Tuesday, August 19, 2014

OWASP August 19 Connector


OWASP Global Connector
August 19, 2014 | www.owasp.org | Contact Us | Brought to you by the OWASP Foundation
OWASP Projects

Featured OWASP Project

OWASP WebSpa Project
The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command. It provides a cryptographically protected "open sesame" mechanism on the web application layer, comparable to well-known port-knocking techniques.
For more information, please contact the Project Leader, Oliver Merki.

New OWASP Projects

OWASP Rainbow Maker Project
OWASP Rainbow Maker is a tool aimed at breaking hash signatures. It allows testers to enter a hash value together with the possible keywords and values the application might have used to create it; the tool then tries multiple combinations to find the format used to generate the hash value. For more information, please contact the Project Leader, Tal Melamed.
OWASP KALP Mobile Project
The OWASP KALP Mobile App Project is for OWASP users around the world who want to access the Top Ten vulnerabilities on the go (on their mobile), download the Top Ten and email it. It is a lightweight presentation of the OWASP Top Ten. It will be an Android application that fetches the database of vulnerabilities from the OWASP server, so any new additions to the cheat sheets and prevention cheat sheets will automatically be accessible in the mobile app. For more information, please contact the Project Leader, Kishor Sonawane.

Project Announcements

From Daniel Cuthbert, Co-Project Leader of the OWASP Application Security Verification Standard Project
It gives me immense pleasure to finally release version 2 of the Standard for all to enjoy. The community feedback on this has been overwhelming and it's great to see so many of you investing time and effort into what Sahba and I feel is an incredibly important OWASP project.
As with all standards, I'm sure this will be made better as people use it and we welcome the additions.
Again, a huge thanks to all the contributors who helped shape version 2 and I cannot wait to hear how this is being used.
It can be downloaded from the ASVS page HERE
Documentation Volunteers Needed for the OWASP Mantra OS
The OWASP Mantra OS is looking for one or two volunteers to assist with documentation for the next release of Mantra OS. OWASP Mantra OS is a secure sandboxed operating system built for application testing and fast secure computing, built on Ubuntu Core.
If you are interested in helping with the OWASP Mantra OS Dharma release, contact the project leader, Greg Disney-Leugers.
Social Media

OWASP Foundation Social Media

LinkedIn
Twitter
Google +
Facebook
Ning
StackOverflow
Membership

Thank you to our new and renewed Corporate Members:

  • HP - Premier Level
  • Ranorex, and
  • Arxan
Honorary Membership applications now being accepted.
CLICK HERE to find out if you qualify for Honorary Membership. The deadline to submit your application is September 30, 2014.
Conferences

Global AppSec Events in 2014

AppSec USA 2014 (September 16 - 19, Denver, CO)

Upcoming Regional Events

AppSec Israel 2014 (September 2, 2014, Herzliya, Israel)
Boston Application Security Conference (BASC) (October 18, 2014, Cambridge, MA)


LASCON 2014 (October 21 - 24, Austin, TX)

Partner and Promotional Events

OWASP has partnered with these great events at the beginning of 2014 to grow our community and build awareness around software security. If you want to learn more about OWASP's involvement, or will be attending and want to help out, contact us.
Fraud Summit Toronto, (Sept 8, 2014) Toronto, Canada.
(ISC)2 Security Congress, (Sept 22 - Oct 2), OWASP Members save $355 off of the non-(ISC)2 Member Full Conference Pass. Attendees can expect over 80 educational sessions designed to strengthen cybersecurity defenders, focus on current and emerging issues, best practices, and challenges facing cybersecurity leaders.
EC-Council Hacker Halted (October 12-17, 2014), Atlanta, GA
ISSA International Conference (October 22-23, 2014), Orlando, FL
Suits & Spooks, (December 14), Singapore.

OWASP LATAM HANGOUT - Mobile Security Project (in Spanish)

When: Wed August 27, 2014, 12 pm - 1 pm (EDT)
Where: Google Hangout Link
Who: Mauricio Urizar Franco and Walter Cuestas Agramonte
What: Complete details of the talk and profiles of the presenters can be found on the Global OWASP Calendar.
Communication

2014 Global Board of Directors Election

2014 Board Elections page: Our Call for Candidates is now closed! Below is the list of the 2014 candidates:

  • Abbas Naderi Afooshteh
  • Israel Bryski
  • Bil Corry
  • Rowland Johnson
  • Tahir Khan
  • Timur Khrotko
  • Matthew Konda
  • Jim Manico
  • Mateo Martinez
  • Nigel Phair
  • Andrew van der Stock
  • Tom Brennan (withdrawn)
CLICK HERE to view the candidates' bios and "why me?" statements in a Google Document
CLICK HERE to view the OWASP Election page
Next, the candidates will conduct individual interviews answering questions from the community. Anyone can submit one or more questions, and vote existing questions up or down. The top 5 to 6 questions will then be used for each candidate's interview. If you have a question you would like to submit, please do so here.
For the complete Election Timeline, Click Here

2014 WASPY (Web Application Security People of the Year)


Member voting is open until Friday, August 22, 2014

OWASP members should have received a notification and a link to cast their vote from our voting provider, Simply Voting. This is YOUR opportunity to recognize another member of our community for their outstanding efforts, so be sure to congratulate all the nominees and cast your vote for the one nominee in each category who will be publicly recognized during an awards ceremony at AppSec USA in Denver.
You can read all about the nominees HERE
OAS and OWASP

OAS and OWASP Sign Agreement on Cyber Security

The General Secretariat of the Organization of American States (OAS) recently signed a Memorandum of Understanding with the Open Web Application Security Project (OWASP) to facilitate a closer level of collaboration on the issue of cyber security and allow each partner to reach a broader audience.
CLICK HERE to read the complete press release!

Just for Fun

Congratulations to Robin Wood, who was the first person to solve last week's challenge. Answer: the rose-red city is 7 billion years old.
Click here to view last issue's puzzle
Here is this issue's challenge...
Imagine that you have some wooden cubes.
You also have six paint tins each containing a different color of paint.
You paint a cube using a different color for each of the six faces.
How many different cubes can be painted using the same set of six colors?
Remember that two cubes are different only when it is not possible, by turning one, to make it correspond with the other.
Send your answers to our comment desk for a chance to win a prize. Winners will be announced in the next connector.



Monday, August 18, 2014

OWASP ASVS 2.0 (Application Security Verification Standard)


OWASP Community,

It gives me immense pleasure to finally release version 2 of the OWASP Application Security Verification Standard for all to enjoy. The community feedback on this has been overwhelming and it's great to see so many of you investing time and effort into what Sahba and I feel is an incredibly important OWASP project. 

As with all standards, I'm sure this will be made better as people use it and we welcome the additions and feedback. 



Again, a huge thanks to all the contributors who helped shape version 2 and I cannot wait to hear how this is being used. 

Regards,

Friday, August 15, 2014


OWASP AppSec USA 2014 Adds Leading Global Experts to List of Speakers


Are you registered for the upcoming OWASP conference? We are excited to be getting closer to the OWASP AppSec USA event and we have now announced our roster of keynote speakers. 


The premier software security conference for developers, auditors, risk managers, technologists and entrepreneurs will take place at the Denver Marriott City Center, Sept. 16-19. Below are the keynotes:

Bruce Schneier, CIO, Co3 Systems, Inc. is an American cryptographer, computer security and privacy specialist, and writer. He is the author of several books on general security topics, computer security and cryptography. (Sept. 18, 8:00 a.m.)

Renee Guttmann, vice president, Accuvant Office of the CISO is an accomplished global information security and privacy executive with a proven track record of establishing internationally recognized information security programs for Fortune 500 companies. She is the former CISO of Coca-Cola. (Sept. 18, 4:30 p.m.)

Gary McGraw, CTO, Cigital is a recognized authority on software security, an author of eight books on software security topics and is an editor of a software security series as well as several peer-reviewed papers. (Sept. 19, 8:00 a.m.)

In addition to keynote sessions, AppSec USA will offer several interactive events. For the first time ever, the conference will feature "Code Brew," a home-brewing contest judged by brewers from some of Colorado's top craft breweries, and two full days of training featuring five tracks including developers, builders, breakers, defenders, and a hands-on skills lab.

To find out more about OWASP AppSec USA 2014, participate in “Code Brew”, or REGISTER for the conference, please visit www.2014.appsecusa.org/2014/


Wednesday, August 13, 2014

Call for Speakers: OWASP Ghana Cybersecurity Conference

Good morning, good afternoon, good evening, OWASP Community, how are you?

The OWASP Ghana Cybersecurity Conference will take place in Accra, Ghana this December for the second year in a row! The event dates are December 10 - 11, 2014. It amazes me that there are so many places on planet earth where OWASP is active in some way.

If you are interested in speaking at this conference, please contact Theo Sagoe at theodore.sagoe at owasp.org or visit https://www.owasp.org/index.php/Ghana#tab=About for more information.

I was lucky enough to be one of the speakers at the first OWASP Ghana conference in West Africa. It was quite an amazing experience. It's rare that you get the chance to attend a security conference in the morning and do some seine beach fishing with a large team of locals early that evening. They fish the whole ocean at once; it was quite amazing. :)

I hope you consider attending or speaking! Please contact theodore.sagoe at owasp.org if interested.

Thank you,

- Jim Manico

THIS FRIDAY is the DEADLINE to SUBMIT your CANDIDACY for the 2014 OWASP BOARD OF DIRECTORS

Just a reminder that this FRIDAY, AUGUST 15 is the DEADLINE to submit your candidacy for the 2014 OWASP Global Board Of Directors.  

For Information including eligibility requirements, primary responsibilities, election timeline and other important information, please visit our election page. 

Thursday, July 31, 2014

Videos from AppSec Europe 2014

At the last AppSec Europe, the OWASP Media Project, with the help of the Münster University of Applied Sciences IT Security Lab, put 40 videos online for 70 hours of content. This includes the whole live stream of three tracks on each of the two days of the conference, broadcast during a YouTube Streaming Event and on an alternate German stream. The week after, we made a playlist of all 33 individual talks that were recorded.





Now for some stats, covering from June 25th 2014 to July 25th 2014.



We are at 2,074 views and 20,228 estimated minutes watched.

As for subscribers, we are at 1,572, and 294 of them were gained during the AppSecEU efforts.

The average view duration is 13:55 minutes. Since we have 6 videos, one for each track of streaming, that each last more than 6 hours, that number is a little boosted.

Most of the views come from the live event. For the record, we had around 60 people watching at peak.



The most popular tracks were:
Security Management & Training Track
940 views, 18,050 minutes watched, 19:12 avg
http://youtu.be/6Ydi0_i70nA

Frameworks and Theories Track
427 views, 5,917 minutes watched, 13:51 avg
http://youtu.be/F7eCP08nacI

Mobile Track
560 views, 6,684 minutes watched, 11:56 avg
http://youtu.be/VIS9fXZXJ44

Notable popular videos are:
Simon Bennetts - OWASP ZAP Advanced Features
226 views, 1,603 minutes watched, 7:05 avg
http://youtu.be/SmY8D8VTWdI

Hemil Shah - Smart Storage Scanning for Mobile Apps - Attacks and Exploit
159 views, 601 minutes watched, 3:46 avg
http://youtu.be/5X4d-7HzxXQ

Lorenzo Cavallaro - Keynote - Copper Droid On the Reconstruction of Android Malware Behaviors
500 views, 2,547 minutes watched, 5:05 avg
http://youtu.be/_FcLyBKK0GI

Finally, the countries with the top viewership:
United States 17%
United Kingdom 16%
Germany 9.0%
India 8.7%

We were watched in 84 countries in total. A heat map of view counts enables us to see all locations:


The OWASP Media Project has taken another big step with this streaming event for a conference. Since the last AppSecUSA we have also managed to gather the Global Webinars and the OWASP Community Update in the same place. With all this we are now at more than 150 videos with 1,572 subscribers for a total of 63,669 views.

The next step will be AppSecUSA 2014. We'll try to set up live streaming as well as have the recordings available for you in a timely fashion.

Thanks to all who contributed and helped with OWASP Media Project!

Visit us and subscribe:



July 30, 2014 OWASP Global Connector


OWASP Global Connector
July 31, 2014 | www.owasp.org | Contact Us | Brought to you by the OWASP Foundation
OWASP Projects

Featured OWASP Project

OWASP Proactive Controls
The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. They are ordered by importance, with control number 1 being the most important. This document was written by developers for developers to assist those new to secure development.
For more information, please contact the Project Leaders, Jim Manico or Jim Bird.

New OWASP Project

OWASP Top Trumps for Projects
If you haven't played Top Trumps, it's a simple game that can be learned in 30 seconds. It is as addictive as it is fun, with the added advantage of being educational in the process. Each card in the deck represents a real-world OWASP project with 6 attributes that can be used to challenge other projects. The purpose of this project is to raise awareness of all OWASP projects in a fun and community-oriented way. For more information, please contact the Project Leader, Mark Miller.

Project Announcements

Technical Reviewers Needed!
The Code Review Guide Project is forming a dedicated team of technical reviewers. They are looking for a small group of individuals for this task, around 5 developers. Please let Gary Robinson or Larry Conklin know what your qualifications are, and they will get back to you with specific work tasks.
Developers Needed!
The Code Review Guide Project is also seeking developers who have examples in PHP, Ruby on Rails, HTML5, Drupal, ColdFusion, CodeIgniter, Java Spring and Struts. The examples they need cover SQL injection, framework issues, IIS configuration errors, XSS and other issues for which a code reviewer would raise a red flag on seeing them in the code under review. It would be great if each example of bad code were paired with an example of how the code should be written securely. This is an exciting team that is doing something with a very real impact on the larger software developer community. Please contact Gary Robinson or Larry Conklin.
Projects Task Force Code Analysis Reports
Over the past week, Johanna Curiel has been putting together code analysis reports for flagship candidate projects. The results of these reports will be posted on the Projects Task Force page this week and next. Click Here for more information on the task force and its progress.
Social Media

OWASP Foundation Social Media

LinkedIn
Twitter
Google +
Facebook
Ning
StackOverflow
Membership

Thank you to our new Corporate Members:

  • SMARTRAC TECHNOLOGY GMBH, and
  • Solutions II, Inc
Honorary Membership applications now being accepted.
CLICK HERE to find out if you qualify for Honorary Membership. The deadline to submit your application is September 30, 2014.
Conferences

Global AppSec Events in 2014

AppSec USA 2014 (September 16 - 19, Denver, CO)

Upcoming Regional Events

OWASP Korea Day 2014 Workshop (June 17, 2014, Seoul, South Korea)
LASCON 2014 (October 21 - 24, Austin, TX)

Partner and Promotional Events

OWASP has partnered with these great events at the beginning of 2014 to grow our community and build awareness around software security. If you want to learn more about OWASP's involvement, or will be attending and want to help out, contact us.
BlackHat (August 2-7), Las Vegas, NV. OWASP Members receive $200 off BH briefings with code: owaBR200off.
BSides LV, (August 5-6), Las Vegas, NV.
OWASP is looking for volunteers to help promote OWASP at BSides. Earn a Full BH conference pass by volunteering a total of 8 hours at BSides. Contact Kelly Santalucia for details.
EC-Council TakeDown Con, (August 14-19), Huntsville, AL.
Fraud Summit Toronto, (Sept 8, 2014) Toronto, Canada.
(ISC)2 Security Congress, (Sept 22 - Oct 2), OWASP Members save $355 off of the non-(ISC)2 Member Full Conference Pass. Attendees can expect over 80 educational sessions designed to strengthen cybersecurity defenders, focus on current and emerging issues, best practices, and challenges facing cybersecurity leaders.
EC-Council Hacker Halted (October 12-17, 2014), Atlanta, GA
ISSA International Conference (October 22-23, 2014), Orlando, FL
Suits & Spooks, (December 14), Singapore.
Communication

2014 WASPY (Web Application Security People of the Year)

Member voting will begin Friday, August 8, 2014

The third annual WASPY awards voting will begin August 8th. OWASP members will receive a notification and a link to cast their vote from our voting provider, Simply Voting. This is YOUR opportunity to recognize another member of our community for their outstanding efforts, so be sure to congratulate all the nominees and cast your vote for the one nominee in each category who will be publicly recognized during an awards ceremony at AppSec USA in Denver.
You can read all about the nominees HERE

2014 Global Board of Directors Election

Please visit our 2014 Board Elections page for frequent updates. Our Call for Candidates is only open until August 15! Please submit your candidacy here.
Once confirmed, the candidates will conduct individual interviews answering questions from the community. Anyone can submit a question(s), vote up or vote down existing questions. The top 5 to 6 questions will then be used for each candidate's interview. If you have a question you would like to submit, please do so here.
For the complete Election Timeline, Click Here

OWASP Community Manager Position - Open for applicants


Are you interested in working for OWASP and supporting volunteer efforts around the world? Consider applying for our Community Manager position.
OWASP Community Manager
Full Time, Salaried
The OWASP Community Manager is responsible for coordination and oversight of volunteer opportunities and initiatives for the OWASP community. Furthermore, this position will focus on providing operational support to OWASP Chapters globally and is responsible for overseeing and disseminating the organization's policies, objectives, and initiatives as they relate to OWASP Chapters.
Details about the position and how to apply
Please help us spread the word about the position by posting to your chapter/project lists, adding to applicable job boards, or forwarding to any individuals that you think would be interested.

Just for Fun

Congratulations to Steven Avery, who was the first person to solve last week's challenge. Answer: 93 hens to produce 12 eggs in 6 days.
Click here to view last issue's puzzle
Here is this issue's challenge...
A rose-red city is half as old as Time. One billion years ago the city's age was just two-fifths of what Time's age will be a billion years from now.
Can you compute how old the crimson city is today?
Send your answers to our comment desk for a chance to win a prize. Winners will be announced in the next connector.