[OWASP-Columbia] OWASP Foundation | August 2016 Connector

Frank Catucci frank.catucci at owasp.org
Fri Sep 2 12:49:06 UTC 2016

September 2, 2016 | www.owasp.org
*OWASP Communications*
Global OWASP Foundation Board of Directors Election

Elections for the 3 available board member seats for the 2017-2019 term
will be held in October. Board members are unpaid volunteers responsible
for setting the strategic direction of the organization and ensuring the
financial integrity of the OWASP Foundation. Detailed information on
meeting requirements, roles and responsibilities within the board, term
limits, and elections is found in the OWASP Foundation bylaws.
You can follow the past Board meetings and learn about the current focus of
the board on the Board page.

The current slate of candidates has been interviewed by Mark Miller,
who asked the top questions submitted by the community in the Call for

Every paid and honorary member of OWASP will have one vote for each of the
three seats in the election. Members must be registered by September
30, 2016, so join today.

You can learn more about your candidates by clicking on their name (listed
in alphabetical order by first name):

   - Andrew van der Stock
   - Bil Corry
   - Frank Catucci
   - Johanna Curiel
   - Martin Knobloch
   - Matt Konda
   - Milton Smith
   - Owen Pendlebury
   - Simhalu "Sim" Kandala
   - Steve Kosten

Meet Matt Tesauro, OWASP's Senior Project Engineer

We are thrilled to announce that Matt Tesauro has joined the OWASP
Foundation staff as our Senior Project Engineer. Matt has been involved in
InfoSec for more than 15 years and has been a volunteer with OWASP since 2008, when
he created the OWASP Live CD Project for the first OWASP Summer of Code. He
evolved this project into the OWASP WTE
flagship project, which he still runs. Additionally, Matt co-leads the
AppSec Pipeline project
and is a former OWASP Foundation Board member.

The primary focus of his new role is to reinvigorate the OWASP Projects and
bring automation and workflow improvements based on Agile and DevOps
principles. Matt will be splitting his time 60/40 between proactive process
improvements and operational items. As part of his interview process, Matt
was asked to provide his preliminary thoughts on improving OWASP projects;
check out his Vision for Change
The end goal is a healthy stable of projects which are simple for project
leaders to contribute to and easy for the AppSec community at large to use.

You can read the entire blog post HERE
OWASP Podcasts

OWASP Projects and activities are often the subject of webcasts and
podcasts. Sit back and relax as you watch and listen to these recent

Security as Part of DevOps and Development

DevOps, Security, and Engineering at Slack

Update On the ASVS Project

*OWASP Projects*

OWASP Core Rule Set - New Release!

The OWASP Core Rule Set team is proud to announce the first of two planned
release candidates for the upcoming OWASP ModSecurity Core Rule Set v3.0.0.

This new release represents a huge step forward in terms of both
capabilities and protections including:

   - A 95% reduction in false positives for a typical CRS deployment using
   the default configuration.
   - Extended effectiveness and detection capabilities in numerous areas,
   namely Remote Command Execution and PHP injections (Walter Hop).
   - A simple to use, adjustable paranoia level that allows users to tailor
   their ruleset experience.
   - The capability to allow existing sites to try out the Core Rules by
   enabling the rules for only a limited percentage of requests (Christian

Please see the CHANGES document
for a detailed list of new features and improvements.

The intent is for the Core Rules project to be used as a baseline security
feature, effectively fighting OWASP Top 10 weaknesses with few side
effects. As such, CRS attempts to cut down on false positives in the default
install. This RC1 therefore offers an opportunity for individuals to
provide feedback and to report any other issues they may face. CRS is no
longer aimed at ModSecurity experts. This is the Core Rules for the rest of

Please use the CRS GitHub
or the Core Rules mailing list to tell us about your experiences, including
false positives or other issues with this release candidate. Our current
timeline is to seek public feedback on RC1 for the next month, followed by
an RC2 and subsequently a release.

For more information, please see the blog post about
this release.
New Project

OWASP Juice Shop Tool Project
is an intentionally insecure webapp for security training written
entirely in JavaScript which encompasses the entire OWASP Top Ten
and other severe security flaws. Written in Node.js, Express and AngularJS,
Juice Shop is the first application written entirely in JavaScript listed
in the OWASP VWA
Directory. The application contains 28+ challenges of varying difficulty
where the user is supposed to exploit the underlying vulnerabilities. The
hacking progress is tracked on a scoreboard. Finding this scoreboard is
actually one of the (easy) challenges! Apart from the hacker and awareness
training use case, pentesting proxies or security scanners can use Juice
Shop as a "guinea pig" application to check how well their tools cope with
JavaScript-heavy application frontends and REST APIs.
Project Releases

*The OWASP Snakes & Ladders Project* has released v1.10EN of "OWASP Snakes
and Ladders - Web Applications". Snakes & Ladders is a simple educational
board game for all sizes of people, promoting awareness of application
security controls and risks, and in particular knowledge of other OWASP
documents and tools.

This release updates the virtuous behaviors (ladders) to the secure coding
practices defined in the 2016 version of the OWASP Top Ten Proactive
Controls. The print-ready PDF
is free to download.

We will produce other language versions as translations are provided. In
the meantime, please see the v1.02 files for Deutsch, Español, Français,
Português Brasileiro, 日本語 and 中文.

There is also a v1.02 edition for Mobile Apps.

*The OWASP dependency-check team* is pleased to announce the release of
version 1.4.0! See the release notes
for more information.

In addition to the 1.4.0 release an SBT dependency-check plugin
was created (thanks Alexander)!
Google Summer of Code Update

The 2016 Google Summer of Code
is coming to a close. As part of our participation, OWASP was given the
opportunity and funding to have 2 mentors attend the 2016 GSoC Mentor Summit.
Congratulations to our raffle winners Konstantinos Papapanagiotou and
Andres Morales. Watch for the GSoC wrap-up blog post coming soon!
OWASP Project Summit USA 2016

We are proud to announce the OWASP Project Summit USA 2016, taking
place at AppSecUSA
October 11th and 12th. Part working session, part roundtable, the project
summit is an open forum to share ideas and innovations, gain contributors,
and gather feedback so projects can advance to the next level. You can add
your own hot topics
to the discussion.

   - Project Graduation Reviews
   - Implementation of Gamification and Badges for OWASP Projects
   - OWASP Code Project Bug Bounties
   - Discussion on OWASP Documentation Projects
   - Q&A OWASP Funding and Current Initiatives

Any individual interested in learning about projects, or who would like to work
on a project prior to the conference, is welcome to join at no charge.

Participating Projects will receive financial support through the
reimbursement process. Each project can receive $750 for air travel
assistance and 2 nights of accommodations during the Project Summit.
Project leaders receive a free ticket to the conference.

Participating projects must have been active in the last 9 months, have a
complete and updated wiki page with a clear road map, and submit a specific
agenda and deliverables. Projects must sign up
by September 23.
Project Outreach in Africa

Munir Njiru
presented his project OWASP Mth3l3m3nt Framework
at Africahackon 2016.

*OWASP Events*
OWASP AppSec USA 2016

OWASP's 13th Annual AppSecUSA Conference is just two months away, and we
have exciting event details to share.

AppSec USA 2016
is taking place in Washington, DC, October 11-14. The event is comprised of
two days of training sessions followed by a two-day conference where
software security leaders, researchers and technologists discuss
cutting-edge ideas, initiatives and technological advancements to secure
web applications. This is also an opportunity for C-level executives
focused on improving the security posture of their organization to discuss
key challenges and priorities around their security programs, and learn
about the latest in security technology innovation.

This year's conference includes four inspirational keynote speakers who are
challenging traditions, including:

   - *Matthew Green,* respected cryptographer and security technologist
   with over fifteen years of industry experience in computer security. Dr.
   Green is an Assistant Professor of Computer Science at the Johns Hopkins
   Information Security Institute.
   - *Samy Kamkar,* privacy and security researcher, computer hacker,
   whistle blower and entrepreneur. At the age of 16, Mr. Kamkar co-founded
   Fonality. He is possibly best known for creating and releasing the fastest
   spreading virus of all time, the MySpace worm Samy.
   - *Joe Jarzombek,* former Director for Software Assurance in the
   National Cyber Security Division of the U.S. Department of Homeland
   Security (DHS). He led government inter-agency efforts with industry,
   academia, and standards organizations to shift the security paradigm away
   from patch management.
   - *Dan Geer,* CISO for In-Q-Tel. Mr. Geer was a key contributor to the
   development of the X Window System, as well as the Kerberos authentication
   protocol while a member of the Athena Project at MIT in the 1980s. Shortly
   after, he created the first information security consulting firm on Wall

In addition to the above keynotes, there will be multiple other program
tracks taking place with renowned speakers
from well-known companies, including: Scott Behrens, senior application
security engineer for Netflix; Christian Frichot of LinkedIn; Chris Gates,
senior security engineer for Uber; Brian Manifold, software/security
engineer for Cisco; and many more.

For more information about AppSecUSA 2016, including the complete program
and speakers, or to register online, please visit the website.
Open Calls for Papers

Summertime is a HOT time for OWASP! Check out this blog post
listing all the open CFPs.

Regional and Local Events

ArmSec
September 16 - September 17, 2016, Armenia

Boston Application Security Conference (BASC)
October 1, 2016, Boston, MA

OWASP Bucharest AppSec Conference
October 6, 2016, Bucharest, Romania

Lonestar Application Security Conference (LASCON)
November 1 - November 4, 2016, Austin, TX

OWASP Middle East Cyber Security Conference, 2017
May 3 - May 4, 2017, Dubai, UAE

Partner and Promotional Events

OWASP will have a booth at JavaOne 2016
in San Francisco, CA, September 18 - 22, 2016. All project leaders are
invited to apply for the opportunity to demo their project at the event.
Winners will receive a ticket to the event (valued at $2,000) and $500 to
defray travel costs. There are only 2 spots available so hurry and apply!
Applications must be submitted by September 1st.

We also have unlimited staff passes available for anyone who wishes to
staff the booth and explore the expo area. To take advantage of these
passes please contact Kelly Santalucia <kelly.santalucia at owasp.org> and Claudia

September 14 - September 17, 2016, Colombia

BSides Colombia
September 14 - September 16, 2016, Boca Beach Club, Boca Raton, FL

* Cyber Security Summit New York
September 21, 2016, Grand Hyatt, New York

* (ISC)2 Secure CEE
September 27, Prague, Czech Republic

New York Metro Joint Cyber Security Conference
October 5, 2016, New York, NY

* (ISC)2 Secure Johannesburg
October 6, 2016, Johannesburg

Edge 2016 Security Conference
October 18 - 19, 2016, Knoxville, TN

(ISC)2 Security Congress EMEA 2016
October 18-19, 2016, Croke Park Stadium Dublin, Ireland

* IoT Tech Expo North America, 2016
October 20 - 21, 2016, Santa Clara, CA

* Ekoparty Security Conference
October 24 - 28, 2016, Buenos Aires

* Cyber Security Summit Los Angeles
October 27, 2016, Fairmont Miramar Hotel

ZeroNights 2016
November 17 - 18, 2016, Moscow, Russia

* (ISC)2 Secure Dubai
November 22, 2016, Dubai

* (ISC)2 Secure London
December 6, 2016, London

* (ISC)2 Secure Croatia
December 15, 2016, Croatia

* IoT Tech Expo Global, 2017
January 23 - 24, 2017, Olympia, London

April 4 - April 6, 2017, Prague, Czech Republic

to see special discounts for OWASP members.*
*OWASP Chapters*
Notable Chapter Activity

The OWASP Taguig Chapter
held a Tech Training Session covering Understanding CSRF, Email Harvesting
and Phishing Frameworks, Sandboxing, and Malware Analysis. The audience was
a mix of civilian and military members. This is part of the inter-chapter
research and development that our Filipino chapters are conducting. Their
topics include: Malware Intelligence, Static Malware Analysis, and
Automated Multi-scanner Malware.

The Jaipur chapter
hosted OWASP-Jaipur Cyber Square Summit at The LNM Institute of Information
Technology on 28th August, 2016. The event attracted 300 people from all
over India to its 10 talks.

Vlad Cotenescu, Andrei Jurca, Cosmin Ilie and Oana Cornea, members of
the Bucharest chapter,
represented OWASP at the 2016 Dev Talks in Bucharest. Their team acquainted
developers with strategic projects such as OWASP Zed Attack Proxy, OWASP
Testing Guide, OWASP OWTF and OWASP Dependency Check. Thanks for the
awesome developer outreach!

*Share Your Stories!*

We at the OWASP Global Foundation are looking forward to hearing about more
such events in the future. Share your chapter's successes! Submit your stories
to support at owasp.org.

OWASP Membership is a great way to contribute to our local chapters and
projects. A portion of your membership can be allocated to the chapter
and/or project of your choice. Please show your support for OWASP Projects
and Chapters by becoming an Individual or Corporate member today!
*OWASP Membership*
New Contributing Corporate Members

   - Onward Security Corporation

Renewed Corporate Members (Premier Level)

   - CipherTechs, Inc
   - Credit Karma, Inc
   - Virsec Systems, Inc.

Renewed Corporate Members

   - *Salesforce* (Premier Level)
   - ThoughtWorks, Ltd. (Contributor Level)
   - SCSK Corporation (Contributor Level)
   - Sonatype (Contributor Level)

Your name here? Find out how by visiting our Corporate Supporters
information page.

Thanks to all of our Premier and Contributing Corporate Members
for your support in 2015!
*OWASP Social Media*
OWASP Social Media Site

   - OWASP YouTube Channel
   - LinkedIn
   - Twitter
   - Google +
   - Facebook
   - Ning
   - StackOverflow
   - GitHub
   - Trello
   - Slack
