Monday, July 17, 2017

July 2017 Corporate Members


July 2017 Corporate Member

We would like to thank Peach for supporting the OWASP Foundation.  
Peach has contributed this month by joining OWASP as a new Corporate Member.  

Details about Corporate Membership can be found here.


Contributor Corporate Member

Peach Tech provides advanced security testing solutions and leading-edge products, such as the innovative, automated Peach API Security. Peach API Security intelligently executes a series of fuzz tests and passive security tests on your web APIs. Comprehensive test results empower your team to mitigate security vulnerabilities, and each uncovered vulnerability includes actionable data. Peach API Security supports many CI systems and test suites, and transforms unit tests into security tests. We also developed the robust fuzzing platform Peach Fuzzer. We customize testing strategies for security-minded clients engaged in all stages of development. Leverage the power of Peach Tech to secure your world.

For more information, please visit: https://www.peach.tech/





Want your company name here? 
Find out how by visiting our Corporate Member information page, or contact Kelly Santalucia, our Membership & Business Liaison today!  


Thank you to all of our Premier and Contributor Corporate Members for your support!

Wednesday, July 5, 2017

2017 WASPY Nominees Have Been Announced!




We are excited to announce the 2017 WASPY Award nominees!

We had a tremendous amount of nominations this year. Thank you for nominating your favorite WASPY!

Best Community Supporter Category Nominees Are...
Aatral Arasu
Sean Auriti
Nicole Becher
Ken Belva
Tony Clarke
Dinis Cruz
Christian Folini
Joaquin Fuentes
Brendan Gormley
Tanya Janca
Jeremy Long
Akash Mahajan
Dhiraj Mishra
Denise Murtagh-Dunne
Owen Pendlebury
Mick Ryan
Sriram Shyam 
Michelle Simpson
Steve Springett
John Vargas
Tara Williams

Best Mission Outreach Category Nominees Are...
Aatral Arasu
Sean Auriti
Tony Clarke
Christopher Frenz
Joaquin Fuentes
Tanya Janca
Kitisak Jirawannakool
James Manico
Mateo Martinez
Mark Miller
Dhiraj Mishra
Owen Pendlebury
Sriram Shyam
Noreen Whysel

Best Innovator Category Nominees Are...
Aatral Arasu
Sean Auriti
Glenn & Riccardo ten Cate
Mark Deenihan
Seba Deleersnyder
Christopher Frenz
Joaquin Fuentes
Brian Glas
Evin Hernandez
Jeremy Long
Daniel Miessler
Dhiraj Mishra
Bernhard Mueller
Steve Springett
thc202



Best of luck to all the nominees!

More information about the WASPY Awards can be found here.

Monday, July 3, 2017

OWASP Code Sprint 2017 - Student Selections


OWASP Foundation is pleased to announce the student selections for the OWASP Code Sprint 2017. There were 32 student proposals submitted, and it was a very challenging decision to select only 14 Student Slots.

Below are the Student Selections by Project:

OWASP Hackademic Project 
Student Selection:  Pavlos Zianos

OWASP DefectDojo Project
Student Selection: Eric Anderson

OWASP Appsensor Project
Student Selection: Rutuja Surve

OWASP Security Knowledge Framework  Project
Student Selections: Wojciech Reguła & Heeraj H Nair

OWASP ZCS Tool Project
Student Selection: Nikhil R

OWASP ZAP Project
Student Selections: Anamika Das & Blay Kevin Cedric Achi

OWASP Bug Logging Tool
Student Selections: Mohit Anand, Raghav Jajodia, Siddharth Goyal & Sourav Badami

OWASP OWTF Project
Student Selections: Anshul Singhal & Tikam Alma


More Mentors Welcomed
Do you want to become a mentor for a student?
Choose a participating OWASP project from the OWASP Code Sprint 2017 

Thank you to all the students that have submitted applications.

Program Leaders:
Konstantinos Papapanagiotou
Fabio Cerullo
Spyros Gasteratos

Claudia Aviles Casanovas, Project Coordinator

Sunday, July 2, 2017

OWASP Operations Update for July 2017

Welcome to the operations update for July 2017, the ongoing series of updates on what's happening at the OWASP Foundation.  Last month's post is available here.

In a bit of a departure from previous formats, we're starting with an announcement you may have already heard - OWASP Foundation employee #1 and #2 have left OWASP.  Alison (November 2007) and Kate (May 2008) had their last days at OWASP on Friday, June 30th.  The entire OWASP community owes a huge debt of gratitude to these two employees who helped turn a scrappy group of AppSec people into the thriving community that is OWASP today.  They've dealt with problems great and small while always keeping the OWASP core values in mind and seen drastic changes from:

  • Discovering there wasn't a signed contract for a venue a week before the start of AppSec USA 2008 in NYC
      to
  • Hosting AppSec conferences in the US, EU, LATAM, APAC and many, many regional events
      or
  • Staff growing from an accountant to 8 (and now back to 6)
      or
  • Spreadsheets to Salesforce to over 10,000 community submitted cases worked
I'm not sure how you do this in a blog, but here goes:  <silence>moment</silence> 

Please thank them for all their hard work over a decade and, if you see them in person, treat them to the beverage of their choice.  Now back to our regularly scheduled blog post...

OWASP IT Infrastructure Hosting - Modernizing and migrating the OWASP infrastructure 
  • Remaining hosts at Rackspace: OWASP wiki, Mailman server, Virtual-host server providing redirects and static content
    • These are on hold until staff is back to full strength
  • For the current status, see last month's update.
The Website Reboot - aka TWR - a major effort to update and modernize the OWASP web presence
  • Phase 1 is complete
  • Phase 2, 3 and 4 are in process
  • These are on hold until staff is back to full strength
  • For the current status, see last month's update.
The OWASP Communication Plan 
  • Discourse as a replacement for Mailman
    • On hold until staff is back to full strength
    • For the current status, see last month's update
  • Beta program for the Foundation's Global Meetup account continues
OWASP 2017 Strategic Goal 
  • TLDR: Host 4 trainings worldwide of ~500 attendees geared toward developers and entry-level security professionals - further details on the wiki.
  • 4 locations finalized: Israel, Tokyo, Boston, Bangalore
  • Call for Trainers anticipated to launch mid-July
Association Management System (AMS) Upgrade 
  • Highly complex multi-step process taking 8 to 12 weeks
  • 95%+ complete
    • Membership, Renewals, Conference Registration, Multi-currency support, reduced need for discount codes and many more improvements
  • A few minor issues, tweaks, changes and bugs to work through before 100% complete
Projects 
  • AppSec USA 2017
    • CFP and CFT closed - Speakers and Trainers notified by July 5th
    • Final schedule upload to Sched.org is nearly complete
    • Loads of final details being hammered out
  • AppSec EU 2018
    • Finalizing Gantt Chart
    • Conference budget built out
    • Multiple RFPs out for bid
  • AppSec APAC 2018 - proposal under review
Membership 
  • 59 Corporate Members
    • $180,000 (45% of yearly goal)
  • 2,733 Individual Members
    • $69,335 (63% of yearly goal)
  • 2017 WASPY Awards
    • Call for nominees closed on June 30th
    • 32 submissions excluding any last minute additions
  • 2017 Global Board of Directors Elections
    • 16 candidates as of June 30th
    • Milestone reminders are being sent to the community
  • Developer Summit at AppSec USA 2017
    • Looking for trainer/volunteers to present at this event!
  • Blackhat USA 2017
    • Kelly and Matt will be attending at the OWASP booth representing the OWASP staff
    • Volunteer slots have all been filled to help with the booth
    • Swag and other booth items ordered and will be shipped to the event
Community  
  • The first of several volunteer portal surveys is going out early July
  • Presentation from the Leaders Meeting at AppSec EU 2017
  • OWASP Summit in London retrospective
    • EU chapter leaders raised concerns about chapter legal status in the EU
    • EU VAT/tax issues were also raised
    • Storage of physical assets of chapters is a growing concern
    • Leaders would like reimbursement system to include standardized budget codes
  • OWASP LATAM
    • Spanish translation of the chapter orientation is in progress
Serving the Community 

Per the request of the OWASP Board, we've included these charts of the staff's interaction with the broader OWASP community via submitted cases to the Foundation.  We passed the 10,000 case mark in early 2017.

Cases for 2017


As always, the OWASP staff are here to make the OWASP community even stronger.  If you have a question, concern or need something please let us know by using the 'Contact Us' form.  Also, feel free to attend, suggest or otherwise engage the OWASP Foundation further at the July 5th Board meeting.

Your friendly neighborhood OWASP staff:
  Kate, Kelly, Alison, Laura, Claudia, Tiffany, Dawn and Matt

Monday, June 19, 2017

June 2017 Corporate Members



We would like to thank the following companies for supporting the OWASP Foundation.  
The companies listed below have contributed this month by either renewing their existing 
Corporate Membership or joining OWASP as a new Corporate Member.  

Details about Corporate Membership can be found here.


Contributor Corporate Members


Headquartered in downtown Manhattan, CipherTechs, Inc. is a privately held information security services provider. We focus on delivering security solutions for businesses harnessing the power of Internet communications. We audit, design and implement information security solutions in areas of IP networking, firewalls, application security, risk assessment, traffic management, encryption, redundancy and strong authentication. For more information, please visit http://www.ciphertechs.com.


Sonatype secures modern software development by fixing at-risk applications, automating policy throughout the lifecycle and identifying hidden risks in your applications. Sonatype's Component Lifecycle Management identifies and tracks OSS components, automates and enforces policy, and prevents the use of flawed components throughout the software lifecycle. Ask about free risk assessments. More information about Sonatype can be found here http://www.sonatype.com.

We are a software company and community of passionate, purpose-led individuals. We think disruptively to deliver technology that addresses our clients’ toughest challenges, all while seeking to revolutionize the IT industry and create positive social change. ThoughtWorks' 3,000 professionals serve clients from offices in Australia, Brazil, Canada, China, Ecuador, Germany, India, Italy, Singapore, South Africa, Turkey, Uganda, the United Kingdom and the United States. ThoughtWorks releases a regular technology radar, a study that looks at the key trends that impact the software development and business strategies. The Radar helps companies stay on top of topics that are constantly evolving, such as security, and offers insight and practical tools to build secure systems at every stage of the development process. For more information, please visit http://www.thoughtworks.com/




Want your company name here? 
Find out how by visiting our Corporate Member information page, or contact Kelly Santalucia, our Membership & Business Liaison today!  


Thank you to all of our Premier and Contributor Corporate Members for your support!


Friday, June 16, 2017

AppSec USA 2017 Developer Summit Call for Session Volunteers



AppSec USA 2017 Developer Summit 

We are excited to announce that OWASP will once again be holding a two-day Developer Summit at AppSec USA 2017 on September 19 & 20, 2017. OWASP is providing a structured platform for developers during the two days prior to the AppSec USA 2017 conference. The Developer Summit will consist of sessions geared toward learning about security vulnerabilities.

If you have an interesting topic and would like to volunteer to host a training session, please SUBMIT HERE.  For topic ideas, you can reference the AppSec EU 2017 DevSummit agenda. There are limited funds available to help offset the selected presenters' travel and one night of hotel accommodation.  

The Call for Presenters will close on July 14, 2017. Individuals will be notified on or before July 21, 2017 if their session was chosen. Please note: a conference ticket is NOT included, however you may purchase one separately. 

There is no charge to attend the Developer Summit, so come join us! If you plan on attending, please SIGN UP so we have an estimated headcount and can be sure we have enough space and food.

More details and the agenda are coming soon!
Questions? Please submit them here.

Thursday, June 15, 2017

OWASP Code Sprint 2017 - Applications Extended to June 18th!!




Student application submissions are now extended to JUNE 18th: APPLY HERE 

Goal:
The OWASP Code Sprint 2017 is a program that aims to provide incentives to students to contribute to OWASP projects. By participating in the OWASP Code Sprint 2017 a student can get real life experience while contributing to an open source project. A student who successfully completes the program will receive $1500.

Help OWASP Invite Students: 

Program Leaders:
Konstantinos Papapanagiotou
Fabio Cerullo
Spyros Gasteratos

Claudia Aviles Casanovas, Project Coordinator

Wednesday, June 7, 2017



Nominations are NOW being accepted for the 2017 WASPY Awards!

Every day, week, month and year OWASP volunteers contribute countless hours of their own personal time to OWASP to help make the cyber world a safer place.  Some of these volunteers are well known in the OWASP community, while many others fly under the radar with only their local community seeing the stunning work they are doing. WASPY awards strive to recognize our unsung contributors and make their contributions to the community visible.

The WASPY Awards offer 3 categories, so you can nominate 3 different "unsung heroes" who you feel best fit each category description, based on the individual's contributions to the OWASP Foundation.



To learn more about the awards, and to nominate your favorite WASPYs please visit: https://www.owasp.org/index.php/WASPY_Awards_2017

Friday, June 2, 2017

OWASP Operations Update for June 2017

Welcome to the operations update for June 2017, the ongoing series of updates on what's happening at the OWASP Foundation.  Last month's post is available here.

Major efforts, status of those and important changes from the last time:

OWASP IT Infrastructure Hosting - Modernizing and migrating the OWASP infrastructure after Rackspace ended their donation of hosting.

  • Remaining hosts at Rackspace
    • OWASP Wiki
      • Servers for the wiki will be migrating to AWS - held for AppSec EU and for hiring a new IT Contractor after the previous one left for a startup - wishing them success in their new gig.
      • New IT Contractor started on June 1
    • Mailman server
      • Will be decommissioned after a gradual, phased migration to Discourse of the existing, active lists.  More on Discourse below.
      • Mail archives will be moved to a new server with the same URL structure
    • Virtual-host server providing redirects and static website content
      • Ansible created to deploy virtual-hosts for either redirects or static sites by adding a few lines to a config file
      • Ansible tested on the *.appseccalifornia.org domains successfully
The Website Reboot - aka TWR - A major effort to update and modernize OWASP's web presence
  • Phase 1 - Complete
  • Phase 2 - Wiki style updates
    • RFP for the wiki style upgrade is currently being drafted
    • RFP will include a responsive MediaWiki theme plus CSS and associated style guide
    • Style guide will be used to style other OWASP web sites such as Discourse, the blog, etc.
  • Phase 3 - Single Sign-on
    • SSO using @owasp.org identities will be POC'ed during the AMS migration
  • Phase 4 - Wiki content and organization
    • Internal R&D completed. RFP will be drafted after Phase 2 (Style) RFP
The OWASP Communication Plan 
  • Discourse as a replacement for Mailman
    • Dev instance deployed to assist with REST API automation efforts
    • Test instance deployed to alpha test structure and organization of content
    • Leader Sandbox being deployed to allow leader experimentation and to test SSO with @owasp.org and other identity providers (Github, Twitter, Facebook, ...)
  • Beta program for the Foundation's Global Meetup account continues
OWASP 2017 Strategic Goal 
  • TLDR: Host 4 trainings worldwide of ~500 attendees geared toward developers and entry-level security professionals - further details on the wiki.
  • 4 locations finalized
    • Israel - mid-October
    • Tokyo - late September
    • Boston - October
    • Bangalore - November
  • Call for Trainers content has been created, call for trainers will launch in June
Association Management System (AMS) upgrade 
  • Highly complex, multi-step process taking 8 to 12 weeks
    • Accounting module - Complete
    • Membership module - in process, waiting for custom dev work to complete
    • Events Module - in process, will be used for AppSec USA 2017 registrations
  • Current and future benefits
    • Multi-currency support in a single registration system
    • Significant improvement for event registration and membership renewals especially for OWASP Leaders
    • Reduced use of discount codes for registrations e.g. no more leaders code
    • Ability to modify an existing registration e.g. add training to an existing conference registration
    • Membership renewals - new 2 click process
    • Membership renewals - optional auto-renewals
    • Better insight for Chapter/Project leaders on the status of their efforts
      • Simplified Chapter/Project leader merchandise requests
    • Unified and streamlined funding and reimbursement requests
Projects 
Events 
  • OWASP Summit in London - there's still time to register and attend
  • AppSec USA 2017 - Orlando
    • CFP Round 1 complete - speakers and trainers notified
    • CFP Round 2 has begun - ends June 15th
    • Project Summit in Orlando at AppSec USA 2017 - Sign-ups now open!
    • Sponsorships to date: $335,000 - info on opportunities 
  • AppSec EU 2017 in Belfast was a fantastic event
  • OWASP at Blackhat USA 2017
  • WASPY Awards are right around the corner - start thinking of our awesome unsung heroes you'd like to nominate
Community
  • Successful group orientations in Japanese and Spanish for Chapter leaders
    • Fast growing languages among OWASP Chapters
    • Native language chapter organizations were coordinated successfully
  • Leader Workshop at AppSec EU
    • Major upcoming changes were discussed with leaders at that conference
    • Couldn't attend? See the blog post for the details you missed.
Serving the Community 

Per the request of the OWASP Board, we've included a chart of the staff's interaction with the broader OWASP community via submitted cases to the Foundation. We continue to push beyond the 10,000 total case envelope.

Cases for 2017


As always, the OWASP staff are here to make the OWASP community even stronger.  If you have a question, concern or need something please let us know using the 'Contact Us' form. Also, feel free to attend, suggest or otherwise engage with the OWASP Foundation further at the June 7th Board Meeting.

Your friendly neighborhood OWASP staff:
    Kate, Kelly, Alison, Laura, Claudia, Tiffany, Dawn and Matt 

Thursday, June 1, 2017

OWASP iGoat Tool Project - Restart


Project Leader: Swaroop Yermalkar (@swaroopsy)

iGoat is a learning tool for iOS developers (iPhone, iPad, etc.) and mobile app pentesters. It was inspired by the WebGoat project, and has a similar conceptual flow to it. As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.
The lessons are laid out in the following steps:
  1. Brief introduction to the problem.
  2. Verify the problem by exploiting it.
  3. Brief description of available remediations to the problem.
  4. Fix the problem by correcting and rebuilding the iGoat program.
*Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don't know how to fix a specific problem.

iGoat Version 3.0 Release

  1. Updated SQLCipher to latest version
  2. Removed project specific compilation warnings
  3. Removed crashing code for server side exercises.
  4. Updated project details in project github page.
  5. Added multiple exercises including:
    • Broken Cryptography
    • Insecure Storage in Plist
    • Insecure Storage in NSUserDefaults
    • Side Channel Data Leaks via Device Logs
    • Cross Site Scripting

Requirements:
To build and run iGoat, you'll need a Mac running OS X (real or virtual machine) with Xcode installed. The best thing about iGoat is that you can run it on the iOS Simulator as well as on an iPhone / iPad / iPod.

Call for contributors:
We invite the OWASP community to download and try iGoat, and we welcome your suggestions for improvements. We're always looking for willing participants to contribute to the project as well! To contribute to the iGoat project, please contact Swaroop (swaroop.yermalkar@owasp.org or @swaroopsy).

How to contribute?

  • Add new exercises (OAuth attacks, crypto attacks, third-party library issues, etc.)
  • Test iGoat on iPhone and iPad and report any issues
  • Remove compilation warnings
  • Suggest new attacks
  • Write blogs / articles about iGoat
  • Spread the word about iGoat :)

Screenshots:

  1. Broken Cryptography


In this exercise, you're going to identify an insecure mechanism for storing sensitive data locally. You will observe an encryption key hard-coded in the source, with which you can decrypt the stored sensitive data back into plain text. For more information, refer to: https://www.owasp.org/index.php/Mobile_Top_10_2014-M6
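The Broken Cryptography exercise above turns on one defect: a key (or IV) that ships inside the app binary as a literal, so anyone who can read the binary can decrypt the data. As an added example, not code from the iGoat project, here is a small Python triage scanner that flags that pattern in Swift and Objective-C source: literals assigned to key-like identifiers, and string literals passed straight into CCCrypt. The three source snippets it scans are constructed for this example; the vulnerable ones show the anti-pattern, the hardened one fetches key material from the Keychain at runtime.

```python
"""Heuristic scanner for hard-coded key material in Swift / Objective-C source.

Added example, not iGoat project code. The sample sources below are constructed
for this example; the Keychain API names (SecItemCopyMatching, kSecClass, ...)
and CommonCrypto names (CCCrypt, kCCKeySizeAES128) are real Apple APIs.
"""
import re
from dataclasses import dataclass
from typing import List

# Identifier tokens that suggest the variable holds cryptographic key material.
KEY_WORDS = {"key", "iv", "secret", "password", "passphrase"}

# A Swift or Objective-C declaration whose right-hand side is a literal, e.g.
#   let aesKey = "0123456789abcdef"        let iv: [UInt8] = [0x00, ...]
#   NSString *kSecretKey = @"...";         unsigned char key[16] = { 0x01, ... };
DECL = re.compile(
    r"(?:\b(?:let|var)\s+|\bNSString\s*\*\s*|\bchar\s*\*?\s*)"
    r"(?P<name>[A-Za-z_]\w*)"
    r"\s*(?::\s*[\w\[\]<>.]+)?"      # optional Swift type annotation, e.g. ": [UInt8]"
    r"\s*(?:\[\d*\])?"               # optional C array size, e.g. "[16]"
    r"\s*=\s*"
    r"(?P<value>@?\"[^\"]*\"|\[[^\]]*\]|\{[^}]*\})"
)

# A CommonCrypto call that receives a string literal directly as an argument.
CCCRYPT_LITERAL = re.compile(r"\bCCCrypt\s*\([^;]*?@?\"[^\"]+\"")


@dataclass(frozen=True)
class Finding:
    line: int          # 1-based line where the declaration or call starts
    identifier: str    # variable name, or "CCCrypt" for the call check
    reason: str


def camel_tokens(name: str) -> List[str]:
    """Split camelCase / SNAKE_CASE identifiers into lowercase word tokens."""
    return [t.lower() for t in re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])|\d+", name)]


def looks_like_key_name(name: str) -> bool:
    """True when any whole token of the identifier is a key-ish word."""
    return any(t in KEY_WORDS for t in camel_tokens(name))


def scan_source(source: str) -> List[Finding]:
    """Return findings sorted by line; an empty list means nothing was flagged."""
    findings: List[Finding] = []
    for m in DECL.finditer(source):
        name = m.group("name")
        if looks_like_key_name(name):
            line = source.count("\n", 0, m.start()) + 1
            findings.append(Finding(line, name, "key-like identifier assigned a literal value"))
    for m in CCCRYPT_LITERAL.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        findings.append(Finding(line, "CCCrypt", "string literal passed directly to CCCrypt"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample 1: the iGoat-style anti-pattern in Swift (key and IV as literals).
VULNERABLE_SWIFT = """\
import CommonCrypto

class Storage {
    // Hardcoded key and IV: anyone with the app binary can recover them
    let aesKey = "0123456789abcdef"
    let iv: [UInt8] = [0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
                       0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f]

    func encrypt(_ plaintext: Data) -> Data {
        return plaintext  // body elided in this constructed sample
    }
}
"""

# Constructed sample 2: the same defect in Objective-C, plus a literal key given to CCCrypt.
VULNERABLE_OBJC = """\
#import <CommonCrypto/CommonCrypto.h>

static NSString *kSecretKey = @"s3cr3t-k3y-2017!";

- (NSData *)decrypt:(NSData *)ciphertext {
    unsigned char iv[16] = { 0 };
    size_t moved = 0;
    unsigned char out[1024];
    CCCrypt(kCCDecrypt, kCCAlgorithmAES, kCCOptionPKCS7Padding,
            "s3cr3t-k3y-2017!", kCCKeySizeAES128, iv,
            ciphertext.bytes, ciphertext.length, out, sizeof(out), &moved);
    return [NSData dataWithBytes:out length:moved];
}
"""

# Constructed sample 3: hardened form, key material read from the Keychain at runtime.
HARDENED_SWIFT = """\
import Security

enum KeyError: Error { case missing }

class Storage {
    // Key material lives in the Keychain, never in source
    func loadKey() throws -> Data {
        let query: [String: Any] = [
            kSecClass as String: kSecClassKey,
            kSecAttrApplicationTag as String: "com.example.igoat.aes",
            kSecReturnData as String: true,
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess, let key = item as? Data else {
            throw KeyError.missing
        }
        return key
    }
}
"""

if __name__ == "__main__":
    for label, src in [("vulnerable.swift", VULNERABLE_SWIFT),
                       ("vulnerable.m", VULNERABLE_OBJC),
                       ("hardened.swift", HARDENED_SWIFT)]:
        for f in scan_source(src) or [Finding(0, "-", "no hard-coded key material found")]:
            print(f"{label}:{f.line}: {f.identifier}: {f.reason}")
```

The scanner is a triage aid, not a proof: a string literal assigned to `key` may only be a Keychain label, so each finding still needs a human look, and key material built at runtime by obfuscation (concatenation, XOR of byte arrays) will slip past the regexes. Its value is in catching the common case cheaply in a pre-commit hook or CI step, which is exactly the case the exercise teaches you to recognise by hand.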

Please provide feedback to Swaroop Yermalkar or use the contact us form.