[Owasp-board] Volunteer NYC Metro USA

Dinis Cruz dinis at ddplus.net
Tue Jul 24 01:21:17 UTC 2007


OK, I have put some ideas about the OWASP participation on the GSW here:
https://www.owasp.org/index.php/Live_O

This is still in Draft mode, so some things might change before we release
the final list.

But please let me know your comments and ideas.

Best regards

Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org

On 7/16/07, Jeff Williams <jeff.williams at owasp.org> wrote:
>
> Hi,
>
> I've copied Neil Rerup, who's heading up the OWASP Communications project.
> We've got a great opportunity to reach a broad audience here.  I think we
> should work on a very clear message - something a little more specific than
> "build security in".
>
> How about choosing 3 key best practices that would make a real difference if
> people adopted them. The things that I'm thinking are both relatively easy
> and relatively impactful are...
>
>    1) CROSS-SITE SCRIPTING: 70-90% of web applications have Cross-Site
> Scripting (XSS) holes. You must *both* carefully validate input and use HTML
> entity encoding on all data output.
>
>    2) SQL INJECTION: If your queries are a bunch of strings and user input
> concatenated together, your database could be attacked with SQL Injection.
> Stamp out this attack by using "parameterized" queries, such as Java's
> PreparedStatement instead.
>
>    3) SESSION EXPOSURE: Your SESSIONIDs are *just* as valuable as usernames
> and passwords, so make sure you never expose them. Don't ever allow
> authenticated SESSIONIDs to be sent without SSL or exposed in the URL.
>
> There are lots of things we *could* push here, but I think we're better off
> with a tight message for a specific audience.
>
> Other ideas?
>
> --Jeff
>
> Jeff Williams, Chair
> The OWASP Foundation
> Work: 410-707-1487
> Main: 301-604-4882
> "Dedicated to finding and fighting the causes of insecure software"
>
>
> -----Original Message-----
> From: Tom Brennan [mailto:tomb at accessitgroup.com]
> Sent: Monday, July 16, 2007 8:56 AM
> To: brian.honan at bhconsulting.ie
> Cc: dinis.cruz at owasp.net; jeff.williams at owasp.org; eoinkeary at gmail.com;
> jinxpuppy at gmail.com; jtierney at nym-infragard.us
> Subject: RE: Volunteer NYC Metro USA
>
> Thank you Brian for the email.
>
> I have cc:ed Dinis Cruz the OWASP worldwide evangelist as well as OWASP
> foundation chair Jeff Williams, Ireland chapter lead Eoin and John Tierney
> of the NYC Metro FBI/Infragard org. (**John see attached, perhaps this would
> be perfect for a joint meeting at the American Stock Exchange in Sept. ?)
>
> In summary Brian, last week an email was sent to ALL worldwide chapter
> leaders asking them to get behind the GSW week and Dinis is now leading the
> charge on this. The concept was simple: to cross-promote the GSW and to ask
> OWASP chapters to have a local meeting or work with others to have a meeting
> the week of Sept of GSW.
>
> If there is anything I can lend a hand to/with in NYC Metro area, just let
> me know.
>
> Anyone - Comments/Thoughts to help this effort?
>
> Tom Brennan CISSP, NSA, C|EH
> Risk Practice Manager
> AccessIT Group
> Web: www.accessitgroup.com
> Office: 973-316-6016 Ext. 525
> Mobile: 973-202-0122
>
> * Note - my non-commercial email address is: jinxpuppy at gmail.com (OWASP
> and other non-business related items)
>
>
> -----Original Message-----
> From: Brian Honan [mailto:brian.honan at bhconsulting.ie]
> Sent: Sunday, July 15, 2007 5:11 PM
> To: Tom Brennan
> Subject: FW: Volunteer NYC Metro USA
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Tom
>
> My name is Brian Honan and I am on the organising committee for this year's
> Global Security Week.  Many thanks for your interest in Global Security Week
> and we are delighted that your OWASP chapter is willing to support the
> effort.  Based in Ireland we have had good support for the past two events
> from the Irish OWASP chapter and they have helped promote our events through
> their local mailing list.
>
> The aim of Global Security Week is to raise security awareness amongst the
> public and organisations about issues relating to security, primarily
> information security.  This year's theme is on the subject of privacy and we
> hope that a number of events will be held worldwide to promote people's
> awareness as to how to protect their privacy when online and also educate
> companies on their responsibilities, both legal and moral, when it comes
> to protecting the privacy of their customers.
>
> Global Security Week is a totally voluntary initiative and we have no
> commercial funding or agenda.  The initiative is funded entirely from the
> committee's own funds and time.  We have people involved in Global Security
> Week throughout the world and during the week we have events planned in
> different regions.  For example here in Ireland I plan to run a free seminar
> on the above topic open to anyone who wishes to attend.
>
> We ask that those who wish to become involved help promote Global Security
> Week in their region either by running specific events dedicated to Global
> Security Week, taking part in events already planned or simply making people
> aware that the week is on and the topic is "Privacy in the 21st Century".
> Even simply making people aware of Global Security Week and directing them
> to the website is a great help.
> Not having commercial funding we depend on word of mouth and like-minded
> individuals to make people aware of the week.
>
> We are in the early stages of planning a Blog to run during the week.
> Ideally we would like to get as many contributors from around the world
> involved who can make a valued contribution on the theme for the week.  So if
> the timing of the week is not suitable for hosting an event perhaps your
> chapter would be willing to contribute to the Blog?  An example would be to
> highlight the legal obligations companies operating in your area are obliged
> to meet regarding privacy.
>
> I have attached the press release that we sent out last week announcing the
> theme for this year.  In fact if there are any members of your chapter with
> an artistic flair then they could help by entering our logo competition and
> could stand a chance to win a $100 Amazon.com voucher.
>
> Tom, thanks again for taking the time and interest in Global Security Week.
> If there is anything else I can do to help or more information you require
> please do not hesitate to contact me.
>
> Regards
>
> Brian
>
> Brian Honan
> BH Consulting
> Helping You Piece IT Together
> T:  +353-1-4404065
> M:  +353-868114066
> E:  brian.honan at bhconsulting.ie
> W:  http://www.bhconsulting.ie
> B:  http://www.bhconsulting.ie/blog
>
> Supporting Global Security Week http://www.globalsecurityweek.com
>
> This message is for the named person's use only. If you received this
> message in error, please immediately delete it and all copies and notify the
> sender. You must not, directly or indirectly, use, disclose, distribute,
> print, or copy any part of this message if you are not the intended
> recipient. Any views expressed in this message are those of the individual
> sender and not of BH Consulting.
> BH Consulting is a registered trade name for BH IT Consulting Limited,
> Company Registration Number: 393479 with registered offices at 49
> Luttrelstown Drive, Castleknock, Dublin 15.  Company Directors are Brian
> Honan and Veronica Sheridan.
>
>
>
>
>
> - -----Original Message-----
> From: Tom Brennan [mailto:tomb at accessitgroup.com]
> Sent: Friday, 13 July 2007 10:02 a.m.
> To: info at GlobalSecurityWeek.com
> Subject: Volunteer NYC Metro USA
>
> Wanted to reach out to GSW from both the commercial side and non-profit side
> to volunteer efforts to GSW.
>
> I am the chapter president for OWASP NYC/NJ see:
> http://www.owasp.org/index.php/NYNJMetro and although our next meeting will
> be Sept 27th (after the GSW Week) I was wondering what local events or tasks
> you could use some help with?
>
> Thanks in advance.
>
> Tom Brennan CISSP, NSA, C|EH (USMC-Ret.) Ethical Hacker & Practice Manager
> AccessIT Group
> Office: 973-316-6016 Ext. 525
> Mobile: 973-202-0122
> Web: www.accessitgroup.com
>
> Do you LinkIn? http://www.linkedin.com/in/tombrennan
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.1
>
> iQA/AwUBRpqNbIu28IDxtc99EQKQIQCfRCoRjsBAlf+yneVTDonC0txqQvEAn1z/
> 3vf3Fk7zYmrOr5XOqyXFDR6X
> =HvOA
> -----END PGP SIGNATURE-----
>
>
>
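The three practices in Jeff Williams's message quoted above (entity-encode output against XSS, use parameterized queries against SQL injection, and never send an authenticated SESSIONID without SSL or in the URL) as an added Python example; this is not code from the thread or from OWASP. The user table, the sample names, the URLs and the list of session parameter names are constructed for the demonstration; sqlite3's `?` placeholders stand in for Java's PreparedStatement, and the HttpOnly cookie flag is an addition beyond what the mail asks for.

```python
"""Added example (not from the thread or OWASP): Jeff Williams's three
practices demonstrated on constructed data. sqlite3 bound parameters stand in
for Java's PreparedStatement; HttpOnly goes beyond the mail's text."""
import html
import sqlite3
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# --- 1) Cross-site scripting: entity-encode every piece of data on output ---

def render_greeting(display_name: str) -> str:
    """Return an HTML fragment in which the user-supplied name is rendered as
    text, never as markup: html.escape(quote=True) rewrites & < > " and '."""
    return "<p>Hello, " + html.escape(display_name, quote=True) + "!</p>"

# --- 2) SQL injection: bound parameters instead of string concatenation ----

def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed rows (one name contains a quote)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"),
                      ("O'Brien", "obrien@example.test")])
    return conn

def lookup_email_concat(conn: sqlite3.Connection, name: str) -> list:
    """The pattern the mail warns about: input spliced into the SQL text, so
    a quote character in `name` changes the structure of the statement."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_email_param(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: `?` is a bound parameter, so `name` travels as a value
    and the statement's structure is fixed no matter what it contains."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# --- 3) Session exposure: SSL-only cookies, no session IDs in URLs ---------

SESSION_PARAMS = ("SESSIONID", "JSESSIONID", "PHPSESSID")  # constructed list

def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie value for SESSIONID that browsers send only over
    SSL/TLS (Secure) and that page script cannot read (HttpOnly)."""
    jar = SimpleCookie()
    jar["SESSIONID"] = session_id
    jar["SESSIONID"]["secure"] = True
    jar["SESSIONID"]["httponly"] = True
    jar["SESSIONID"]["path"] = "/"
    return jar["SESSIONID"].OutputString()

def session_exposed(url: str) -> bool:
    """Review helper: True when an authenticated session must not be sent to
    this URL, because it is not SSL or the session ID sits in the URL itself
    (query string or a ;jsessionid= path parameter)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return True
    query_keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    if any(p.lower() in query_keys for p in SESSION_PARAMS):
        return True
    return ";jsessionid=" in parts.path.lower()

def demo() -> dict:
    """Run all three checks on constructed input and return the results."""
    conn = make_db()
    try:
        concat = lookup_email_concat(conn, "O'Brien")
    except sqlite3.OperationalError as exc:  # the quote broke the statement
        concat = "statement broken: " + str(exc)
    return {
        "xss": render_greeting("<b>Bob</b>"),
        "concat_plain": lookup_email_concat(conn, "alice"),
        "concat_quote": concat,
        "param_quote": lookup_email_param(conn, "O'Brien"),
        "cookie": session_cookie_header("constructed-session-id"),
        "url_plain_http": session_exposed("http://shop.example.test/cart"),
        "url_id_in_query": session_exposed(
            "https://shop.example.test/cart?SESSIONID=constructed-session-id"),
        "url_clean": session_exposed("https://shop.example.test/cart"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated lookup works for `alice` and fails for `O'Brien`, which is the point: a quote in ordinary data already changes the statement, so anything an attacker controls can too, while the bound-parameter version returns the right row because the input is never parsed as SQL. The cookie and URL helpers are the review checks a chapter could hand developers for the third practice.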

