Guide Project is looking for an honors student or masters student to replicate the 1979 paper by Morris and Thompson. It has been many years since we've had statistically sound research into the basic properties of the password. Morris and Thompson introduced countermeasures that we still use today (30 day password rotation, min six character passwords) that made sense for a PDP 11/870 back in 1979. The project leaders would like a cryptographer research student or masters student to help look into session tokens, particularly RESTful API tokens. The basic topic would be a short paper on the necessary properties to protect against session prediction, session recovery, side channel attacks against sessions, and investigate a few sample session issuers, such as RESTful API in common use.
If you are interested in helping the Developer Guide, please contact Andrew van der Stock.

New Set of Architectural Security Principles
The Reverse Engineering and Code Modification Prevention project has released a set of architectural security principles that enforce integrity preservation in mobile apps. This is an updated list of principles / controls that security architects will find useful when enforcing code integrity within their mobile apps.
For the complete list of the integrity controls and underlying security principles, check out the Architectural Principles sub-project.
New Dependency Check Version 1.2.3 Out Now
On June 28th, OWASP Dependency Check released version 1.2.3. Dependency Check can be used to analyze an application's dependent libraries (Java and .NET) to identify and report on any known, published vulnerabilities related to the libraries being used. The tool will be demoed during the Black Hat Arsenal in Las Vegas on Wednesday, August 6th.
You can find the newest release of the OWASP Dependency Check on the project page.
WASPY Award Nominations are Complete

Every year a group of individuals including researchers, developers, security professionals, and others work to ensure the security of web applications. Some of these individuals are featured in news stories or at conferences as recognized experts. But there are many other 'unsung heroes' that work every day to improve web application security and yet are rarely recognized.
The Web Application Security People of the Year (WASPY) Awards is the OWASP Community's opportunity to recognize those individuals who have made an impact by leveraging the OWASP platform.
Best Chapter Leader
  • Sebastien Deleersnyder - Belgium
  • Jonathan Marcil - Montreal
  • Riotaro Okada - Japan
  • Ron Perris - Orange County
  • Sen Ueno - Japan

Best Project Leader
  • Tokuji Akamine - OWASP XSecurity Project
  • Spyros Gasteratos - OWASP Hacademic Challenges Project
  • Achim Hoffman - OWASP O-Saft
  • Jeremy Long - OWASP Dependency Check
  • John Melton - OWASP AppSensor
  • Matteo Meucci - OWASP Testing Project
Best Mission Outreach
  • AppSec USA 2013 Team - AppSec USA 2013
  • Jonathan Marcil - OWASP Videos
  • Mostafa Siraj - Cairo Chapter
Best New Community Supporter
  • AppSec APAC 2014 Team - AppSec Asia Pac 2014
  • Robert Dracea - AppSec Asia Pac 2014 - Japan
  • Beth Guth - South New Jersey
  • Takanori Nakanowatari - AppSec Asia Pac 2014 - Japan
Congratulations to all the nominees! You can read the full write-up on each person's accomplishments on the 2014 WASPY Awards Wiki Page.
Honorary Membership applications are now being accepted.
CLICK HERE to find out if you qualify for Honorary Membership. The deadline to submit your application is September 30, 2014.

Global AppSec Events in 2014

AppSec USA 2014 (September 16 - 19, Denver, CO)

Upcoming Regional Events

MSP Day of Talks (July 21, 2014, Minneapolis, MN)
BASC (October 18, Boston, MA)
LASCON 2014 (October 21 - 24, Austin, TX)

Partner and Promotional Events

OWASP has partnered with these great events in the beginning of 2014 to grow our community and build awareness around software security. If you want to learn more about OWASP's involvement, or will be attending and want to help out, contact us.
Secure Asia 2014, (July 23-24), Beijing, China.
BlackHat (August 2-7), Las Vegas, NV. OWASP Members receive $200 off BH briefings with code: owaBR200off.
BSides LV, (August 5-6), Las Vegas, NV.
EC-Council TakeDown Con, (August 14-19), Huntsville, AL.
Fraud Summit Toronto, (Sept 8, 2014) Toronto, Canada.
(ISC)2 Security Congress, (Sept 22 - Oct 2), Atlanta, GA. Today's employers are seeking software developers that have the knowledge and expertise to build secure, hacker-resistant software. Do you have what it takes? Prove it with a Certified Secure Software Lifecycle Professional (CSSLP®) certification from (ISC)2. Validate your competence in secure software development in new and evolving environments, including the cloud, mobile and more. Watch the CSSLP webcast series to get started.
EC-Council Hacker Halted(October 12-17, 2014) Atlanta, GA
ISSA International Conference (October 22-23), 2014, Orlando, FL

3rd Annual CISO Asia Summit and Roundtable (November 5-9), 2014, Singapore
Suits & Spooks, (December 14), Singapore.
International Conference on Cyber Security, (January 5-8, 2014), New York, NY.

Just for Fun

We would like to congratulate Javier Coirolo for submitting the first correct response to last issue's puzzle. Thank you everyone who submitted responses.
Click here to view last issue's puzzle
Here is this issue's challenge...
A chicken farmer has figured out that a hen and a half can lay an egg and a half in a day and a half. How many hens does the farmer need to produce one dozen eggs in six days?
Send your answers to our comment desk for a chance to win a prize. Winners will be announced in the next connector.


Request for Comment: Committees 2.0 Structure

The model outlined below represents a potential implementation of the idea currently being described as OWASP Committees 2.0. We aim to leverage the lessons learned from our previous committee model to create a new model that grows our leadership circles and empowers our leaders for more rapid action, while still ensuring that their activities stay true to OWASP's core values. It is still a work-in-progress, but represents the contributions from the OWASP Board, the OWASP Executive Director, OWASP Staff, Dinis Cruz, Johanna Curiel, and various others.
Click here to review the document.
This is your opportunity to have a voice in the future of OWASP governance. We look forward to hearing your thoughts on this proposal.

2014 Global Board of Directors Election

Please visit our 2014 Board Elections page for frequent updates. Our Call for Candidates is only open until August 15! Please submit your candidacy here.
Once confirmed, the candidates will conduct individual interviews answering questions from the community. Anyone can submit a question(s), vote up or vote down existing questions. The top 5 to 6 questions will then be used for each candidate's interview. If you have a question you would like to submit, please do so here.
For a complete Election Timeline, Click Here

Global Board of Directors Meeting Times

Interested in what is going on with the Board of Directors? Board meetings are open to the public, and upcoming meetings as well as agendas are posted to the Board wiki page
Upcoming 2014 Meetings
  • July 9, 2014 9am-10am PST
  • August 13, 2014, 9am-10am PST
  • September 10, 2014, 9am-10am PST
  • September 16, 2014, 6pm - 9pm MST (in person at AppSec USA)
Reminder: Discussing Governance at OWASP
We have an open mailing list for discussing the overall topic of governance at OWASP. Click Here to browse the list archives.


OWASP Winter Code Sprint
We are thrilled to announce the launch of OWASP Winter Code Sprint (OWCS) for this upcoming Autumn/Winter (Sept 14-March 15).
What is OWCS?
The OWCS is a program to involve students with security projects. By participating in OWCS a student can get real-life experience while contributing to an open source project and earning university credits.
How it works
Any OWASP project that will give you university credits can participate in OWCS. Each project will be guided by an OWASP expert along with a professor. Students are graded by their university, based on success criteria identified at the beginning of the project.
Projects are focused on developing security tools. It is required that the code any student produces for those projects will be released as Open Source. Universities are free to specify their own requirements to projects, such as written reports. OWASP does not influence the way grades are allocated. The OWASP advisers will provide any information professors need in order to grade their students.
How to participate?
As a Student:
  1. Review the list of OWASP Projects currently participating in OWCS
  2. Get in touch with the OWASP Project mentor of your choice
  3. Agree on deliverables with OWASP mentor and university professor
  4. Work away during Autumn/Winter 2014
  5. Rise to Open Source Development Glory!
As a Professor:
  1. Review the list of OWASP Projects currently participating in OWCS
  2. Get in touch with the OWASP Project mentor of your choice
  3. Promote the participating OWASP Projects among students
  4. Review student progress with help from OWASP mentors
  5. Grade student work according to university scoring system
  6. Provide student grade results to OWASP mentor/s
CLICK HERE for more information

OWASP Meet and Greet at BlackHat USA

What does this mean? Chapter and Project leaders that are already planning on attending BlackHat USA 2014 can sign up for a 2 hour slot (or more) to promote their chapter and/or project at the OWASP booth. This will allow conference goers that may only know you via email to put a face to a name. It will also give you visibility to thousands of individuals to promote your chapter and/or project.
We have a limited amount of "Expo Only" passes available if you were not planning on attending BlackHat but will be in Las Vegas on Wednesday, August 6 and/or Thursday, August 7 and want to promote your chapter/project at the OWASP booth.
Leaders will be showcased for the time(s) you select and the leader with the most visitors over the two days will win a prize!
To help us promote your chapter and/or project, please fill in the time(s) that best accommodates your schedule to be showcased at the OWASP BlackHat booth here.
BSides 2014 Las Vegas Tuesday, August 5 - Wednesday, August 6
Anyone that will be in Las Vegas and would like to help promote OWASP at our BSides booth is welcome! Please select the time(s) that best fit your schedule to volunteer at the OWASP booth here. The volunteer with the most visitors over the course of the two days will win a prize!

Another Staff Update - GK's Last Day

OWASP Leaders -

Our Community Manager, GK Southwick, gave her 2 week notice to OWASP on June 27, 2014. GK's last day will be this upcoming Friday, July 11.

Although GK has only been with us a short time, we appreciate the hard work and dedication she has had in trying to make headway in managing requests for new and existing chapters, starting a revamp of our merchandise request process and ensuring that community members' merchandise requests are answered in a timely fashion, and assisting with volunteer initiatives.

We wish GK best of luck in her future endeavors, including her great contributions to the AppSec community through her involvement with B-Sides Las Vegas and many other industry events.

OWASP will be re-hiring for the community manager position shortly. Stay tuned for updates on the application process and hiring timeline.

Sarah Baso

Monday, July 7, 2014

AppSec USA 2014 - Denver, CO September 16-19

As you know, AppSec USA 2014 is going to be held in Denver, CO September 16-19.

If you have not registered yet, be sure to do so HERE

Do not forget that chapter leaders can attend the conference free of charge by using a discount code when registering. Additionally, there are discount codes for the leaders to join training sessions (ask us for these codes).

We truly appreciate your help with promoting AppSec US 2014, and hope to see you in Denver.

Best regards,

Laura Grau
Global Conference Manager
OWASP Foundation