Global OWASP Foundation Board of Directors Election
Elections for the 3 available board member seats for the 2017-2019 term will be held in October. Board members are unpaid volunteers responsible for setting the strategic direction of the organization and ensuring the financial integrity of the OWASP Foundation. Detailed information on meeting requirements, roles and responsibilities within the board, term limits, and elections is found in the OWASP Foundation bylaws. You can follow past Board meetings and learn about the current focus of the board on the Board page. The current slate of candidates has been interviewed by Mark Miller, who asked the top questions submitted by the community in the Call for Questions. Every paid and honorary member of OWASP will have one vote for each of the three seats in the election. Members must have been registered by September 30, 2016, so join today! You can learn more about your candidates by clicking on their name (listed in alphabetical order by first name):

We are thrilled to announce that Matt Tesauro has joined the OWASP Foundation staff as our Senior Project Engineer. Matt has been involved in InfoSec for more than 15 years and has been a volunteer with OWASP since 2008, when he created the OWASP Live CD Project for the first OWASP Summer of Code. He evolved this project into the OWASP WTE flagship project, which he still runs. Matt also co-leads the OWASP AppSec Pipeline project and is a former OWASP Foundation Board member. The primary focus of his new role is to reinvigorate the OWASP Projects and bring automation and workflow improvements based on Agile and DevOps principles. Matt will be splitting his time 60/40 between proactive process improvements and operational items. As part of his interview process, Matt was asked to provide his preliminary thoughts on improving OWASP projects; check out his Vision for Change. The end goal is a healthy stable of projects which are simple for project leaders to contribute to and easy for the AppSec community at large to use. You can read the entire blog post HERE.

OWASP Projects and activities are often the subject of webcasts and podcasts. Sit back and relax as you watch and listen to these recent episodes.
Security as Part of DevOps and Development
OWASP Core Rule Set - New Release!
The OWASP Core Rule Set team is proud to announce the first of two planned release candidates for the upcoming OWASP ModSecurity Core Rule Set v3.0.0. This new release represents a huge step forward in terms of both capabilities and protections, including:
Please see the CHANGES document for a detailed list of new features and improvements. The intent is for the Core Rules project to be used as a baseline security feature, effectively fighting OWASP Top 10 weaknesses with few side effects. As such, CRS attempts to cut down on false positives in the default install. This RC1 therefore offers an opportunity for individuals to provide feedback and to report any other issues they may face. CRS is no longer aimed at ModSecurity experts. This is the Core Rules for the rest of us. Please use the CRS GitHub or the Core Rules mailing list to tell us about your experiences, including false positives or other issues with this release candidate. Our current timeline is to seek public feedback on RC1 for the next month, followed by an RC2 and subsequently a release. For more information, please see the blog post accompanying this release.

The OWASP Juice Shop Tool Project is an intentionally insecure web application for security training, written entirely in JavaScript, which encompasses the entire OWASP Top Ten and other severe security flaws. Written in Node.js, Express and AngularJS, Juice Shop is the first application written entirely in JavaScript listed in the OWASP VWA Directory.
The application contains 28+ challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a scoreboard. Finding this scoreboard is actually one of the (easy) challenges!
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig" application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.

The OWASP Snakes & Ladders Project has released v1.10EN of "OWASP Snakes and Ladders - Web Applications". Snakes & Ladders is a simple educational board game for all sizes of people, promoting awareness of application security controls and risks, and in particular knowledge of other OWASP documents and tools. This release updates the virtuous behaviors (ladders) to the secure coding practices defined in the 2016 version of the OWASP Top Ten Proactive Controls. The print-ready PDF is free to download. We will produce other language versions as translations are provided. In the meantime, please see the v1.02 files for Deutsch, Español, Français, Português Brasileiro, 日本語 and 中文. There is also a v1.02 edition for Mobile Apps.

The OWASP dependency-check team is pleased to announce the release of version 1.4.0! See the release notes for more information.
In addition to the 1.4.0 release, an SBT dependency-check plugin was created (thanks Alexander)!

The 2016 Google Summer of Code is coming to a close. As part of our participation, OWASP was given the opportunity and funding to have 2 mentors attend the 2016 GSoC Mentor Summit. Congratulations to our raffle winners Konstantinos Papapanagiotou and Andres Morales. Watch for the GSoC wrap-up blog post coming soon!

We are proud to announce the OWASP Project Summit USA 2016, taking place at AppSecUSA 2016 on October 11th and 12th. Part working session, part roundtable, the project summit is an open forum for ideas and innovations, for gaining contributors, and for sharing feedback so projects can advance to the next level. You can add your own hot topics to the discussion.
Any individual interested in learning about projects, or who would like to work on a project prior to the conference, is welcome to join at no charge.
Participating projects will receive financial support through the reimbursement process. Each project can receive $750 for air travel assistance and 2 nights of accommodation during the Project Summit. Project leaders receive a free ticket to the conference.
Participating projects must have been active in the last 9 months, have a complete and updated wiki page with a clear road map, and submit a specific agenda and deliverables. Projects must sign up by September 23.

Munir Njiru presented his project OWASP Mth3l3m3nt Framework at Africahackon 2016.
OWASP AppSec USA 2016
OWASP's 13th Annual AppSecUSA Conference is just two months away, and we have exciting event details to share. AppSec USA 2016 is taking place in Washington, DC, October 11-14. The event comprises two days of training sessions followed by a two-day conference where software security leaders, researchers and technologists discuss cutting-edge ideas, initiatives and technological advancements to secure web applications. This is also an opportunity for C-level executives focused on improving the security posture of their organization to discuss key challenges and priorities around their security programs, and to learn about the latest in security technology innovation. This year's conference includes four inspirational keynote speakers who are challenging traditions, including:
In addition to the above keynotes, there will be multiple other program sessions with renowned speakers from well-known companies, including Scott Behrens, senior application security engineer for Netflix; Christian Frichot of LinkedIn; Chris Gates, senior security engineer for Uber; Brian Manifold, software/security engineer for Cisco; and many more.
For more information about AppSecUSA 2016, including the complete program and speakers, or to register online, please visit the website.

Summertime is a HOT time for OWASP! Check out this blog post listing all the open CFPs.

Regional and Local Events
ArmSec: September 16 - September 17, 2016, Armenia
Boston Application Security Conference (BASC): October 1, 2016, Boston, MA
OWASP Bucharest AppSec Conference: October 6, 2016, Bucharest, Romania
Lonestar Application Security Conference (LASCON): November 1 - November 4, 2016, Austin, TX
OWASP Middle East Cyber Security Conference, 2017: May 3 - May 4, 2017, Dubai, UAE

Partner and Promotional Events
OWASP will have a booth at JavaOne 2016 in San Francisco, CA, September 18 - 22, 2016. All project leaders are invited to apply for the opportunity to demo their project at the event. Winners will receive a ticket to the event (valued at $2,000) and $500 to defray travel costs. There are only 2 spots available, so hurry and apply! Applications must be submitted by September 1st. We also have unlimited staff passes available for anyone who wishes to staff the booth and explore the expo area. To take advantage of these passes, please contact Kelly Santalucia and Claudia Aviles-Casanovas.
ONE2ONE SUMMIT: September 14 - September 17, 2016, Colombia
Notable Chapter Activity
The OWASP Taguig Chapter held a Tech Training Session covering Understanding CSRF, Email Harvesting and Phishing Frameworks, Sandboxing, and Malware Analysis. The audience was a mix of civilian and military members. This is part of the inter-chapter research and development that our Filipino chapters are conducting. Their topics include: Malware Intelligence, Static Malware Analysis, and Automated Multi-scanner Malware.
The Jaipur chapter hosted OWASP-Jaipur Cyber Square Summit at The LNM Institute of Information Technology on 28th August, 2016. The event attracted 300 people from all over India to its 10 talks.
Vlad Cotenescu, Andrei Jurca, Cosmin Ilie and Oana Cornea, members of the Bucharest chapter, represented OWASP at the 2016 Dev Talks in Bucharest. Their team acquainted developers with strategic projects such as OWASP Zed Attack Proxy, OWASP Testing Guide, OWASP OWTF and OWASP Dependency Check. Thanks for the awesome developer outreach!

Share Your Stories!
We at the OWASP Global Foundation are looking forward to hearing about more such events in future. Share your chapter's successes! Submit your stories to sup...@owasp.org

OWASP Membership is a great way to contribute to our local chapters and projects. A portion of your membership can be allocated to the chapter and/or project of your choice. Please show your support for OWASP Projects and Chapters by becoming an Individual or Corporate member today!
New Contributing Corporate Members
Renewed Corporate Members (Premier Level)
Renewed Corporate Members
Your name here? Find out how by visiting our Corporate Supporters information page. Thanks to all of our Premier and Contributing Corporate Members for your support in 2015!
The OWASP Foundation 1200-C Agora Drive #232 Bel Air, Maryland 21014 US