Monday, November 20, 2017

Your 2018 Board has been elected

Thank you to everyone who voted in the Board of Directors election!

The OWASP Board consists of seven volunteers elected on alternating years to serve a two year term. These unpaid volunteers dedicate themselves to the organizational mission and playing a pivotal role in the software security community.  Members of the Global Board of Directors are responsible for setting the strategic direction of the organization and ensuring the financial integrity of the Foundation.

Our thanks to everyone who stood for the board this year, your willingness to take on time consuming duties to further OWASP's mission is greatly appreciated.  OWASP is fortunate to have such talented and active volunteers and we look forward to continuing to work with you.

Please help me in welcoming your new board members:

Chenxi Wang
Owen Pendlebury
Sherif Mansour
Greg Anderson

To listen to the newly chosen board member interviews, please visit our Election page.

Come January 1, 2018 these four new board members will begin their two year term. They will be joining our existing board members, Matt Konda, Andrew van der Stock and Martin Knobloch.

Full Election results:


OWASP is pleased to announce the release of the OWASP Top 10 - 2017

After a difficult gestation, the OWASP Top 10 Final is out.

You can get it from here:   https://github.com/OWASP/Top10/tree/master/2017

As many of you know, there was a lot of passion within the application security community about the OWASP Top 10 2017 RC1, so it was critical that we worked with the community to firm up the data and obtain a consensus view of how to proceed.

After the change of leadership from Dave Wichers and Jeff Williams to Andrew van der Stock in late May 2017, we added diversity to the leadership team, by adding Neil Smithline, Torsten Gigler, and Brian Glas. Each of the leaders brings their own experience and point of view to the OWASP Top 10, making it far stronger. I couldn't have done this by myself, and it would have been a far weaker document if it was just little old me. I thank my co-leaders from the bottom of my heart. I also thank the founding leadership of Dave Wichers and Jeff Williams for creating the OWASP Top 10, and trusting in us to get this done.

In June, Dave Wichers and Brian Glas attended the OWASP Project Summit in London, and I participated remotely. During the summit, as a community, we agreed to governance, methodology, data analysis and transparency improvements. The highlights of this are:

  • A diversity of leadership at all times (at least two unrelated leaders). This has been an incredible win for the OWASP Top 10, and I hope more OWASP Flagship projects consider doing it. 
  • The methodology was improved by confirming that we will be using risks, rather than any other metric, and agreeing to up to two items will be selected by the community for up and coming risks
  • Data analysis performed by Brian Glas, in particular how to improve the balance from largely automated findings that swamp manual findings, as well as re-opening the data call to obtain 2016 data and survey the community for the two forward looking items
  • Transparency is now aligned with OWASP's values - we work in the open at GitHub, and folks can see who suggested an improvement or issue, and how this was resolved in the text. For the first time, there is a strong traceability between the data submitted by participating data contributors and the OWASP Top 10. This means that if you want, you can fork the OWASP Top 10, re-analyze the data to suit your needs and create your own version. (Just don't call it the OWASP Top 10 :-) )

The data call was very successful. We obtained a great deal of new data covering previous years, including 2016, from a wide variety of consultancies and vendors. We have data from over 40 data contributors, 23 of which were used in the final data analysis. From those 23 data sets, the data covered over 114,000 applications, which is one of the biggest data sets on application security anywhere. And you can download it from our GitHub repo. At the last minute, we also received data from BugCrowd. The interesting thing about bug bounty programs is that kudos and payouts only occur when fully validated, and it also shows what is on the top of the list from the point of view of bug bounty programs. The bug bounty data backed up our analysis in terms of prevalence data, so we were definitely on the right track.

The survey was wildly successful. We received over 500 survey responses, so I think we can safely claim consensus on the two new items - Insecure Deserialization and Insufficient Logging and Monitoring. These two items were obviously top of mind for many this year considering the era of the mega breach is not slowing down. We discuss our methodology in more detail within the OWASP Top 10 - 2017 itself, as many will wonder why we didn't use the two top items directly. The short answer - and this should be no surprise - some of these other issues were already in the OWASP Top 10 due to prevalence data, such as XXE and access control.

OWASP Top 10 - 2017I will address some of the frequently asked questions - why have CSRF and unvalidated redirects and forwards been removed? It's time to move on. The data for these is no longer strong enough to warrant inclusion, especially when we only have 8 data supported spots with our new methodology, and these two items didn't rank in the community survey. This is actually a sign of success; the fact that CSRF is finally going away is a sign that the OWASP Top 10 has been successful at its mission. Back when I included CSRF in 2007 as a forward looking item, there was no data for it. At all. But ~ 100% of applications had CSRF at that time. Now it's less than 5% of all applications. If you use a modern framework, you're pretty much covered without doing anything. That's a huge success.

This then leads into the discussion about renumbering. We risk rated the resulting list over about a 5 hour meeting, and this is the result. I asked the Twitter community if they wanted a risk based order, a likelihood order, an impact order, or the order from previous OWASP Top 10's. Overwhelmingly risk based order won. Interestingly, the previous OWASP Top 10's kept the previous order, but this was wanted by less than 10% of respondents, compared to over 55% for risk based ordering. So that's what happened. What surprised me is that after re-risk rating many of the existing items didn't move. I was actually surprised by this, particularly in relation to SQL injection, but because we include all forms of injection (which theoretically can cover XSS), it remained at the A1:2017 position. This is because we couple three forms of likelihood (prevalence, detectability, and exploitability) and impact. We have strong prevalence data, but the others were our best judgement. You can look at what we decided upon and review our work. I encourage everyone to do so.

The last common discussion we've had is why we didn't roll up XSS into injections, because it's either HTTP, HTML, or JavaScript injection. The reality is that it would have swamped the important discussion on other injections, and the solutions for XSS are significantly different to preventing OS command injection or SQL injection. I will defend this decision until the day we see XSS gone the way of CSRF. And I can't see that day ... yet. There is hope in the form of CSP and XSS-resistant frameworks such as Ruby on Rails 3 and React, but there's a lot of code out there that is still vulnerable.

The new or heavily updated risks need little explanation:

  • We cover API as well as web apps throughout the entire Top 10. This covers mobile, single page apps, RESTful API and traditional web apps. 
  • A3:2017 Sensitive Data Exposure is now firmly about privacy and PII breaches, and not stack traces or headers.
  • A4:2017 XXE is a new data supported item, and so tools and testers need to learn how to find and test for XXE, and developers and devops need to understand how to fix it.
  • A6:2017 Misconfiguration now encompasses cloud security issues, such as open buckets.
  • A8:2017 Deserialization is a critical issue, asked for by the community. It's time to learn how to find this in tools, and for testers to understand what Java and PHP (and other serialization) looks like so it can be fixed.
  • A10:2017 Insufficient Logging and Monitoring. Many folks think this is a missing control, rather than a weakness, but as it was selected by the community, and whilst organizations still take over half a year to detect a breach - usually from external notification - we have to fix this. The way to go forward here for testers is to ask the organization if they detected whatever activity was undertaken, and if they would have responded to it without being prompted. Obviously, we are looking for testing to be undertaken through security devices, but whitelisted, so that logging, escalation and incident response can also be assessed.


These new items are modern era issues, and I hope that in the next three years, the industry can make  headway on them.

So after more than 370 closed issues and 650 commits, we are finally finished. We received a lot of feedback from the community, and we thank those who reviewed and QA'd the document extremely closely, such as Osama Elnaggar, Dirk Wetter and Jim Manico, as well as over 40 others. For a full list of reviewers, please see the acknowledgement page.

What is the future of the OWASP Top 10? I think if anything, the community's passion during this time around shows how important the OWASP Top 10 is. It is widely adopted and a lot of folks care about it very deeply. It was a time for us to listen and learn from the process, and that will result in improvements for the OWASP Top 10 - 2020.

We will be starting the data collection process much earlier, and we will improve our methodology particularly in relation the survey to provide more choices (we only had 25 CWEs). On top of that, we need to work with NIST / MITRE to keep CWE up to date, because some of the biggest up and coming (and to be fair, some of the existing) weaknesses do not have a CWE entry.

But first, we need a break. Thank you to everyone who participated to make the OWASP Top 10 a much stronger and more evidence based standard. The OWASP Top 10 - 2017 is by far the best sourced, most reviewed, application security standard out there. I encourage everyone to download it and start cracking on the new and updated items. We need translations as well, so if you want to do that, please contact us at @owasptop10 on Twitter or via GitHub.


Friday, November 17, 2017

Get your talks ready for OWASP AppSec Europe 2018!

We are glad to announce that the 2018 AppSec Europe Call for Papers and Call for Training is now open.

 

This year the special theme of OWASP AppSec Europe is: Usable Security.  We ask for you to think about how security is affected by the human aspects of users, developers and administrators? How do we design, deploy and manage a security system so that it will be used consistently and properly? What lessons can we learn from past success (or not-exactly-success...) stories in which the human factor played a major role?

 

Topics of interest include, but are not limited to:

  • Novel web vulnerabilities and countermeasures
  • New technologies, paradigms, tools
  • OWASP tools or projects in practice
  • Secure development: frameworks, best practices, secure coding, methods, processes, SDLC
  • Browser security
  • Mobile security and security for the mobile web
  • Cloud security
  • REST/SOAP security
  • Security of frameworks
  • Large-scale security assessments of web applications and services
  • Privacy risks in the web and the cloud
  • Management topics in Application Security: Business Risks, Awareness Programs, Project Management, Managing SDLC

To ensure the best talks available are presented at AppSec Europe blind reading is being incorporated as part of their process. This means that names and job titles will be removed when the paper abstract is being reviewed. All speakers will be given access to speaker mentorship. 

 

The submission deadline is January 5, 2018. Please submit your proposal through EasyChair and encourage those you want to learn from in hands on training sessions or 45 min. talks to apply as well.

Apply Today

Tuesday, November 14, 2017

See you Later Matt!

We are sad to share that Matt Tesauro has moved on from OWASP to new challenges.  

Matt has been an active community member and Project Leader for over 9 years--including a stint as OWASP Board Member 2011-2012 and a staff member since July of 2016.  While we are sad to lose Matt as a staff member, we hope to see him prosper in his new position as a Senior AppSec Engineer at Duo Security and look forward to collaborating with him for many years as an OWASP Project Leader and community member.  

See you later Matt!


OWASP CODE SPRINT 2017


At OWASP, we were thrilled to sponsor our Second OWASP Code Sprint 2017.  Our partnership with students and universities to grow OWASP Projects was a success since we participated in the GSOC programs. We received more than 29 proposals.  We were able to select 13 students who worked on a diverse range of application security projects. Below, we highlight the activity.

OWASP also provided an additional incentive and had a OWASP Raffle for an APPSEC Ticket and Funding Initiative to award on lucky student for great work done.
Congratulations Sourav Badami !



OWASP OWTF Project
Project Leaders:Abraham Aranguren,Viyat Bhalodia
Student: Anshul Singhal


Great work from Anshul Singhal by adding dynamic report generation from the database with user selected template, and code refactor to separate the UI into a separate React app from the backend.  Anshul also added report generation currently still working on code separation.  Ansul is very committed to complete the work outside the program ifwasthat is what it takes.


Feedback from Anshul: OWASP Code Sprint was a such a great experience. Viyat and Abraham both helped me a lot during whole duration. I learnt a lot in working with OWTF. Thank you OWASP for this opportunity.  


OWASP Hackademic Project
Project Leader: Spyros Gasteratos
Student: Pavlos Zianos


Pavlos Zianos worked successfully on dynamic provisioning, launching and networking of new challenges without any blocking io calls, refactored existing codebase to accept modular drivers for both docker and vagrant provisioning, flexible networking and service discovery.  


Feedback from Pavlos: OWASP Code Sprint has been a very valuable experience for me mainly because I got to bootstrap the project which gave me insight into issues that I had never experienced before. Spyros has been a very good mentor all this time.


Project Leader: Greg Anderson
Student: Eric Anderson


Eric Anderson successfully accomplished a variety of difficult assignments while contributing to OWASP’s DefectDojo Project including: feature development, debugging, and bug fixes. His assignments required professional caliber skill and dedication to complete. We are very grateful for his contributions which improved DefectDojo for our entire community. For technical details, all the information is in our public issues tracker found here.
Feedback from Eric: OWASP Code Sprint was an overall a great experience on getting an idea of how certain jobs and processes of the Cybersecurity field work and function. Learning how to use Django and Python in a professional manner was nice and cool.


Project Leaders: John Melton, David Scrobonia
Student: Rutuja Surve


Rutuja Surve successfully built web server log analysis functions for security. A minor portion of the effort was to include basic statistical metrics and evaluations. The major portion of the effort was to use machine learning, particularly clustering, to evaluate the log file with a view towards anomaly detection. Some of the analysis was based on intelligent thresholds, and some was based on pure clustering analysis.
Details can be found here.
Feedback from Rutuja: OWASP Code Sprint opportunity to learn a lot about several machine learning algorithms in Scikit Learn for analyzing web-server logs. Mentorship is excellent.


Project Leaders: Glenn ten Cate, Riccardo ten Cate
Students: Heeraj H Nair and Wojciech Reguła


Heeraj H Nair successfully added code examples for python flask and python django. Heeraj helped us update the current knowledgebase and iterated over the items to improve them. He delivered fully working apps for both code languages so we could effectively test the quality of the code with both manual testing and code reviews. Details can be found here.


Feedback from Heeraj: OWASP Code Sprint gave me the opportunity to to learn a lot of things while doing codesprint. Mentors were really awesome, they have helped me a lot. Thanks for everything OWASP


Wojciech Reguła successfully created the Ruby on Rails code examples and fixed an expert team of RoR to also help with the review. Created an RoR app for us to test the code examples. Details can be found here.
Feedback from Wojciech: Absolutely amazing program!  I learnt a lot about securing application from the other site (currently I'm a pentester and student😊). OWASP Code Sprint gave me an opportunity to test my programming skills, writing real production code, be a part of the most used security knowledge base in the future 😉 and get to know very cool people like Glenn and Riccardo! Mentoring !


Project Leader: Ali Razmjoo
Students: Nikhil R


Nikhil R successfully added +12 features, shellcodes (OSX also) and obfuscating method. commits are available in here. Great work performed!
Feedback from Nikhil: The project is perfect for learning about the win32 api and writing custom shellcode which I think would help me immensely. In the second part of the project I worked on writing more functional shellcode for windows with abilities to download and execute files. I learned a lot about writing shellcode for windows which I feel is a quite an achievement by itself apart from the open source contributions.


Project Leader:Simon Bennetts
Students: Blay Kevin Cedric Achi and Anamika Das


Anamika Das successfully implemented a new add-on for field enumeration. Its nearly there, just needs a few minor tweaks in order to be merged. Details can be found here.


Feedback from Anamika:It is a great opportunity for us to be a part of a well known organization - OWASP! My mentor Simon and Ricardo were great enthusiast! Without them, the project wouldn't have accomplished. Honestly, I have learnt a lot from them especially from Ricardo. It would be great to see more projects in security. Also, it would be great to have research based project as well (maybe not funded).


Blay Kevin Cedric Achi successfully completed and continues to work on the scope of the project deliverables.


Feedback from Blay:OWASP Code Sprint program is amazing because it helped me to work a lot, learn new things and work with amazing, passionate and influential people (Simon and Ricardo 😊). Also, it is important for student to work sometimes on Community projects.


Project Leader:Sean Auriti
Students: Sourav Badami,Mohit Anand,Raghav Jajodia and Siddharth Goyal


Sourav Badami successfully implemented Travis CI integration. (#286), Vagrant development server implementation. (#258), Implement internationalization and localization. (#351, #353), Integrate Chinese translation. (#358), Integrate French translation. (#351, #353), Integrate German translation. (#371), Integrating code compression on production site. (TBD), Reformatting code base to pass new linter definition. (#364), Integrate a debug toolbar. (#430), Speed improvements. (#443), Redesign application home. (#445), Embedded script to report bug from any website. (#454), Revamp add issue page. (#455), New issues page for adding issues and corresponding test. (#338), Minor Fixes. (#335, Bugheist/extension#1, #409, #431, #440, #451, #453, #456), Improved activity strips with carded design and hover effect. (#506), Redesigned bug hunt page form for consistency. (#516), Redesigned homepage by re-positioning featured website block and leader board section. (#532), Redesigned change password form. (#538), Redesigned login form. (#542), Design homepage from mockup final. (#549), Optimised and reformatted codebase. (#567)


Feedback from Sourav: Amazing experience to work with Sean! Worked mostly in the backend to improve codebase in terms of tests and code readability. In all, didn't got bored at all :)


Mohit Anand:  Successfully added gamification of bugheist.com by providing badges(Gold,Silver,Bronze), . User profiles would include information regarding types of bugs found., . Comment add without refresh., . Comment delete without refresh., . Added confirm before delete comment., . Comment edit without refresh., . Added cancel button when editing., . Tagging user in comments., . Added toggle to issue status button., . Updated total number of bugs., . Tagged user would be notified through email, . Reply to a comment, . Add chart in domain, . Follow/Unfollow a user, . Upvote an issue, . Added feature to send notification when an issue is liked., . Added feature to send notification when someone follows a profile., . Search users using "user:"., . Search issues using "issue:"., . Search domain using "domain:<domain_name>"., . List of users following you., . List of users you are following, . Model of likers, . Added regex for domain validation during domain edit ( #562 ), . Empty description and domain is handled while editing., . Added pagination buttons on top of pages and Added security against XSS attack (#563).


Feedback from Mohit: My first open source experience. Learnt a lot about Django and other technologies. Would love to keep contributing to the source.


Raghav Jajodia: Successfully added a search feature for issues/bugs, Add a search feature for users and domains, Improve design for allauth pages, Add copy-to-clipboard feature, Improvements to avatar upload, Pagination in required lists, Design of header, Integrate search to header, Styling the lightbox plugin, Add tiles for labels, Add Open and close issue count for each user, Make flash messages more elegant, Make issue update [Open <=> Close] asynchronous, Make issue edit asynchronous, Add tabs in /domain, Allow Search by labels, Improvement in Check-for-duplicates, Monthly summary on stats [Monthly User Signups], Popover for user details on activity-strip, Show issue type distribution in /domain, Add Pie-chart for issue distribution in /stats, Add ability to switch domain to another domain, Update the wiki with some internal code-style guidelines, Revamp comments, Add feature to "Bookmark" issues, Listing bookmarks, Listing Followers and Followings in tabs (/profile), Add option to remove a bookmark, Fix Featured section.


Feedback from Raghav: I had a really amazing experience with OWASP and Bugheist. My 3 month long involvement with Bugheist improved my understanding of Django and Cyber security. I would love to see BLT grow as an open source project. We could further improve the repository by selectively opening proper issues and improving the PR reviewing method to prevent introduction of bugs and poor quality code to  the repository.


Siddharth Goyal:Responsive cards for errors, Added onto search functionality for labels, Examples for all types of errors using added label search, Implementation of Footer (Desktop), Implementation of Footer (Mobile), Functionality to check for bug domain in report, Added graph for stats on number of bugs reported, Bug reporting on mobile, Work on activity section., Pagination for company scoreboard, Pagination of domain specific issues., List bugs by type for user profiles, New templates for emails, Color fix for charts, Issue and domain wise duplicate check, Floating Navbar for desktop/mobile, Label specific and open/close based listing of issues for users with pagination, Custom 404/500 pages.

Feedback from Siddarth: The OWASP Code Sprint 2017 program has been an absolute dream for me. The work and other people in the project have made a huge impact on my knowledge and understanding of Django, front-end and open source in general. I would love to further contribute in BLT. Also thanks to OWASP for this awesome opportunity.

Friday, November 10, 2017

October 2017 Connector

OWASP Connector

FOLLOW US


           
  COMMUNICATIONS |  PROJECTS |  EVENTS |  CHAPTERS |  MEMBERSHIP  
Wed November 8, 2017
OWASP CONNECTOR
Communications

Operations Update

The September Operations Update includes vital information about OWASP's infrastructure initiatives, project activity, and Chapters. Read it for an overview of what is happening in OWASP.


OWASP Board of Directors Election is Reopened

Dear OWASP Community,

The OWASP Global Board has become aware of an issue that affects the integrity of our ongoing Board of Directors election.

It is with respect for the integrity of our election process, due sensitivity to the impact it will cause and fairness to all our candidates and voting members, that we have decided to halt the current election and restart it with a clean slate once the issue has been corrected. We do not take this action lightly, but as a unified Board feel we have a duty to do so. We are committed to free, fair, transparent and open elections.

There are two irregularities that need to be addressed to ensure that we have fair results:

  • A candidate was left off of the ballot.
  • Some community members whose membership expired between June - October had one of two issues:
    • Their memberships did not auto-renew.
    • They did not receive proper reminders that their membership was expiring and that they need to renew.

To address this we have opened a NEW 2017 OWASP Board of Directors election. In order to ensure fair results, the previous vote tallies have been zeroed out for this totally NEW ELECTION. Whether or not you already voted, please take a few moments to cast your vote and help decide the future direction of OWASP! If you are a member in good standing with voting privileges, you should receive an invitation to vote in the election by the end of the day today, 10/19/2017. If you do not receive an email, but believe you should have, or have any other issues related to the election, please email election2017@owasp.org.

The process behind the scenes for the past two days has been scrambling to ensure that the election is set up properly and doing a second review of the setup before re-opening.

Even as the election opens, OWASP Staff are working tirelessly to make sure that anyone who should be able to vote can. Unfortunately, this continues to be a highly manual process. The anticipated process and timeline is outlined below.

  • 10/19 - open election
  • 10/26-10/31 send renewal emails
  • 11/7 - close renewals related to voting
  • 11/8 - add those who renewed to Simply Voting
  • 11/16 - close voting
  • 11/17 - notify candidates
  • 11/20 - share the results with the community

It is critically important that the community participate in this important election in which we will be choosing four new board members.

I apologize again for the inconvenience caused through this process. Thank you for your support and patience as we worked through these issues. As always, feel free to contact me or other leaders directly in addition to the address above if you have further questions or concerns.

Thank you,

Matt Konda

OWASP Board Chair

 


Let OWASP Know How You Think We Should Construct our Budget

Every year the community gets the opportunity to tell the Board of Directors where they believe we should invest by giving input into the OWASP Annual Budget. This is the time that you can ask for funds beyond the grant amount 2k per year for resources to accomplish a particular goal for your chapter or project. You can also ask the board to implement funded initiatives, additional events, or anything that you believe will make OWASP more successful in 2018.

This year requests will go through the OWASP Service Desk hosted on Jira. You can read more about the process including Deadlines and how to submit on the OWASP Wiki

OWASP Leader Workshop

The semi annual Leader Workshop covered a lot of ground this year. The first half was devoted to our ongoing plans upgrade the infrastructure at OWASP. Since the meeting we have learned of a significant problem with our Association Management System (AMS) Migration. Correcting this issue is our largest concern at the moment. The second focus we have is our transition from mailing lists to Discourse. Once on Discourse you will be able to interact with the platform solely through your email if you wish.

Your input is invaluable and we thank you for your time.

The second half of the meeting was devoted to hearing what our Leaders need from the organization. We asked you to fill out charts listing what support is needed, what concerns need to be halted, and what has been working well for you. Overall we learned that our community is worried about vendor influence in our organization, but that the community was pleased with the OWASP Project Summit, Project outputs, and the continued efforts of the staff. Importantly we heard that Leaders see a deep need for funding projects, for increased infrastructure, and for better resources such as updated templates in more formats, swifter project start times, and shared resources such as access to staff recommended technical writers and graphics.

You can watch the meeting here, and discuss your thoughts either on the OWASP blog page or on the YouTube comments section.



 
Events

AppSec USA Developer Summit

An invitation to the local community and attendees of Global AppSecs to join us for FREE security training in the days before the AppSec Global Conference, the AppSec USA 2017 Developer Summit was a huge success, drawing unprecedented crowds! 180 participants learned about threat modeling, API vulnerabilities, and hacking iOS from 4 trainers in 3 sessions held over the course of 2 days.

While our training is performed by volunteers and primarily aimed at developers and new AppSec professionals, everyone is welcome and even seasoned pros might learn something new.

Look to attend or teach at our next Developer Summit in Tel Aviv, details coming soon!

2018 AppSec Europe CfP and CfT are now OPEN



We are glad to announce that the 2018 AppSec Europe Call for Papers and Call for Training are now open.

The OWASP AppSec conference is Europe's premier venue for web applications leaders, software engineers, researchers and visionaries from all over the world. AppSec Europe gathers the application security community for a 5-day event to share and discuss novel ideas, initiatives and advancements in AppSec.  The 2018 conference will take place in Tel-Aviv from June 17th to 21st 2018, with papers/talks presented on 20th and 21st June and training from the 17th and 18th.

The special theme of OWASP AppSec EU this year is: Usable Security. How is security affected by the human aspects of users, developers and administrators? How do we design, deploy and manage a security system so that it will be used consistently and properly? What lessons can we learn from past success (or not-exactly-success...) stories in which the human factor played a major role?

Topics of interest include, but are not limited to the following:
  • Novel web vulnerabilities and countermeasures
  • New technologies, paradigms, tools
  • OWASP tools or projects in practice
  • Secure development: frameworks, best practices, secure coding, methods, processes, SDLC
  • Browser security
  • Mobile security and security for the mobile web
  • Cloud security
  • REST/SOAP security
  • Security of frameworks
  • Large-scale security assessments of web applications and services
  • Privacy risks in the web and the cloud
  • Management topics in Application Security: Business Risks, Awareness Programs, Project Management, Managing SDLC
To ensure the best talks available are presented at AppSec Europe blind reading is being incorporated as part of their process. This means that names and job titles will be removed when the paper abstract is being reviewed. All speakers will be given access to speaker mentorship. 

The submission deadline is January 5, 2018. Please submit your proposal through EasyChair and encourage your favorite trainers and speakers to apply as well.

Upcoming Events

  • AppSec Europe 2018 — June 17–21, 2018; Tel Aviv, Israel
  • AppSec USA  — Fall 2018; San Jose, CA, USA

Regional and Local Events

Training Events

  • Seminario Universitario de Ciberseguridad  — November 10, 2017; Cali, Colombia

Partner and Promotional Events

 

 
Chapters

Chapter Health Checks                                                                 

It is time again for us to conduct our annual Chapter health check.  It will go forward from 11/9 and take several weeks.  Normally the health check entails Tiffany, the community manager, checking the wiki page of every Chapter to make sure that they have made the minimum number of meetings (each chapter must host a minimum of 4 meetings to be considered active and all meetings must be posted on the wiki to be considered open) and following up with chapters who did not manage to make the minimum number of meetings or seem at risk.  During this time she offeres support about building chapter attendance, running a chapter, and raising activity as needed.  

However, this time will take a little longer as we will be reaching out to each Chapter in alphabetical order to ensure that the Chapter's information has made the AMS transition intact.  To streamline the process, please make sure that your wiki page is up to date with all of the meetings you hosted this year. This is a great opportunity to reach out with questions about activities, budgets, or other matters.


Welcome New Chapters!                                                               

We would like to welcome these new chapters:

Madurai                Sioux Falls                Ahmedabad


 


 

The OWASP Foundation, 1200C Agora Drive #232, Bel Air, Maryland, 21014, USA

Thursday, October 19, 2017

Board Election Open With Clean Slate - Please Vote



Dear OWASP Community,

The NEW 2017 OWASP Board of Directors election has been opened. In order to ensure fair results, the previous vote tallies have been zeroed out for this totally NEW ELECTION. Whether or not you already voted, please take a few moments to cast your vote and help decide the future direction of OWASP!


If you are a member in good standing with voting privileges, you should receive an invitation to vote in the election by the end of the day today, 10/19/2017.  If you do not receive an email, but believe you should have, or have any other issues related to the election, please email election2017@owasp.org.


The process behind the scenes for the past two days has been scrambling to ensure that the election is set up properly and doing a second review of the setup before re-opening.


Even as the election opens, OWASP Staff are working tirelessly to make sure that anyone who should be able to vote can.  Unfortunately, this continues to be a highly manual process.  
The anticipated process and timeline is outlined below.
  • 10/19 - open election
  • 10/23 - send renewal email to members that expired who should be able to renew & vote
  • 10/30 - close renewals related to voting (renew before 10/30 to vote in the election)
  • 11/9 - close voting
  • 11/13 - notify candidates
  • 11/14 - share the results with the community

It is critically important that the community participate in this important election in which we will be choosing four new board members.

I apologize again for the inconvenience caused through this process. Thank you for your support and patience as we worked through these issues. As always, feel free to contact me or other leaders directly in addition to the address above if you have further questions or concerns.


Thank you,

Matt Konda
OWASP Board Chair