Monday, September 26, 2016

ISSA Names OWASP the Security Organization of the Year

ISSA has named OWASP its Organization of the Year for 2016. We humbly thank our incredible volunteers for making this possible through all of their hard work on OWASP Projects and in OWASP Chapters. With such great people helping us create a more secure world, we can't go wrong!

Congratulations to all of the other amazing winners, some of whom are also wonderful OWASP volunteers:

Chapter of the Year (100-200 Members):  ISSA Minnesota Chapter

Chapter of the Year (200+ Members): ISSA Capitol of Texas Chapter

Honor Roll: Richard Greenberg & Joel Weise

Organization of the Year: OWASP

Security Professional of the Year: Albert Marcella

Volunteer of the Year: Constance Matthews & Colleen Murphy

Hall of Fame: Gerald Combs & Jim Reavis

President’s Award for Public Service: Howard Schmidt

We cannot wait to see you in November at the Awards Luncheon and ISSA Conference in Dallas.

If you are interested in joining our thriving global community to drive visibility and evolution in the safety and security of the world's software, become a member, check out our projects, or find your local chapter.

OWASP Bucharest AppSec Conference 2016 - October 6th

The OWASP Bucharest team is happy to announce the OWASP Bucharest AppSec Conference 2016, a one-day security and hacking conference dedicated to application security.
It will take place on 6th of October, 2016 in Bucharest, Romania at the Sheraton Bucharest Hotel.
  • Conference talks are free; however, you need to register.
The event will be in English, with cutting-edge topics presented by renowned security professionals: Daniel Kefer, Adrian Hada, Jacco van Tujil, Andrei Daniel Oprisan.

  • Workshops:
OWASP Top 10 vulnerabilities – discover, exploit, remediate
Increases participants' awareness of the most common web application vulnerabilities and their associated risks.
Each type of vulnerability will be discussed, and attendees will practice manual discovery and exploitation techniques.

Secure Web Applications in Java
Learn how to build secure coding and secure code review skills, and how to uncover and protect against some of the most common vulnerabilities in Java code.

Shellcode Development and Exploiting
Learn how to write shellcode and how to construct basic attack vectors with it, and gain a better understanding of how programs and processes work.
Trainers: Razvan Deaconescu; Mihai Țigănuș

Practical Cryptography on the Internet
The training will feature many guided hands-on activities, such as creating certificate hierarchies, configuring custom certificates on clients and servers, modifying security policies, impersonating "seemingly secure" identities, downgrading connections, and extracting information from secure HTTPS sessions.
Trainer: Sergiu Costea

  • CTF (Capture The Flag)
Capture The Flag contests are a popular way to hone your practical security skills by solving challenges on topics such as web, crypto, reverse engineering and exploitation.
We invite everyone passionate about practical security to the OWASP AppSec 2016 CTF, where you and your team will solve challenges on web, reverse engineering and exploitation.
In order to participate in the CTF competition, please register here:
The prizes will be as follows:
  • 1st place: 1024 euros
  • 2nd place: 512 euros
  • 3rd place: 256 euros
More information about the agenda can be found at:
You can register at:

We look forward to seeing you at this event!

Friday, September 16, 2016

Interview with the Board Candidates, Parts 1 & 2 of 4 (ETA: all four parts are now available)

Every year, as part of the OWASP Board of Directors election, OWASP holds a call for questions from the community. The top four questions are then selected to be recorded in individual interviews on the OWASP Podcast to give members insight into the candidates' priorities and philosophies. This year the most requested questions were:
1. What kind of action plan do you have in mind to help motivate the participation of Developers into OWASP community?
2. What would you do to improve OWASP's image regarding vendor neutrality?
3. What has been the greatest accomplishment of OWASP Foundation and what is its biggest failure?
4. What is more important to you as a candidate 1) Members 2) Projects 3) Conferences 4) Chapters and why?
Each episode of the podcast will be released on our Soundcloud account and then linked on the elections page. Parts one and two are available now, as are the candidates' biographies and statements of intent.

Don't forget that only paid and honorary members can vote, so join before September 30, 2016!

Edited to add Parts three and four.

Tuesday, September 13, 2016

Why we Need Women in Security Careers

Cross-posted from the AppSec USA blog
Security is one of the largest and most critical industries right now. In 2015, more than $75 billion was pumped into the industry to solve the most pressing security challenges. That is up from $3.5 billion only 10 years prior, and spending is expected to reach $1 trillion by 2020. Yet, as the industry grows exponentially, the workforce gap continues to widen. According to a recent study published by (ISC)2 and Frost & Sullivan, the workforce gap in the security industry is expected to reach 1.5 million people by 2020. Even more alarming is the small percentage of women currently in the field: 10 percent!
The solution to filling the workforce gap seems simple: hire more women. It's not that easy, though. There are multiple barriers that prevent women from entering the field, including a lack of education in primary schools and college, insufficient communication about job opportunities, and minimal internal training to encourage women to learn the skills needed for career changes and advancement.
OWASP’s Women in AppSec (WIA) initiative is aware of these barriers and is actively changing the status quo about women in security through research, education and mentorships. WIA encourages female students at the undergraduate and graduate levels, instructors, military personnel transitioning out of service, and professional working women to expand their skills and pursue a career in application and/or information security.
How You Can be Part of the Initiative
WIA has exciting events in store for AppSecUSA 2016 taking place in Washington, DC, October 11-14. Join us for unique opportunities to network with like-minded industry professionals and discuss the future of WIA events around the globe. Events include:
  • Networking Reception: Meet like-minded industry professionals and make connections to help launch or expand your career in the security industry
    October 12 @ 5:00pm
    Renaissance Hotel
  • Mentoring Luncheon: Engage with mentors in the field and learn from experts what it takes to develop your career
    October 13 @ 12:00pm
    Renaissance Hotel
  • Planning Meeting: Join forces with others committed to the WIA initiative and share ideas for events at future conferences
    October 14 @ 9:30am
    Renaissance Hotel
WIA is offering sponsorships for women transitioning from development and security-based jobs in the military to attend AppSecUSA 2016. To be eligible, you must be leaving the military within the next six months or have been out of the military for less than one year. To apply for a sponsorship, click HERE.
To register for WIA-hosted events at AppSecUSA 2016 visit the website at:
We hope you’ll join us in breaking barriers for women at AppSecUSA 2016!

Thursday, August 25, 2016

Results of the 2016 WASPY Awards

Thank you to everyone who voted in the 2016 WASPY Awards! Voting has closed, the winners have been notified, and the results are posted here.

Congratulations to all of the individuals who were nominated, and a special congratulations to our winners:

  • Open/Leading Category: Jeremy Long
  • Integrity/Learning Category: Eoin Keary
  • Innovation/Sharing Category: Owen Pendlebury
  • Global/Growing Category: Kathy Thaxton

The award ceremony will be held at the AppSecUSA 2016 conference in Washington, DC. More specific details will be posted to the conference site, so please check back frequently. 

As always, thank you for your support!

Friday, August 19, 2016

OWASP Calls for Papers

Summer is a HOT time for OWASP! Check out these active CFPs:

OWASP Cyber Security Conference in Morocco
The first OWASP regional conference in Africa, this two-day conference in November includes a day of training and will take place in Marrakesh. Submissions are due by September 17th.

They encourage and prioritize submissions covering research and new work impacting:
  • Secure Engineering: secure coding, static analysis, intelligent application threat modelling with real use case, web frameworks security, countermeasures, SDLC, DevOps, etc.
  • Cognitive Security (Machine Learning and Big Data applied to find cyber security threats with high accuracy and precision)
  • Mobile security: Development and/or testing devices and the mobile web
  • Cloud security: Offensive and defensive considerations for cloud-based web applications
  • Infrastructure security: Database security, VoIP, hardware, identity management
  • Penetration testing: Methodologies, tools, exploit development, evasion techniques, OSINT, etc.
  • Emerging web technologies and associated security considerations
  • Applied Cryptography: Relevant research, new models, algorithm usage, interesting attacks, and other applications.
  • Incident response: Threat detection, triage, malware analysis, forensics, rootkit detection
  • OWASP tools and projects in practice
  • Policy and legal: Legislation, privacy, regulations and compliance, C-level considerations, etc.
  • Cool hacks and other fun stuff: cryptography, social engineering, etc.

To submit a proposal, please submit an abstract of your intended presentation (500 to 4000 characters), a brief biography (150 to 800 characters), a head shot, and a signed copy of the speaker agreement. Talks without all required information may not be considered. Your planned presentation time is limited to a maximum of 15 minutes (excluding ~5 minutes for discussion and change of speaker). Feel free to attach a preliminary version of your presentation if available. Any proposal submitted is subject to a democratic vote by the program committee. Keep in mind: the better your description of the talk, the better picture the program committee will have when reviewing your submission. Please proofread your submission; after approval, your abstract, biography, and head shot will be published verbatim in the program and on the website.

OWASP Bucharest AppSec Conference 2016
This annual one-day security and hacking conference is FREE. It takes place on October 6th at the Sheraton Bucharest Hotel. You can register and submit your presentation here.

Their audience includes:
  • Application Developers
  • Application Testers and Quality Assurance
  • Application Project Management and Staff
  • Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
  • Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
  • Security Managers and Staff
  • Executives, Managers, and Staff Responsible for IT Security Governance
  • IT Professionals interested in improving IT Security
  • Anyone interested in learning about or promoting Web Application Security

Rugged DevOps
The CFP for Rugged DevOps closed on the 18th, but its presentations will be hosted as part of AppSecUSA 2016 in Washington DC, October 11 - 14. If you are a security practitioner interested in working with DevOps automation concepts and methodologies as part of the software development lifecycle, this event is for you!

OWASP Armenia is hosting their annual conference September 16-17th in Yerevan at the American University of Armenia. You can apply to their CFP here; they are accepting talks from 20 minutes to 1 hour as well as 2- or 4-hour trainings.

This annual event will host trainings on the 24th and the conference on the 25th of November in Leuven, Belgium. Submissions close September 11th and can be made here. Topics should focus on the technical and social aspects of security; they encourage and prioritize submissions covering research and new work impacting:

  • Secure development of web applications.
  • Security testing of web applications.
  • Security of DevOps processes, architectures, and tools.
  • Security of applications designed for mobile devices.
  • Security of Internet of Things devices and platforms.
  • Cloud platform security
  • Browser security
  • HTML5 security
  • OWASP tools or projects in practice

To submit a proposal, please submit an abstract of your intended presentation (500 to 4000 characters), a brief biography (150 to 800 characters) and a head shot (combine multiple files in one zip file). Your planned presentation time is 40 minutes (excluding ~5 minutes for discussion and change of speaker). Feel free to attach a preliminary version of your presentation if available. Any proposal submitted is subject to a democratic vote by the program committee. Keep in mind: the better your description of the talk, the better picture the program committee will have when reviewing your submission.

ASC Mobile & IoT Security Summit 2016
The OWASP China Chapter is co-hosting the ASC Mobile & IoT Security Summit 2016, October 25th-26th, 2016 in Shenzhen, China. Submissions close Aug. 31st. The event will have three focus areas:
Part One-- Mobile & IoT Security Forum
  • Mobile device & Mobile connectivity platform Security Technology
  • Mobile, Web and Cloud Security
  • Application Security Testing and Latest Attacks and Protection
  • Privacy Protection in web based apps
  • Chip Security
Part Two-- Incident Response Sub Forum
  • Incident Response Tools and Procedures
  • Data Protection
  • Vulnerability Handling Solutions
  • Incident Response System Building
  • Automated Security Operations
Part Three-- S-SDLC Sub Forum
  • S-SDLC processes, architectures, and tools
  • Security assessment in S-SDLC (Code review, penetration testing, etc.)
  • Security development processes
  • S-SDLC in Agile Development

Events Looking for OWASP Presentations:

OWASP Quebec and OWASP Montreal will be hosting a booth at the annual HackFest∞ November 1st through 5th. They are looking for a speaker to talk about OWASP. You can apply to HackFest∞ here.

Rochester Security Summit
A general InfoSec conference taking place October 5th and 6th. RSS features a keynote by Jeremiah Grossman and a dedicated OWASP Track. They are looking for great OWASP AppSec presentations. The CFP has been extended; you can follow up here.

Friday, August 12, 2016

Dear OWASP Members,

On Wednesday we sent out the ballots for the 2016 WASPY Awards to all members who were current prior to June 20, 2016. Some of you received a ballot addressed with an incorrect first name.

During the process of collecting and uploading the individual contact information into the voting platform, there was a mail merge glitch when the de-dupe function was triggered. This resulted in some members receiving an email which was not addressed to them. Immediate action was taken to correct the issue.

The incorrect names did not affect your ballot, as ballots are associated with the member's email address, not their name. None of the votes have been compromised, and members only received one email with a link to their ballot. The link to the ballot is a unique link specifically generated for each individual and is NOT to be shared with anyone.

On behalf of the OWASP Foundation, we apologize for any inconvenience this may have caused you.

Sincerely, OWASP Staff