Monday, April 20, 2015

Introduction to using ZAP with Docker

By Samuli Elomaa


For those who are not familiar with Docker: Docker is an application container system that works somewhat like "user mode Linux" or LXC containers. It lets you deploy applications inside isolated containers that carry a full virtualized OS install, and those containers can easily be deployed wherever they are needed.

Building a Docker image is as simple as downloading the plain-text configuration file (the Dockerfile) containing the OS-specific commands and running the "docker build" command. Alternatively, you can use existing images with a simple "docker pull" command, which downloads pre-made images from Docker Hub.

To support ZAP usage in Docker environments, the ZAP project provides pre-made images that allow easy use and deployment of the stable and weekly versions of ZAP through Docker.

What can you do with ZAP docker images?

For me the main advantages are:
  • Integrating ZAP as part of docker based build/deploy CI-process in order to run non-interactive ZAP active scanning against other docker containers within the same cloud.
  • Quickly deploying ZAP to a docker friendly datacenter in order to use ZAP for scanning applications behind firewalls.
  • Having the latest ZAP stable/weekly release inside an isolated container in your personal workstation.

How to get started:

First you need to have the Docker tool installed. You can do this by following the instructions on the Docker website, or, if you are using a Debian-compatible OS, you can just type "apt-get install docker.io".

Once you have Docker installed, you can pull the latest ZAP Docker image from OWASP's image repository (hosted on Docker Hub):
docker pull owasp/zap2docker-stable
Or for the weekly images:
docker pull owasp/zap2docker-weekly
This downloads and installs the ZAP Docker image from Docker Hub. Alternatively, you can build your own image with the Dockerfiles located in the build/docker directory of the ZAP source code archive.

How to access ZAP running inside Docker

  • ZAP GUI (via VNC)
  • ZAPR for script/CI-friendly automatic active scanning without user interaction.
  • ZAP API

1. GUI via VNC

The easiest way to access the ZAP GUI is via the embedded VNC server:
docker run -u zap -p 5900:5900 -p 8080:8080 -i owasp/zap2docker-stable x11vnc --forever --usepw --create
This first asks you to set a VNC server password; once that is done it starts the VNC session, which you can connect to with your VNC client (in this example, localhost on TCP port 5900). To reach the ZAP proxy from your web browser, point your HTTP proxy setting at your Docker host's IP (or localhost) and TCP port 8080. When you are done, you can just kill the Docker container with Ctrl+C.

To get the report files out of the Docker container, you can use the data volume mounting option: -v localdir:/home/zap/ , although this has problems on systems like boot2docker. Please see the following page for more detailed information about managing data in Docker containers: https://docs.docker.com/userguide/dockervolumes/

2. ZAPR

Zapr is a Ruby script for ZAP that allows non-interactive active scanning of the desired targets, which is handy for things like cron jobs or shell-script jobs. Note that the summary report from Zapr is printed to the console after the Docker command has run.
docker run -u zap -i owasp/zap2docker-stable zapr --debug --summary http://target

3. API or headless mode

The best way to integrate ZAP into your CI scripts (if you use Java or Python) is through the API:
docker run -p 8090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0
While this is running, you can access the ZAP API from localhost or the host IP on TCP port 8090, e.g. http://127.0.0.1:8090/ or http://dockerip:8090/

See more details regarding the ZAP api usage here: https://code.google.com/p/zaproxy/wiki/ApiDetails
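An added example (not code from the ZAP project or from this post) of how a CI job can drive the daemon started above through the ZAP JSON API: spider the target, run an active scan, then fail the build if any High-risk alert is reported. It assumes the daemon address and port from the command above, the /JSON/<component>/<view|action>/<name>/ URL layout and the "scan", "status", "alerts", "risk" and "alert" fields of the ZAP JSON API; the HTTP transport is injectable so the flow can be exercised offline with canned responses.

```python
"""Drive a headless ZAP daemon over its JSON API and gate a CI build on the findings.

Assumes ZAP was started as in the article:
    docker run -p 8090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0
Note that "-p 8090:8090" publishes the API on every host interface; in CI prefer
"-p 127.0.0.1:8090:8090" or a private Docker network so only the build job can reach it.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8090"  # assumed daemon address, taken from the article

# Risk levels as ZAP reports them in the "risk" field, ranked for the gate.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def api_url(component, kind, name, params=None, base=ZAP_BASE):
    """Build a ZAP JSON API URL: <base>/JSON/<component>/<view|action>/<name>/?<params>."""
    query = urllib.parse.urlencode(params or {})
    return f"{base}/JSON/{component}/{kind}/{name}/?{query}"


def http_get_json(url):
    """Default transport: plain HTTP GET that parses the JSON body."""
    with urllib.request.urlopen(url, timeout=60) as resp:
        return json.loads(resp.read().decode("utf-8"))


class ZapClient:
    """Minimal client for the spider, the active scanner and the alerts view."""

    def __init__(self, base=ZAP_BASE, fetch=http_get_json, api_key=None, poll_interval=2.0):
        self.base = base
        self.fetch = fetch            # injectable transport, so the flow is testable offline
        self.api_key = api_key        # later ZAP releases require an "apikey" parameter
        self.poll_interval = poll_interval

    def _call(self, component, kind, name, **params):
        if self.api_key:
            params["apikey"] = self.api_key
        return self.fetch(api_url(component, kind, name, params, self.base))

    def _wait(self, component, scan_id):
        # Both "spider" and "ascan" expose view/status returning {"status": "0".."100"}.
        while int(self._call(component, "view", "status", scanId=scan_id)["status"]) < 100:
            time.sleep(self.poll_interval)

    def spider(self, target):
        scan_id = self._call("spider", "action", "scan", url=target)["scan"]
        self._wait("spider", scan_id)
        return scan_id

    def active_scan(self, target):
        scan_id = self._call("ascan", "action", "scan", url=target)["scan"]
        self._wait("ascan", scan_id)
        return scan_id

    def alerts(self, target):
        return self._call("core", "view", "alerts", baseurl=target)["alerts"]


def summarize_alerts(alerts):
    """Count alerts per risk level and list distinct (risk, alert name) pairs, highest risk first."""
    counts = {level: 0 for level in RISK_ORDER}
    distinct = set()
    for alert in alerts:
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
        distinct.add((risk, alert.get("alert", "")))
    ordered = sorted(distinct, key=lambda pair: (-RISK_ORDER.get(pair[0], 0), pair[1]))
    return counts, ordered


def ci_gate(alerts, fail_at="High"):
    """True when the build may proceed: no alert with risk at or above fail_at."""
    threshold = RISK_ORDER[fail_at]
    return all(RISK_ORDER.get(alert.get("risk"), 0) < threshold for alert in alerts)


def run_scan(target, client=None, fail_at="High"):
    """Spider, actively scan, then summarize and gate. Returns a dict suitable for a CI log."""
    client = client or ZapClient()
    client.spider(target)
    client.active_scan(target)
    found = client.alerts(target)
    counts, findings = summarize_alerts(found)
    return {"counts": counts, "findings": findings, "passed": ci_gate(found, fail_at)}


if __name__ == "__main__":
    import sys
    result = run_scan(sys.argv[1] if len(sys.argv) > 1 else "http://target")
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["passed"] else 1)
```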

For help with Docker itself, the Docker project has a nice Docker User Guide at: https://docs.docker.com/userguide/

Happy Hacking!

Tuesday, April 14, 2015

OWASP ZAP 2.4.0

ZAP is an OWASP Flagship project, and is currently the most active open source web application security tool.

A major new release of ZAP, 2.4.0 is now available: http://code.google.com/p/zaproxy/wiki/Downloads?tm=2

For a quick introduction to the new release see this video:



Some of the most significant changes include:

‘Attack’ Mode

A new ‘attack’ mode has been added: applications you have specified as being in scope are actively scanned as they are discovered.

Advanced Fuzzing

A completely new fuzzing dialog has been introduced. It allows multiple injection points to be attacked at the same time and introduces new attack payloads, including the option to use scripts to generate the payloads and to perform pre- and post-attack manipulation and analysis.

Scan Policies

Scan policies define exactly which rules are run as part of an active scan.
They also define how these rules run influencing how many requests are made and how likely potential issues are to be flagged.
The new Scan Policy Manager dialog allows you to create, import and export as many scan policies as you need. You can select any scan policy when you start an active scan, and you can also specify the one used by the new attack mode.
Scan policy dialog boxes allow sorting by any column, and include a quality column (indicating if individual scanners are Release, Beta, or Alpha quality).

Scan Dialogs with Advanced Options

New Active Scan and Spider dialogs have replaced the increasing number of right click 'Attack' options. These provide easy access to all of the most common options and optionally a wide range of advanced options.

Hiding Unused Tabs

By default only the essential tabs are now shown when ZAP starts up.
The remaining tabs are revealed when they are used (e.g. for the spider and active scanner) or when you display them via the special tab on the far right of each window with the green '+' icon. This special tab disappears if there are no hidden tabs.
Tabs can be closed via a small 'x' icon which is shown when the tab is selected.
Tabs can also be 'pinned' using a small 'pin' icon that is also shown when the tab is selected - pinned tabs will be shown when ZAP next starts up.

New Add-ons

Two significant new ‘alpha’ quality add-ons are available:
  • Access Control Testing: adds the ability to automate many aspects of access control testing.
  • Sequence Scanning: adds the ability to scan 'sequences' of web pages, in other words pages that must be visited in a strict order in order to work correctly.
These can both be downloaded from the ZAP Marketplace.

New Scan Rules

A number of significant new ‘alpha’ quality scanners are available:
  • Relative Path Confusion: Allows ZAP to scan for issues that may result in XSS, by detecting if the browser can be fooled into interpreting HTML as CSS.
  • Proxy Disclosure: Allows ZAP to detect forward and reverse proxies between the ZAP instance and the origin web server / application server.
  • Storability / Cacheability: Allows ZAP to passively determine whether a page is storable by a shared cache, and whether it can be served from that cache in response to a similar request. This is useful from both a privacy and application performance perspective. The scanner follows RFC 7234.
Support has also been added for Direct Web Remoting as an input vector for all scan rules.

Changed Scan Rules

  • External Redirect: This plugin’s ID has been changed from 30000 to 20019, in order to more closely align with the established groupings. (This change may be of importance to **API Users**). Additionally some minor changes have been implemented to prevent collisions between injected values and in-page content, and improve performance. (Issues: 1529 and 1569)
  • Session ID in URL Rewrite: This plugin has been updated with a minimum length check for the value of the parameters it looks for. A false positive condition was raised related to this plugin (Issue 1396) whereby sID=5 would trigger a finding. Minimum length for session IDs as this plugin interprets them is now eight (8) characters.
  • Client Browser Cache: The active scan rule TestClientBrowserCache has been removed. Checks performed by the passive scan rule CacheControlScanner have been slightly modified. (Issue 1499)

More User Interface Changes

  • The ZAP splash screen is back: It now includes new graphics, a tips & tricks module, and loading/progress info.
  • The active scan dialog shows the real progress of each plugin, based on the number of nodes that still need to be scanned.
  • There is a new session persistence options dialog that prompts the user for their preferred settings at startup (you can choose to “Remember” the option and not be asked again).
  • For all Alerts the Risk field (False Positive, Suspicious, Warning) has been replaced with a more appropriately defined Confidence field (False Positive, Low, Medium, High, or Confirmed).
  • Timestamps are now optionally available for the output tab.

Extended API Support

The API now supports spidering and active scanning of multiple targets concurrently, the management of scan policies, and even more of the ZAP functionality.

Internationalized Help Add-ons

The help files are internationalized via https://crowdin.net/project/owasp-zap-help.
If you use ZAP in one of the many languages we support, then look on the ZAP Marketplace to see if the help files for that language are available. These will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.

Release Notes

See the Release Notes (https://code.google.com/p/zaproxy/wiki/HelpReleases2_4_0) for a full list of all of the changes included in this release.

ZAP Community - first Summit and scripts on GitHub

Although it's not directly related to this release, this is too good an opportunity not to mention the very first ZAP Summit, which will take place at AppSec EU in Amsterdam on May 20th 2015 (https://www.owasp.org/index.php/ZAP_Summit_2015).
Entry is free - come along and help define the future direction of ZAP!
And we have a set of ZAP community scripts on GitHub - pull requests very welcome!

To keep up to date with ZAP related news follow @zaproxy on twitter.

Tuesday, March 31, 2015

OWASP Community Manager News Flash – March 2015


Greetings OWASP Community,

Goodbye, March. Hello, April. I realized as I am finalizing this email that it may already be April for some of you when you get this newsletter. With Springtime in the Northern Hemisphere and Autumn beginning in the Southern Hemisphere, it is a time of change (for the better) and time to reflect on your participation with OWASP activities.

Read on to find out how we can support positive changes, starting with our 2015 Strategic Goals, which focus on developing training, strengthening our chapters and maturing our projects platforms. There are many ways for you to get involved and I look forward to your participation.

Happy journeys,

Noreen Whysel
Community Manager
OWASP Foundation


Announcing the 2015 Strategic Goals

The 2015 Strategic Goals have been posted to the wiki. Thanks to all who participated in our 2015 Strategic Goals Survey. You will notice that each of these goals require the participation of the entire OWASP Community. We hope you will help out where you are able and interested.

1. Build a scalable OWASP training program that spreads security training around the world (contact Andrew van der Stock at vanderaj@owasp.org to help)

2. Strengthen OWASP chapters and increase Chapters’ abilities to spread the message of OWASP through locally organized and run events. (contact Matt.Konda@owasp.org, Josh.Sokol@owasp.org or Noreen.Whysel@owasp.org to help out)

3. Mature the OWASP Projects Platform: Provide the OWASP projects community a mature project platform to encourage senior developers to participate in the various and many OWASP projects. (contact Johanna.Curiel@owasp.org to help)

View metrics, board sponsors and foundation support for each goal at:



Latest News – Updating the Chapter Leader Handbook

What's New?

I have been working on updating the Chapter Leader Handbook and invite our community to participate in discussions around what is working and what is not working, what needs changing and what should be kept as is.

If you would like to participate, please visit the Chapter Leader Handbook at:


I have started adding comments and suggested changes to the Talk pages of each chapter. To add your comments, you will need to login to the wiki, click the "Discussion" tab at the top left of the page, and it will open an edit form where you can make suggestions, challenge suggested changes or suggest clarifications and additional content. I can copy comments or concerns reported via the mailing lists to the discussion page as well. This way comments can be tracked and addressed directly in the wiki. 

It would be helpful if you sign your name to any suggestions or comments you make. The MediaWiki platform makes this very easy: simply type four tildes in a row (~~~~) and click Save. This will automatically save your name and a timestamp so we can address specific comments.

At this time do not make any edits to the Chapter Leader Handbook pages. Unauthorized edits will be reverted to the current version.

If you have any questions, please feel free to reach out to me.

Refresher on the Mandatory Chapter Rules

We recommend that everyone take a refresher view at Chapter 2: Mandatory Chapter Rules, which contains the minimum requirements for OWASP chapter leaders. One of the areas which could see improvement is in announcing upcoming chapter meetings. The rules state that you must post upcoming meetings to the wiki and to the mailing list. Not all chapters do this consistently. Some simply point to an external forum such as Facebook or Meetup. This is not sufficient since the wiki posting and mailing lists are intended to keep the broader OWASP community informed in addition to your local group.

Think of this from the perspective of someone new to your chapter. If the most recent meeting on your wiki site is from 2011, or the only way to learn about meetings is by joining an external social media site, your visitors may seek a different group. Meeting listings on the wiki and mailing list are indicators that a chapter is active and affiliated with the global OWASP Foundation. Also, we occasionally hear from security minded folks (wouldn't you know?) who do not want to join yet another social media group just to find out when a meeting will be held. OWASP's first rule is "free and open" and the best way to keep it that way is to post all announcements to the wiki.

Finally, we receive multiple requests each week from people who want to "restart" a chapter that appears to be inactive. Failing to comply with this rule risks having your chapter labeled "inactive" and possibly handed over to someone new.


OWASP On the Move - Recent Chapter Activity

We are just a week away from the launch of LATAM 2015. We now have 10 countries participating! Registration is open for the following dates and locations:

Santiago, Chile: April, 8th-9th 2015
Patagonia, Argentina: April, 10th-11th 2015
Bucaramanga, Colombia: April, 14th 2015
Montevideo, Uruguay: April, 15th-16th 2015
Lima, Peru: April, 17th-18th 2015
Santa Cruz, Bolivia: April 17th -18th 2015
San Jose, Costa Rica: April, 21st 2015
Guatemala, Guatemala: April, 21st-22nd 2015
Buenos Aires, Argentina: April, 24th 2015
Caracas, Venezuela: April, 23rd 2015


Also Mark Miller interviewed the organizing team for AppSecEU 2015 You can find the audio file here: 2015 AppSecEU Pre Conference Update [AUDIO]. AppSecEU is May 19-22, 2015 in Amsterdam.

We have a group who are working on launching an AppSec Africa event. If you are interested, you can follow the discussion on the owasp-leaders mailing list (see link below) or visit the draft event page and add your name to the Team tab.


The New York City chapter successfully held a (mini) Project Summit at HACKNYC 2015 at the Pennsylvania Hotel, with teams working on the OWASP Mobile Security Project, OWASP Incident Response Project, ASVS and Open SAMM. Community Manager Noreen Whysel was also on hand to teach attendees about OWASP and Application Security on Wikipedia.

New Chapters

This month, we launched new chapters in Bihar State, India; Stockholm, Sweden; and Southern New Hampshire, USA. We are also in the process of setting up a student chapter at Lovely Professional University in Phagwara, India. For information or to join these communities, please visit their chapter wiki pages:


TIP: Updating Chapter Leader Information

We realize that commitments change and your chapter may need to name a new leader. Please update your wiki pages and mailing lists with any new leader contact information and submit a request for a new owasp.org email account, if required. 

Ideally, chapter leader changes should be reported by the current leader or a member of the leadership team. If we receive a request directly from someone who intends to become a new leader, we will always contact the listed leader for verification. If a chapter is inactive and a new leader would like to take over, we favor those who have demonstrated experience with OWASP and/or application security and may reach out to the existing chapter members for discussion. Since the leader has responsibility for any funding allocated to that chapter, it is in everyone's interest that all chapter members be involved in any leadership changes.

Leader turnover is not something where we have hard and fast rules. For the most part we encourage the chapters to initiate any leadership changes internally, and provide assistance in case of a dispute. Leadership is covered in the Chapter Leader Handbook in Chapter 5: Governance. Again, we would love to hear your thoughts about chapter governance on the wiki Discussion page.


Academic Supporters

Since launching our new Academic Supporter application, we have begun to receive interest from universities in becoming supporters. This month, we welcomed the Rajasthan Institute of Engineering of Technology in Jaipur, India and the University of Vienna, Austria. If you are affiliated with either of these institutions or know people in the program, feel free to reach out to say thanks and to work on developing collaborations.

Thanks to everyone who has passed along the new Academic Supporter application form. Do let your local universities know that this opportunity exists by pointing them to the program:



Resources

Academic Supporter Information and Application:
https://www.owasp.org/index.php/Academic_Supporter
http://www.tfaforms.com/338407 (application)


Contact Me

Feel free to contact me at any time if you have a question or suggestion. To create a trackable case, please use the contact us form at http://www.tfaforms.com/308703.

Friday, March 20, 2015

OWASP March 19 Connector


OWASP Global Connector

March 19, 2015 || www.owasp.org | Contact Us | Brought to you by the OWASP Foundation
Communications

2015 Strategic Goals

OWASP Adrenaline

OWASP and the 2015 LATAM tour promoted on Mundo Hacker TV

membership

Corporate Members

Conference

AppSec EU 2015 Updates

AppSec USA 2015 Call for Training Open

OWASP SAMM Project Summit

2015 LATAM Tour

Partner and Promotional Events

chapters

New OWASP Chapters

Chapter Transitions

projects

OWASP Dependency-Track 1.0.0 Released

OWASP Vicnum Project Updated

OWASP Dependency Check 1.2.9 released

CISO Guide Translated to Spanish

Social Media

OWASP Foundation Social Media




Communications
OWASP Communications

Where do we go from here - OWASP releasing strategic goals for 2015!

by Tobias Gondrom, Chairman of the Board


Over the last years OWASP has grown and further followed our successful path improving Web and Application Security around the world. Today, our organization is in great shape and we are building up to what is promising to become a fantastic year 2015 for OWASP!
In the previous years we frequently set strategic goals to focus our global activities and to further our mission in specific and measurable ways. It is important to note that these goals are by no means a view to limit our community activity on only these goals. But rather the goals are to inspire new actions in addition to our already many ongoing great activities and to focus some of our efforts where we see great potential for OWASP and our mission to make application security more visible around the world.
This year we wanted to include more community feedback into these goals. In January, we sent out a survey to the OWASP Community asking for your thoughts on our strategic goals for 2015. And we received an amazingly high turnout and feedback from over 1,100 people responding to our survey. Thank you all for that! Your feedback was extremely valuable and greatly appreciated! It guided our priorities in 2015 and beyond. And we also received a lot of messages from volunteers in the survey who want to join some of the activities on these goals. Don't worry, we will get back to you on this now.
Today we proudly release the following three strategic goals for 2015:

  • Build a scalable OWASP training program that spreads security training around the world.
  • Strengthen OWASP chapters and increase Chapter's abilities to spread the message of OWASP through locally organized and run events.
  • Mature the OWASP Projects Platform: Provide the OWASP projects community a mature project platform to encourage senior developers to participate in the various and many OWASP projects.
For more details on these goals and some of the actions we plan to take to achieve them, please take a look at our WIKI PAGE.
Over the recent months and years, we have already seen amazing new chapter activities, project work and a lot of people from the community joining as volunteers and leaders. We are an open community organisation, and every activity is driven by you, our thousands of volunteers, members and leaders around the world. So if you have an idea how to contribute to the goals above (or any other exciting OWASP activity), we would like to hear from you. If you would like to join one of our many activities, please let us know: join the community list (owasp-community@lists.owasp.org, free to join for everyone) and post your interest or idea there to find other interested people to join you, or write to our community manager Noreen Whysel.
We want you to get involved!
YOU are OWASP - OWASP needs YOU!
With that, I wish all of us an amazing and exciting time ahead.
Tobias Gondrom, Chairman of the Board


OWASP Adrenaline


2014 OWASP Annual Report Call for Content

The OWASP Foundation is looking for exciting and illustrative success stories from YOU, the community, for inclusion in our 2014 Annual Report. This year's theme is simply: Growing, Learning, Sharing, Leading.
Tell us how you and your team worked to spread the OWASP mission [link to mission statement] in 2014. Here are some ideas but feel free to be creative!
  • How did your local/regional/global collaboration spread security awareness?
  • What types of educational outreach did you and/or your team accomplish?
  • How did you and/or your team leverage the OWASP platform to inspire non security professionals to turn their attention to application security?
  • Where did you leave a BIG OWASP footprint?
  • How did YOU benefit from the different facets of the OWASP platform?
Submit your content - articles, pictures, ideas [here] by April 14, 2015. This is your opportunity to share with the world why you participate. We want everyone to contribute! Everyone's story is important to the Foundation. Become globally famous by submitting your picture and/or brief bio so we can be sure to give you credit for your contribution. Of course, you may also request to remain anonymous if you prefer.

OWASP and 2015 LATAM Tour represented on Mundo Hacker TV

OWASP was represented on Mundo Hacker TV by Fabio Cerullo
CLICK HERE to watch the entire interview.


Membership
OWASP Membership

New Corporate Members

Renewed Corporate Members


Conference
OWASP Events

OWASP AppSec EU Updates

The Keynotes have been published and the program is taking shape!
Tuesday 19th May, 2015

Wednesday 20th May, 2015

Thursday and Friday 21st and 22nd May, 2015
Conference Days including: Keynotes, CISO, DEV, Hack, Ops, and Research talks, HackPra Allstars, Hands on sessions, and more ...

AppSec USA 2015 Call For Training Is Open

OWASP is soliciting training providers for the AppSec USA Conference.
Please submit via this Google Form.
Submission Deadline is April 15, 2015
We are interested in all topics related to Web Application Security and OWASP, in particular, but not limited to (these are just examples):

  • Secure development: frameworks, best practices, secure coding, methods, processes, SDLC
  • Vulnerability analysis: code review, pentest, static analysis
  • Threat modelling
  • Cloud Security
  • Browser Security
  • HTML5 Security
  • OWASP tools or projects in practice
  • New technologies, paradigms, tools
  • Privacy in web apps, Web services (REST, XML) and data storage
  • Operations and software security
  • Management topics in Application Security: Business Risks, Outsourcing/Offshoring, Awareness Programs, Project Management, Managing SDLC
More information on the Call for Training can be found HERE

OWASP SAMM Project Summit

Join us for the first OWASP SAMM Project Summit in Dublin March 27-28.
Friday is User Day covering talks, training, and round tables followed by a social event.
Saturday is Project Day covering the release of version 1.1, workshops, and roadmap discussions
Participate and steer one of our great flagship projects to the next level!
Details and registration can be found HERE. Follow us on twitter @OwaspSAMM

LATAM Tour 2015


    Agenda
  • Santiago, Chile: April 8-9, 2015
  • Patagonia, Argentina: April 10, 2015
  • Bucaramanga, Colombia: April 14, 2015
  • Montevideo, Uruguay: April 15-16, 2015
  • Lima, Peru: April 17-18, 2015
  • Santa Cruz, Bolivia: April 17-18, 2015
  • San Jose, Costa Rica: April 21, 2015
  • Guatemala, Guatemala: April 21-22, 2015
  • Buenos Aires, Argentina: April 23-24, 2015
  • Caracas, Venezuela: April 23-24, 2015


Partner and Promotional Events

Info Security Indonesia Conference (March 24, 2015) Jakarta, Indonesia
BlackHat Asia 2015 (March 24-27, 2015) Singapore. OWASP members receive $200 off briefings using code BRow200.
(ISC)2 SecureIreland Conference 2015 (March 31, 2015) Dublin Ireland. OWASP Members receive 20% off general event fees. Discount code OWASPISSCIRE
Cyber Security Summit Europe - Financial Sector (April 14-15, 2015) Prague, Czech Republic. OWASP Members receive 20% off general event fees. Discount code CSSOW
AppsWorld Germany 2015 (April 22-23, 2015) Berlin, Germany
AppsWorld North America 2015 (May 12-13, 2015) San Francisco, CA
SANS CyberTalent Fair (May 14-15, 2015) Virtual, online
International Conference on Cyber Security (ICCS) (May 16-17, 2015) City of Redlands, CA. OWASP members receive 25% off the general event fee. Discount code ICCSOWASP
Cloud Security World 2015 (May 19-21, 2015) New Orleans, LA. OWASP members receive a 25% discount off the standard event fee. Discount code CLD15-OWASP
Hack In the Box (May 26-29, 2015) OWASP members receive 20% off by using discount code OWASP-HITB2015AMS
SC Congress Toronto (June 10 - 12, 2015) Toronto, Canada. Register with your @owasp email address and receive a discount.
EuroPython 2015 (July 20-26, 2015) Bilbao, Spain
Info Security Malaysia Conference (August 6, 2015) Kuala Lumpur


chapters
OWASP Chapters

New Chapters

Southern New Hampshire - Chapter Leaders - James Burroughs and Edmond Holohan
Knoxville, TN - Chapter Leader - Daniel Harvey
Bihar, India - Chapter Leader - Nishant
Northern Sweden - Chapter Leaders - Markus Örebrand and Magnus Hultdin

Chapter Transitions

Guatemala - New Chapter Leaders - Pablo Barrera and Camilo Fernandez

Busan, Korea - Chapter Leaders - Jang-Goon Sohn (Treasurer), Park Chang-Hyun, and Jang Byeong-jo

Share your chapter's successes! Submit your stories here

projects
OWASP Projects

OWASP Dependency-Track 1.0.0 Released

Dependency-Track is a webapp that allows organizations to document the use of third-party components across multiple applications and versions. Further, it provides automatic visibility into the use of components with known vulnerabilities. Dependency-Track complements the wildly successful and highly useful Dependency-Check project by embedding its core engine and fulfilling additional use cases. It's another tool to combat the A9 problem.
You can get more information about the project and the release HERE

OWASP Vicnum Project Updated

The OWASP Vicnum Project has been updated to include a vulnerable XXE VM at http://xxe.sourceforge.net/
This VM was used in recent CTF events including the Breaking Bad challenge event at AppSec USA 2013 in NYC.
As with other vulnerable or broken apps, the basic goal of the project is to:
  • Test web application scanners
  • Test manual attack techniques
  • Test source code analysis tools
  • Look at the code that allows the vulnerabilities
  • Test web application firewalls
  • Have a little fun

OWASP Dependency Check 1.2.9 released

The OWASP Dependency-check team is pleased to announce the release of 1.2.9! This release contains general maintenance, upgrading dependent libraries, minor bug fixes, etc.
Please visit the documentation site for information on obtaining the new version (CLI, Maven Plugin, Ant, Task, Jenkins Plugin)
The changes of note are:
  • The Maven plugin was reworked to correctly process child modules when creating an aggregate project. Included in the change were several other issues end users have contacted me about.
  • Reduced false negatives with regard to some versions of Spring.
  • Fixed issue #196 - Some JAR files do not contain POM files yet a full POM is available from Central (or alternatively Nexus). Both the Central and Nexus analyzers will now look for and retrieve the POM if one has not been found locally. A result of this change is that if both the Central and Nexus analyzer are disabled there is a chance of false negatives (i.e. the dependency could not be correctly identified as vulnerable).
  • Fixed issue #185 - Maven aggregate reports now display the project name that references vulnerable dependency.
We continue to get help from the github community! This release includes PRs from Ahmet Kiyak and Hans Joachim Desserud. Thanks for all your help!

OWASP CISO Guide Translated into Spanish

You can reference it HERE.

Social Media
OWASP Social Media

OWASP Social Media Sites



Friday, February 27, 2015

OWASP Community Manager News Flash – February 2015

OWASP Community Manager News Flash #2 – February 2015

Latest News – Updated Branding Guidelines

What's New?

We have completed a review of the Branding Guidelines and posted updates to the wiki and a new downloadable PDF. The main changes were to include clear links to downloadable content, including information about file type and size, and to add some clarification to identity customizations. Some of the downloadable content, particularly brochures, did not include the high-resolution version of the download, and some of this content needs to be updated. We have located and provided links to this content where possible and are working on updated versions of some materials. Keep your eye out for those.

Can I Customize the OWASP logo for my Chapter or Project?

We also added an OWASP brand use case for events and conferences, which had not been included previously. In addition, we have expanded information regarding “allowable customization” of the OWASP logo for event promotion, chapter pages and social media. While the original marketing recommendations strictly limited customization to changes in color, many current customizations, including the addition of a country flag in the background and similar modifications, add personality and local color to the chapter and project identity without obscuring the overall OWASP brand.

Here are examples of some customizations we liked:

Chapter: OWASP Atlanta
Chapter: OWASP Argentina
Events: AppSecUSA

We aren't going to post examples that don’t meet guidelines, but do ask that each chapter and project review their current social media avatars and wiki page logos and make an honest evaluation of whether your images meet the guidelines.

Please read these new branding rules carefully, and let me know if you have any comments, suggestions or questions.


OWASP On the Move - Recent Chapter Activity

Congratulations to John Patrick Lita and the OWASP Manila Chapter. Manila hosted 900 attendees at Bulacan State University and is planning a workshop for 60 students and faculty members in March. Manila’s school tour continues on February 27 with San Sebastian College in Cavite City. John Patrick was recently invited by DZIQ 990AM Radyo Inquirer to discuss how @OWASP can help the Philippine Government promote awareness about cyber security.

OWASP Lucknow reported hosting the biggest OWASP / DEFCON Security Meet ever held in India successfully with a record 379 Attendees! Congrats!
New Chapter OWASP Brooklyn launched on February 3rd at a maker lab in Williamsburg. Their next event will be held on Saturday, February 28th at NYU Poly and will feature Technology Transfer: Creating Cultures of Innovation. Speakers from USCENTCOM innovation office.

OWASP Cluj, another new chapter in Romania, launched on January 29 with over 100 in attendance and many interested in contributing further!


New Chapters

This month, we launched new chapters in Dehradun and Jaipur, India, Sharjah, UAE, and Sheffield, UK, as well as a student chapter in Busan, South Korea. For information or to join these communities, please visit their chapter wiki pages:



TIP: Add Your Meetings to the OWASP Event Calendar

We have noticed that the OWASP Event Calendar has been pretty quiet. Please be sure to post your events to this calendar so all can see what is going on. Visit http://calendar.google.com. All leaders should have a shared copy available. Just click the checkbox next to “OWASP Event Calendar” under “My Calendars” in the left column. Let me know if you are having trouble adding it to your Google Calendar.


Academic Supporters

Universities are wonderful resources for local chapters. Our Academic Supporter program allows universities to support OWASP by providing space for chapters to meet and promotion and development of OWASP education materials. If you have connections with local universities and faculty members in your area, reach out to them and encourage them to join OWASP as an Academic Supporter.

We have launched a new Academic Supporter application process. The application form is now available online at http://www.tfaforms.com/338407. Do let your local universities know that this opportunity exists.


2015 Strategic Goals

Thanks to all who participated in our 2015 Strategic Goals Survey. We are tabulating responses and will continue that discussion soon. Stay tuned!


Other Resources



Academic Supporter Information and Application
https://www.owasp.org/index.php/Academic_Supporter
http://www.tfaforms.com/338407 (application)


Contact Me

Feel free to contact me at any time if you have a question or suggestion. To create a trackable case, please use the contact us form at http://www.tfaforms.com/308703.

Noreen Whysel
Community Manager

OWASP Foundation