Website update


Andrew van der Stock

Mar 24, 2026, 6:40:41 PM (6 days ago)
to Global-board
Hi Board,

I met with Christian after he met with Antimatter. Antimatter is back working on our site after they were paid earlier this week. They are fairly confident they can get through the last six items on their burndown list, and then they will look at the remaining penetration testing items. The current plan is to go live on or around April 15. 

We will retest all penetration testing findings before going live. 

thanks,
Andrew van der Stock
Distinguished Lifetime Member
Executive Director, OWASP

Louis Griffith

Mar 24, 2026, 6:44:15 PM (6 days ago)
to Andrew van der Stock, Global-board
Thank you for the update Andrew.

Have a great night!

Best,

L. B. Ricardo Griffith
Vice Chair, OWASP Global Board
📧 Ricardo....@owasp.org | 🌐 https://owasp.org 



--
You received this message because you are subscribed to the Google Groups "Global-board" group.
To unsubscribe from this group and stop receiving emails from it, send an email to global-board...@owasp.org.
To view this discussion visit https://groups.google.com/a/owasp.org/d/msgid/global-board/CADtrMx7HJ5jRw6V8PshRp0aRnHz6ksH5FeRPJN6GQS2JQfFtaw%40mail.gmail.com.

Sam Stepanyan

Mar 24, 2026, 7:48:24 PM (6 days ago)
to Global-board
Board, I need to escalate and flag that the security issues I discovered on the new website in January remain unaddressed. With the original deadline, March 26th, arriving in two days, there has been no visible progress on remediation. In my opinion the current state of the new website represents an unacceptable level of risk.

Launching the new website with OWASP Top 10 vulnerabilities, including plain-text password and token storage, no MFA, no Google SSO, weak passwords such as 12345678 being accepted, stored XSS, and broken authentication and authorization flows, would be a major liability and could cause significant reputational damage to OWASP. 

Based on my 20 years of experience of teaching secure coding and ASVS implementation, remediating these issues on a website with thousands of pages is not a 14-day task. It requires a re-design of the identity management logic, implementation of strict input validation throughout the source code and thorough regression testing.

Another big problem with the new site is broken/outdated content and formatting issues on Chapter and Project pages - this is being raised almost weekly on the OWASP Leaders list and Slack.

I strongly recommend that we postpone the go-live until a proper remediation roadmap is prepared and executed and verified step-by-step against our own OWASP ASVS and API Security standards.

Andrew, I am happy to volunteer my spare time to assist in explaining these issues to the vendor and advise on remediation.

Sam



--
Sam Stepanyan
OWASP London Chapter Leader
OWASP Global Board Member
sam.st...@owasp.org
https://owasp.org/london
Follow OWASP London Chapter on Twitter/X: @owasplondon
"Like" us on Facebook: https://www.facebook.com/OWASPLondon
Watch video recordings of our events on YouTube: https://www.youtube.com/OWASPLondon

Consider giving back and supporting the open community by becoming an OWASP member today! 

Steve Springett

Mar 24, 2026, 9:04:28 PM (6 days ago)
to Sam Stepanyan, Global-board
The go live date is April 15th. Are you suggesting we postpone it further?

— Steve

Sam Stepanyan

Mar 25, 2026, 6:09:54 PM (5 days ago)
to Steve Springett, Global-board
I am suggesting we postpone it until we have confirmed that the known OWASP Top 10 security issues are all fixed, we have a professional CREST-certified penetration test done and the website is OWASP ASVS-compliant. 

The content should also be updated - at the moment most pages (including Chapters and Projects and even the Board page!) are out of date.

Sam