Tuesday, November 29, 2016

November 2016

We would like to thank the following companies for supporting the OWASP Foundation. The companies listed below have contributed this month by either renewing their existing Corporate Membership or joining OWASP as a new Corporate Member. Details about Corporate Membership can be found here.

Premier Corporate Member

Fortify is the only solution that secures and protects code throughout the entire development lifecycle of any type of software—from development to testing, release to production and every iteration in between. Fortify static, dynamic, interactive, and runtime security testing technologies are available on demand or through several licensing models, offering organizations the flexibility needed to build an end-to-end software security assurance program. To learn more, please visit: http://www8.hp.com/us/en/software-solutions/application-security/index.html

Contributor Corporate Members

For more information, please visit: https://www.smartrac-group.com/

Synopsys, Inc. (Nasdaq: SNPS) is the Silicon to Software™ partner for innovative companies developing the electronic products and software applications we rely on every day. As the world's 15th largest software company, Synopsys has a long history of being a global leader in electronic design automation (EDA) and semiconductor IP and is also growing its leadership in software quality and security solutions. Whether you're a system-on-chip (SoC) designer creating advanced semiconductors, or a software developer writing applications that require the highest quality and security, Synopsys has the solutions needed to deliver innovative, high-quality, secure products. Learn more at www.synopsys.com.

Verizon Digital Media Services is the industry’s only single, end-to-end digital media platform that can prepare, deliver, display and enable the monetization of online content. The platform is built on the world’s largest, most connected network, and has over 90 points of presence on five continents, ensuring high-quality viewing of digital content on any device, anytime, anywhere. The company provides the foundational components in the websites, apps and OTT video services for many of the world’s largest publishers, media companies and enterprises. Verizon Digital Media Services is part of AOL Inc. Learn more about how Verizon Digital Media Services continues to change the way the world watches at www.verizondigitalmedia.com.

Want your name here? Find out how by visiting our Corporate Member information page, or contact Kelly Santalucia today! Thanks to all of our Premier and Contributor Corporate Members for your support in 2016!

Thursday, November 24, 2016

Opportunities to Present at OWASP AppSec Europe

AppSec Europe seeks to bring together developers and security professionals at all points in their careers to be the thriving global community that drives visibility and evolution in the safety and security of the world’s software. We understand that robust security requires diversity of thought and practitioners. We also know that a conference that meets the needs of our community must provide a buffet of learning and teaching experiences. We are currently seeking submissions for the following in-conference events:

  • Arsenal: Do you have an open-source tool to share with the world? The AppSec Arsenal is the place to stand out from the crowd and demo your open-source tool to potential users and collaborators. Successful applicants will have grown beyond proof of concept and will represent a range of tools, from the well known to the newly established and from the point solution to the broad. Watch for submission updates.

  • Lightning Training: Important training comes in all sizes. Our Lightning Training sessions are the perfect 1-2 hour training on the go. Your Lightning Training session will be free to the public and can be in lecture or hands-on mode. This is a great place to teach a concept swiftly, or to allow new trainers to get experience. Apply for your Lightning Training now!

  • Lightning Talks: Simplicity is beautiful, and provocative ideas don't necessarily take an hour to express. Lightning Talks are the place to share everything from exciting vulnerabilities, to humorous lessons learned, to new ways of securing an application in 10-15 minutes. Share your idea on the OWASP stage!

  • Activities: Conferences aren't all talk; sometimes you just need to DO! So whether it’s a Capture the Flag event, an escape room, lock-picking demonstrations or something else, we want to facilitate your Activity. Preference is given to activities with a more security-focused theme. You can submit your Activity for May 11/12 here.

Pre-Conference Training: AppSec Europe hosts paid single- and multi-day training on the days leading up to the conference. Hands-on training is strongly preferred. To read more about our training guidelines, please read this previous blog post.

Deadline for proposals:  January 2, 2017
Notification to trainers: January 23, 2017
Training: May 8, 9, 10

Present at our Conference:  The deadline for presenting at our conference is coming up! We are looking for “the next”, cutting edge research in the context of web applications, secure development, security management and privacy. Academic researchers and industry practitioners have the opportunity to share their latest findings with the rest of the community, including coverage via our media channels. We will consider particularly good presentations that have been submitted elsewhere. 

Submission deadline: January 9th, 2017
Notification of acceptance: February 6th, 2017
Conference days: May 11th – 12th 2017

Monday, November 14, 2016

Statement on Matt Harrigan and The Gateway Pundit

Jim Hoft of The Gateway Pundit ran an article discussing threats made on Facebook by Matthew Harrigan to Donald Trump which incorrectly identified Harrigan as a current OWASP Board Member. Harrigan is not now, nor was he ever on the OWASP Global Board of Directors. The evidence Hoft used for this assertion was Harrigan's LinkedIn profile which correctly shows that he served as a board member for the San Diego Chapter from July 2009 to 2011. Harrigan does not currently lead any OWASP chapter. OWASP has asked The Gateway Pundit and Jim Hoft to correct the article and retract the statement.

OWASP is a worldwide open source security non-profit and as such does not take any political stance whatsoever. From time to time OWASP can speak on issues directly concerning application and cyber security. OWASP's Code of Conduct directly forbids threats and harassment of any kind in OWASP spaces and OWASP does not condone such behavior elsewhere.

Friday, November 4, 2016

Your 2017 Board has been elected!

Thank you to everyone who voted in the 2017 Board of Directors election; your choice of representation matters. The OWASP Board consists of seven volunteers elected in alternating years to serve a two-year term. These unpaid volunteers dedicate themselves to the organizational mission and play a pivotal role in the software security community. Members of the Global Board of Directors are responsible for setting the strategic direction of the organization and ensuring the financial integrity of the Foundation.

Our thanks to everyone who stood for the board this year; your willingness to take on time-consuming duties to further OWASP's mission is greatly appreciated. OWASP is lucky to have such talented and active volunteers and we look forward to continuing to work with you.

We are glad to announce that our new board members are:
  • Andrew J van der Stock
  • Matt Konda
  • Johanna Curiel

For more information please take a moment to read their Bios and Statements of Purpose and listen to their interviews.

Thank you to Jonathan Carter for your service on the board in this last year. 

Full Election results:

Friday, October 28, 2016

AppSec California; Sun, Sand, Security

We are excited to invite you to join us on the beach for the 4th Annual AppSec California.

What: A unique Southern California OWASP event on the beach dedicated to raising the bar in application security
When: January 23-25, 2017
Where: On the beach at the Annenberg Beach House, 415 Pacific Coast Hwy, Santa Monica, CA 90402

AppSec California combines a dynamic mix of training and education delivered by some of the industry’s top experts in secure application development and web application security.

Information security professionals, developers, and QA and testing professionals from around the world will gather at the Annenberg Beach House where they will participate in full-day trainings, enjoy invigorating and inspiring talks, engage in thought-provoking conversations, and make new friends.

Call for Papers is Open!

Would you like to present at AppSec California? We know you have great things to share, and the AppSec Cali Call for Papers team would love to hear from you. OWASP AppSec conferences are true security conferences, with expected talks and presentations all around (web) application security. Non-technical talks are welcome too.

Interested in Sponsoring AppSec California?

AppSec California may be the best opportunity you will ever have to meet hundreds of key decision makers in IT & Information Security. Join us January 24-25, 2017 to get new leads to help you generate new business.

First Keynote Speaker Announced: RSA CTO Zulfikar "Zully" Ramzan

Dr. Zulfikar Ramzan serves as the Chief Technology Officer of RSA. In this role, he is responsible for leading the development of the company's technology strategy and bringing to market the innovations that help protect RSA customers from the growing number of advanced threats.

Early Bird Pricing Ends October 31

Registration for the 2 Day Conference (Jan 24 and 25) is only $200, and 2 Day Conference + Training is only $600. These prices only last until the end of October.

We'll be sharing more details and announcements in the coming weeks. For more real-time updates, follow us on Twitter.

Thanks, and we look forward to seeing you in January!

Caleb Queern and the AppSec California Planning Team

Wednesday, October 26, 2016

AppSecEu 2017 Call for Presentations and Training Now Open

The call for presentations and trainings is now open for AppSecEu 2017, which will take place in Belfast from May 8th to 12th 2017. OWASP's Global AppSec events serve a diverse audience of security professionals at all stages of their careers. We seek interesting perspectives and training to drive visibility and evolution in the safety and security of the world’s software.

Our topics of interest for talks include, but are not limited to the following:
  • Novel web vulnerabilities and countermeasures
  • New technologies, paradigms, tools
  • OWASP tools or projects in practice
  • Secure development: frameworks, best practices, secure coding, methods, processes, SDLC
  • Browser security
  • Mobile security and security for the mobile web
  • Cloud security
  • REST/SOAP security
  • Security of frameworks
  • Large-scale security assessments of web applications and services
  • Privacy risks in the web and the cloud
  • Management topics in Application Security: Business Risks, Awareness Programs, Project Management, Managing SDLC

OWASP Trainings should be practical in nature; hands-on classes will receive stronger consideration. Topics of interest include, but are not limited to:
  • Secure development: frameworks, best practices, secure coding, methods, processes, SDLC
  • Vulnerability analysis: code review, pentest, static analysis
  • Threat modelling
  • Mobile security
  • Cloud security
  • Browser security
  • HTML5 security
  • OWASP tools or projects in practice
  • New technologies, paradigms, tools
  • Privacy in web apps, Web services (REST, XML) and data storage
  • Operations and software security
  • Management topics in Application Security: Business Risks, Outsourcing/Offshoring, Awareness Programs, Project Management, Managing SDLC

While we understand that your submission might be a work in progress, we strongly encourage that all submissions be as thorough as possible to allow us to make the best decision. The program committee will review your submission based on a descriptive abstract of your intended presentation. Feel free to attach a preliminary version of your presentation if available, or any other supporting materials. Please review your proposal thoroughly, as accepted abstracts and bios submitted will be published 1:1 on our site. If your presentation is accepted for inclusion in the conference program, you are free to submit a white paper describing your work, to be added to the website.

To ensure the best talks available are presented at AppSec Europe, we are incorporating blind reading as part of our process. This means that names and job titles will be removed when the paper's abstract is being reviewed. Submissions for training will not be read blind. All speakers will be given access to speaker mentorship; we especially encourage first-time speakers to take advantage of this service.
Marketing and sales pitches will not be accepted in the talks or trainings.

Submit a Presentation
  • Submission deadline: January 9th, 2017
  • Notification of acceptance: February 6th, 2017
  • Conference days: May 11th – 12th 2017

Submit a Training
  • Deadline for proposals:  January 2, 2017
  • Notification to training providers: January 23, 2017
  • Training: May 8, 9, 10

Tuesday, October 25, 2016

Waratek Supports the OWASP Foundation as a Premier Corporate Member

Bel Air, MD – October 25, 2016 – The Open Web Application Security Project (OWASP), a worldwide not-for-profit charitable organization focused on improving the security of software, is pleased to welcome Waratek, a pioneer in the next generation of application security solutions known as Runtime Application Self-Protection (RASP), as a Premier Corporate Member of OWASP.

OWASP is an open community of over 46,000 participants dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.  OWASP does not endorse or recommend commercial products or services. Instead, we allow our community to remain vendor neutral with the collective wisdom of the best individual minds in application security worldwide.

Waratek, winner of the 2015 RSA Innovation Sandbox Award, is based on the belief that traditional security approaches are not enough to protect applications and customer data from today’s threats. Waratek’s solutions are based on virtualizing the runtime to provide protection against known and unknown vulnerabilities in current and legacy software.

“At a time when malicious attacks are intensifying and organizations increasingly rely on applications with known and vulnerabilities to fulfill their missions, OWASP is a vital part of defending the integrity of businesses and institutions,” commented Waratek CEO Brian Maccaba. “We need strong DevOps and AppSec communities to ensure the safety and security of commerce. We’re proud to help OWASP fulfill that role.”

Waratek’s support of OWASP included sponsorship of our recent OWASP AppSec USA 2016 Conference that took place in Washington, DC. In a few weeks, all of the conference talks will be available for free on the conference site.

“OWASP receives one-third of its funding from Corporate Members and we are thrilled to have Waratek, Inc. as a Premier Corporate member,” stated Kelly Santalucia, Membership & Business Liaison of the OWASP Foundation. “Waratek’s contributions toward our AppSec USA 2016 event demonstrated strong support for our global initiatives, and we are hopeful that others will follow their lead in giving back to the community.”

The Open Web Application Security Project (OWASP) is dedicated to making application security visible by empowering individuals and organizations to make informed decisions about true software security risks. As a 501(c)(3) not-for-profit worldwide charitable organization, OWASP does not endorse or recommend commercial products or services. Instead, we allow our community to remain vendor-neutral with the collective wisdom of the best individual minds in software security worldwide.

For more information, visit: www.owasp.org or follow us at: @owasp.

About Waratek

Waratek is a pioneer in the next generation of application security solutions known as Runtime Application Self-Protection or RASP. Based on virtualization, Waratek’s solution is highly accurate, easy to install, simple to operate and does not slow application performance, while providing protection against known and unknown vulnerabilities in current and legacy software.

Waratek is based in Atlanta, Georgia and Dublin, Ireland. For more information visit www.waratek.com or follow us @Waratek.