[Owasp-ireland] OWASP Ireland News - August 27th, 2010
fabio.e.cerullo at aib.ie
Fri Aug 27 09:07:07 EDT 2010
*****************************************************
OWASP Ireland News August 27th, 2010
*****************************************************
1. OWASP Ireland 2010 Countdown: Third Challenge to win an entry ticket!
2. Visa offers new guidance on securing payment applications
3. Microsoft SDL and the Creative Commons
4. HTML5 Raises New Security Issues
5. SAMM and the Financial Services Industry
6. New Horizons Ireland: Special Offer to OWASP Members & Raffle to Free
Training Course
------------------------------------------------------------------------
1. OWASP Ireland 2010 Countdown: Third Challenge to win an entry ticket!
We are fast approaching the biggest Application Security Conference in
Ireland.
And to make it more exciting, we are releasing the following challenge to
win a FREE ticket!
String uN = ctx.getAuthenticatedUserName();
// value supplied by the client in the request
String paramName = request.getParameter("paramName");
String query = "SELECT * FROM items WHERE owner = '" + uN + "' AND "
             + "paramName = '" + paramName + "'";
ResultSet rs = stmt.executeQuery(query);
You have to answer the following two questions:
1) What is the fundamental issue with this construct?
2) What is the potential vulnerability?
All answers should be sent to ireland at owasp.org.
Thanks and best of luck!
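To see what is at stake in the construct above, the following added example (not part of the newsletter, and written in Python with sqlite3 rather than JDBC) runs the same query once with the values pasted into the SQL text and once with bound parameters, the Python equivalent of a JDBC PreparedStatement. The table and rows are constructed sample data; the only input used is a perfectly legitimate name containing an apostrophe.

```python
import sqlite3

# Constructed sample data (not from the newsletter): one item per owner.
ROWS = [("alice", "O'Brien report"), ("bob", "bob-item")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (owner TEXT, paramName TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", ROWS)
    return conn


def lookup_concat(conn, user, param_name):
    """Mirrors the challenge snippet: both values are glued into the SQL text,
    so any quote inside them becomes part of the query's structure."""
    query = ("SELECT * FROM items WHERE owner = '" + user + "' AND "
             "paramName = '" + param_name + "'")
    return conn.execute(query).fetchall()


def lookup_param(conn, user, param_name):
    """Hardened form: the SQL text is fixed, values travel separately as
    parameters (JDBC: PreparedStatement with setString), so they are always
    data and never change the query's shape."""
    query = "SELECT * FROM items WHERE owner = ? AND paramName = ?"
    return conn.execute(query, (user, param_name)).fetchall()


def demo():
    conn = make_db()
    results = {}
    name = "O'Brien report"  # ordinary value that happens to contain a quote
    try:
        results["concat"] = lookup_concat(conn, "alice", name)
    except sqlite3.OperationalError as exc:
        # The apostrophe terminated the literal early and broke the statement.
        results["concat"] = "SQL error: %s" % exc
    results["param"] = lookup_param(conn, "alice", name)
    # The owner filter still holds: bob cannot read alice's row.
    results["param_other_owner"] = lookup_param(conn, "bob", name)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The syntax error is the benign symptom; the underlying problem is that the query's structure depends on whatever the client sends, and the parameterized form removes that dependency entirely.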
You can find all the details about this event, including the updated agenda,
keynote speakers, available training, etc., at the URL below:
http://www.owasp.org/index.php/OWASP_IRELAND_2010
Did you know?
By attending OWASP Ireland 2010 you automatically become an OWASP member
for a year. This applies to all non-members who register for the
conference.
2. Visa offers new guidance on securing payment applications
Visa on Tuesday announced a set of security best practices for vendors of
payment applications and for the systems integrators and resellers
responsible for implementing and managing them.
More on this story:
http://usa.visa.com/download/merchants/bulletin_payment_app_companies_best_practices.pdf
3. Microsoft SDL and the Creative Commons
I am happy to announce that from this point forward, Microsoft will be
making their publicly available SDL documentation and other SDL process
content available to the development community under a Creative Commons
license.
By changing the license terms, they are now allowing people and
organizations to copy, distribute and transmit the documentation to
others; this means that you can now incorporate content from the SDL
documents they release under Creative Commons into your internal process
documentation, subject to the terms specified by the Creative Commons
license mentioned above.
You can learn more about the specifics of that license here:
http://creativecommons.org/licenses/by-nc-sa/3.0/
Note that they do not intend to change the licensing for any of the SDL
tools released by Microsoft – those will continue to use existing
Microsoft licenses.
Their first two documents for release under a Creative Commons license
will be the English versions of the "Simplified Implementation of the
Microsoft SDL" whitepaper and the Microsoft Security Development Lifecycle
(SDL) - Version 5.0 paper, which illustrates how Microsoft applies the SDL
to its own products and services. Those releases will be completed over
the next few weeks.
Check out Microsoft’s blog page here:
http://blogs.msdn.com/b/sdl/archive/2010/08/26/microsoft-sdl-and-the-creative-commons.aspx
4. HTML5 Raises New Security Issues
When it comes to new security issues, the security team for the Firefox
browser has the new version of the Web HyperText Markup Language, HTML5,
foremost in mind.
"Web apps are becoming incredibly rich with HTML5. The browser is starting
to manage full-bore applications and not just Web pages," said Sid Stamm,
who works on Firefox security issues for the Mozilla Foundation. Stamm was
speaking at the Usenix Security Symposium, held last week in Washington
D.C.
You can find the full article here:
http://www.cio.com/article/print/604563
5. SAMM and the Financial Services Industry
The financial services industry is the perfect work stream for frameworks
like SAMM. Financial services is widely known as an area which invests
heavily in information security; it is heavily regulated (some say not
heavily enough), and the daily challenge for FS is to maintain leading-edge
security while managing costs and usability and remaining compliant with
industry regulations, corporate governance and local/regional/global
legislation.
SAMM covers four domains, which in turn have sub-domains. These four
"pillars" attempt to examine all aspects of software development and all
external catalysts which may result in either making security more robust
or introducing weakness.
The beauty of SAMM is its simplicity.
You can find the full article here:
http://www.opensamm.org/2010/08/samm-and-the-financial-services-industry/
6. New Horizons Ireland: Special Offer & Raffle to Free Training Course
OWASP Ireland has reached an agreement with New Horizons Ireland to offer
its members significant discounts on their full range of training courses.
With over 300 centers in 60 countries, New Horizons is the world's largest
independent IT training company. New Horizons Ireland (Dublin and Galway)
delivers a full range of computer training courses, from basic application
and desktop productivity tools to complex and integrated business systems.
Please feel free to visit their website at the URL below for further
details:
http://www.newhorizonsireland.ie
The following courses are currently available on the public schedule:
http://www.newhorizonsireland.ie/LocalWeb/Ireland/Mentored-Learning-Courses.aspx
They also offer the following courses live online:
http://www.newhorizonsireland.ie/LocalWeb/Ireland/OLLCourses.aspx
OWASP members can benefit from a 20% discount on all their courses. In
order to avail of this special offer, you need to use the following code
when registering for a training course on their website:
*OWASPIRL*
OWASP IRELAND 2010: SPECIAL RAFFLE
And to celebrate this agreement, OWASP Ireland will raffle 1 place on the
training course below, absolutely FREE of charge, among those who register
for AppSec Ireland 2010 before 3rd September. This has been generously
donated by New Horizons Ireland and will be delivered at their Dublin
offices in the near future.
6460 Visual Studio 2008 Connected Systems: Windows Presentation Foundation
http://www.newhorizons.com/LocalWeb/popup/ClassInfo.aspx?ClassID=300003490&ILT=300003490&OLA=&OLL=&ML=&GroupID=462&Mode=3&scheduleclassid=MSM6460
I hope you find this useful to develop your professional career further.
Kind regards,
Fabio Cerullo
************************************************************************************************************************************
The professional association of OWASP Foundation Inc. is always free and
open to anyone interested in learning more about application security.
Prior to participating with OWASP, please review the Chapter Rules and the
OWASP overview for some background. As a 501(c)(3) non-profit professional
association, your support and sponsorship of a meeting venue and/or
refreshments is tax-deductible, and all financial contributions can be made
online using the online chapter donation button. We encourage organization
and individual supporters of our ethics & principles to become a voting
MEMBER. More information on how to become a member can be found here:
http://www.owasp.org/Membership
************************************************************************************************************************************