Website update


Andrew van der Stock
Mar 24, 2026, 6:40:41 PM
to Global-board
Hi Board,

I met with Christian after he met with Antimatter. Antimatter is back working on our site after they were paid earlier this week. They are fairly confident they can get through the last six items on their burndown list, and then they will look at the remaining penetration testing items. The current plan is to go live on or around April 15. 

We will retest all penetration testing findings before going live. 

thanks,
Andrew van der Stock
Distinguished Lifetime Member
Executive Director, OWASP

Louis Griffith
Mar 24, 2026, 6:44:15 PM
to Andrew van der Stock, Global-board
Thank you for the update Andrew.

Have a great night!

Best,

L. B. Ricardo Griffith
Vice Chair, OWASP Global Board
📧 Ricardo....@owasp.org | 🌐 https://owasp.org 



--
You received this message because you are subscribed to the Google Groups "Global-board" group.
To unsubscribe from this group and stop receiving emails from it, send an email to global-board...@owasp.org.
To view this discussion visit https://groups.google.com/a/owasp.org/d/msgid/global-board/CADtrMx7HJ5jRw6V8PshRp0aRnHz6ksH5FeRPJN6GQS2JQfFtaw%40mail.gmail.com.

Sam Stepanyan
Mar 24, 2026, 7:48:24 PM
to Global-board
Board, I need to escalate and flag that the security issues I discovered on the new website in January remain unaddressed. With the original deadline, March 26th, arriving in two days, there has been no visible progress on remediation. In my opinion the current state of the new website represents an unacceptable level of risk.

Launching the new website with OWASP Top 10 vulnerabilities, including plain-text password and token storage, no MFA, no Google SSO, weak passwords such as 12345678 being accepted, stored XSS, and broken authentication and authorization flows, would be a major liability and could cause significant reputational damage to OWASP. 

Based on my 20 years of experience teaching secure coding and ASVS implementation, remediating these issues on a website with thousands of pages is not a 14-day task. It requires a re-design of the identity management logic, implementation of strict input validation throughout the source code and thorough regression testing.

Another big problem with the new site is broken/outdated content and formatting issues on Chapter and Project pages - this is being raised almost weekly on the OWASP Leaders list and Slack.

I strongly recommend that we postpone the go-live until a proper remediation roadmap is prepared and executed and verified step-by-step against our own OWASP ASVS and API Security standards.

Andrew, I am happy to volunteer my spare time to assist in explaining these issues to the vendor and advise on remediation.

Sam



--
Sam Stepanyan
OWASP London Chapter Leader
OWASP Global Board Member
sam.st...@owasp.org
https://owasp.org/london
Follow OWASP London Chapter on Twitter/X: @owasplondon
"Like" us on Facebook: https://www.facebook.com/OWASPLondon
Watch video recordings of our events on YouTube: https://www.youtube.com/OWASPLondon

Consider giving back and supporting the open community by becoming an OWASP member today! 

Steve Springett
Mar 24, 2026, 9:04:28 PM
to Sam Stepanyan, Global-board
The go live date is April 15th. Are you suggesting we postpone it further?

— Steve

Sam Stepanyan
Mar 25, 2026, 6:09:54 PM
to Steve Springett, Global-board
I am suggesting we postpone it until we have confirmed that the known OWASP Top 10 security issues are all fixed, we have a professional CREST-certified penetration test done and the website is OWASP ASVS-compliant. 

The content should also be updated - at the moment most pages (including Chapters and Projects and even the Board page!) are out of date.

Sam

Andrew van der Stock
Mar 31, 2026, 8:20:20 PM
to Global-board, Sam Stepanyan, Steve Springett
Hi all,

I met with Christian earlier today. All of the known issues have been addressed, including an update to the way the site renders HTML where leaders can update their content. Christian is meeting with Paul to go over any last minute feedback. I've asked for the following changes:

- A Board / Governance page that has buttons to take you to the existing Board and Policy websites, and a place for us to include our financials and audit reports. 
- A Committees / Working group page that has sub-pages like the Projects or Chapters that allows Committees and Working Groups to have their own landing pages. 
- And an enquiry to find out if they have fixed the clear text storage of passwords. I've given Christian the OWASP Password Storage Cheat Sheet if they haven't yet fixed this.  Once we know it's fixed, I'll be asking that we reset everyone's passwords, because it's not ok to store passwords in the clear. 

As per Sam's suggestion above, I've sent a quote request to one of his preferred penetration testers that has CREST certification. I've given them authorization to properly scope an assessment, and to let us know how long it will last and when they can schedule us in. 

thanks,
Andrew


Louis Griffith
Mar 31, 2026, 9:19:08 PM
to Andrew van der Stock, Global-board, Sam Stepanyan, Steve Springett
Thank you for the update Andrew.

Ricardo
