[Owasp-summit-2013] OWASP Global Connector October 9, 2013

The OWASP Foundation The_OWASP_Foundation at mail.vresp.com
Wed Oct 9 22:12:06 UTC 2013

Global OWASP Connector - October 9, 2013
Featured OWASP Project

OWASP CSRFGuard Project -

OWASP CSRFGuard is a library that implements a variant of the
synchronizer token pattern to mitigate the risk of Cross-Site Request
Forgery (CSRF) attacks.  The OWASP CSRFGuard library is integrated
through the use of a JavaEE Filter, and exposes various automated and
manual ways to integrate per-session or pseudo-per-request tokens
into HTML.  When a user interacts with this HTML, CSRF prevention
tokens (i.e. cryptographically random synchronizer tokens) are
submitted with the corresponding HTTP request.  It is the
responsibility of OWASP CSRFGuard to ensure the token is present and
is valid for the current HTTP request.  For more information on the
CSRFGuard project, please contact the project leader, Eric Sheridan
- eric.sheridan at owasp.org .
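The per-session and pseudo-per-request token handling described above, as an added illustration that is not CSRFGuard's own code: a small in-memory token store that issues cryptographically random tokens, renders them into a hidden form field, and validates them with a constant-time comparison.  The class, session identifiers and field name used here are constructed for the example.

```python
"""Added example (not CSRFGuard's code): a minimal synchronizer-token store."""
import hmac
import secrets
from html import escape
from typing import Dict, Optional


class CsrfTokenStore:
    """One master token per session, or single-use tokens per request.

    Session ids and storage are constructed stand-ins for a real
    servlet session; only the token logic is the point.
    """

    def __init__(self, per_request: bool = False):
        self.per_request = per_request
        self._session_tokens: Dict[str, str] = {}   # session id -> token
        self._request_tokens: Dict[str, str] = {}   # one-time token -> session id

    def token_for(self, session_id: str) -> str:
        """Return a token to embed in HTML served to this session."""
        if self.per_request:
            token = secrets.token_hex(32)           # 256 bits of randomness
            self._request_tokens[token] = session_id
            return token
        return self._session_tokens.setdefault(session_id, secrets.token_hex(32))

    def hidden_field(self, session_id: str, name: str = "OWASP_CSRFTOKEN") -> str:
        """Render the hidden <input> that a protected form carries."""
        value = escape(self.token_for(session_id), quote=True)
        return f'<input type="hidden" name="{name}" value="{value}">'

    def validate(self, session_id: str, submitted: Optional[str]) -> bool:
        """Reject a missing token; otherwise check it belongs to this session.

        hmac.compare_digest keeps the comparison constant-time so token
        bytes cannot be recovered through timing differences.
        """
        if not submitted:
            return False
        if self.per_request:
            # pop() consumes the token, so a replayed token fails the second time
            owner = self._request_tokens.pop(submitted, None)
            return owner is not None and hmac.compare_digest(owner, session_id)
        expected = self._session_tokens.get(session_id)
        return expected is not None and hmac.compare_digest(expected, submitted)
```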

NEW OWASP Projects

OWASP Node.js Goat Project

Node.js is a widely adopted platform for developing web applications.
This project provides an environment to learn how OWASP Top 10
security risks apply to web applications developed using Node.js, and
how to effectively address them. For more information, please contact
the project leader, Chetan Karande - chetan.karande at owasp.org .

OWASP Pygoat Project

The Pygoat Project is similar to the WebGoat or RailsGoat projects in
that it is an application specifically designed to be insecure in
hopes of teaching others about code flaws in web applications.  In
this specific context, it will focus mainly on Python and Django code
libraries.  For more information, please contact the project leader,
Kyle Rippee - kyle.rippee at owasp.org .

OWASP Python Security Project

Python Security is a free, open source project that aims at creating
a hardened version of python that makes it easier for security
professionals and developers to write applications more resilient to
attacks and manipulations.

The project is designed to explore how web applications can be
developed in python by approaching the problem from three different
angles:

Security in python:  white-box analysis, structural and functional analysis.
Security in python:  black box analysis, identify and address security-related issues.
Security with python:  develop security hardened python suitable for high-risk and high-security environments.

For more information, please contact the project leader, Enrico
Branca - enrico.branca at owasp.org .

3 New Project Releases!

OWASP Broken Web Applications Version 1.1.1 Released -
http://cts.vresp.com/c/?TheOWASPFoundation/98efb52f04/4f163f6020/f23d04aa40

From Chuck Willis, project leader:  I'm proud to announce the release
of version 1.1.1 of the OWASP BWA VM -
http://cts.vresp.com/c/?TheOWASPFoundation/98efb52f04/4f163f6020/aa1f2569b1/id=83 .
This release is relatively minor, but there were a couple of items
that I wanted to address:

Fixed issue with Tomcat not starting in some circumstances -
http://cts.vresp.com/c/?TheOWASPFoundation/98efb52f04/4f163f6020/44cad38f56/id=83 .
Thanks to the individuals who reported this issue (that I did not
experience) and confirmed the fix.
Updated Mutillidae and transitioned to use its new Git repository.
VM is now available for download in .ova format, which should make it
easier to use in virtualization packages other than VMware products.

OWASP Java HTML Sanitizer Project v209 Released -
http://cts.vresp.com/c/?TheOWASPFoundation/98efb52f04/4f163f6020/871d62a467

The OWASP Java HTML Sanitizer project is a fast and easy to configure
HTML Sanitizer written in Java.  This project is a secure coding
library that lets you include HTML authored by third-parties in your
web application while protecting against XSS.  The OWASP Java HTML
Sanitizer was authored by and is actively maintained by Mike Samuel
from the Google application security team.
Version 209 was recently released.  Change-log information can be
found here -
http://cts.vresp.com/c/?TheOWASPFoundation/98efb52f04/4f163f6020/c038f85100 .  If you have questions about this project, please join the project
mailing list -
http://cts.vresp.com/c/?TheOWASPFoundation/98efb52f04/4f163f6020/5e672a8849 .

OWASP Zed Attack Proxy 2.2.0 Released -
http://cts.vresp.com/c/?TheOWASPFoundation/98efb52f04/4f163f6020/025bc78217

ZAP 2.2.0 is now available HERE -
http://cts.vresp.com/c/?TheOWASPFoundation/98efb52f04/4f163f6020/a84eb30c1c .

This includes support for scripts embedded in ZAP components like the
active and passive scanners as well as support for Zest - a new
security focused scripting language from the Mozilla security team.
It also supports Mozilla Plug-n-Hack, localization in 20 languages,
various minor enhancements and lots of bug fixes.  For more details
see the release notes -
http://cts.vresp.com/c/?TheOWASPFoundation/98efb52f04/4f163f6020/f7eb623e1a .
Additionally, if you use ZAP, then please fill in the ZAP user
questionnaire linked off the ZAP homepage -
http://cts.vresp.com/c/?TheOWASPFoundation/98efb52f04/4f163f6020/0b0528bd02 .  This will help us prioritize features for future releases.  For
more information, please contact the project leader, Simon Bennetts -
psiinon at gmail.com .

Message from Project Leader, Shruti Kulkarni:  Seeking Contributors

Legacy applications are a reality.  I would like to present
vulnerabilities and threats of legacy web applications, and the
countermeasures for the same, in my project.  I have listed down a
few.  I would like contributions in these areas, and also pointers on
anything else associated with legacy web applications.  The project
is the OWASP Supporting Legacy Web Applications in the Current
Environment Project -
http://cts.vresp.com/c/?TheOWASPFoundation/98efb52f04/4f163f6020/ed0a49fa77 .
For more information, please contact the project leader, Shruti
Kulkarni - shruti.kulkarni at owasp.org .

New Support email is now available.  To reach a staff member, email: 
support at owasp.org

OWASP AppSec USA 2013 -
http://cts.vresp.com/c/?TheOWASPFoundation/98efb52f04/4f163f6020/0a91e735bc

The *draft* schedule is now published -
OWASP Project and Leader Summit -
Press Releases -

Local and Regional Events

OWASP China 2013 Forum -
http://cts.vresp.com/c/?TheOWASPFoundation/98efb52f04/4f163f6020/aac22d26e4  - July 12 - Dec 31, Beijing, Shanghai, and Guangzhou

LASCON 2013 -
http://cts.vresp.com/c/?TheOWASPFoundation/98efb52f04/4f163f6020/876a241711  - Oct 24-25, Austin, TX

Houston November Mini-Con -
http://cts.vresp.com/c/?TheOWASPFoundation/98efb52f04/4f163f6020/d8d9e1ba31  - Nov 15, Houston, TX

OWASP BeNeLux - Nov 28-Nov 29, Netherlands

BASC 2013 - Dec 14, Cambridge, MA

AppSec California 2014 -
http://cts.vresp.com/c/?TheOWASPFoundation/98efb52f04/4f163f6020/5f1582a96e  - Jan 27-Jan 28, Santa Monica, CA

Partner and Promotional Events

Hack in the Box -
http://cts.vresp.com/c/?TheOWASPFoundation/98efb52f04/4f163f6020/e9ce171a25  - October 14-17;  Discount code for OWASP Members:  OWASP2013
Nullcon -
http://cts.vresp.com/c/?TheOWASPFoundation/98efb52f04/4f163f6020/0ba0a0f09f  - India, Feb 12-15, 2014.  Call for papers is OPEN -

Thank you to our Newest Corporate Member

Bank of NY Mellon

Thank you to our Renewed Corporate Members


OWASP Webinar Series

Wednesday, October 9, 2013
Live - Global Board Candidate Question and Answers

Interactive question and answer format for the Global Foundation
Board Candidates.  Facilitated by Kelly Santalucia.

9pm EDT


Wednesday, October 23, 2013
Live - Jason Johnson, Project leader - OWASP Hive Project:  Welcome
to the Grid

Jason will walk us through the OWASP Hive Project - the HIVE project
started out as an idea for a learning platform created by using some
small, capable pc to do our bidding - now look at the progress!

10 am EDT


9 pm EDT


Wednesday November 6, 2013  Live - Kiran Karnan, Project Leader -

Kiran will demonstrate the Top Ten using BURP

10 am EDT


9 pm EDT


Wednesday December 4, 2013

Live - Abbas Naderi, Project leader - OWASP PHP Security Project

Abbas will demonstrate the existing and planned features of his

10 am EDT


9 pm EDT


The Global Webinar Series wants to feature your Project.  Please
contact Kate Hartmann - kate.hartmann at owasp.org  or Samantha Groves -
Samantha.groves at owasp.org  to schedule your project webinar.

Women in AppSec Selection Finalized

After careful consideration, the Women in AppSec selection team chose
two winners this year for the Woman in AppSec fund.  They will each
receive a free conference pass to AppSec USA 2013, a seat in the
training class of their choice along with travel and accommodations
to attend.  Please join in our congratulations to this year's
winners, Nancy Lornston and Carrie Schaper.


Be sure to review the available materials and become an informed

Upcoming Dates

October 9 - Q&A Webinar
October 14 - Voting Begins
October 25 - Voting Ends
October 29 - Election Result Announced

The Web Application Security Persons of the Year (WASPY) award
nominees are POSTED -

Show your support for the community by becoming a Sponsor of the

Corporate sponsors AND Chapter sponsors are encouraged to participate


In case you missed it ...

The Global CTF was an outstanding success.  Initially the honeynet
had capacity for 200 active players; however, the potential to scale
up was quickly recognized.  With the assistance of the Institute of
Technology Blanchardstown, who provided additional servers and
bandwidth, we were able to extend the CTF capacity by an additional
25%, with active players from all over the world and from a variety of
time zones.  Although everyone who took part, including the
organizers, learned lots and had fun, there can only be one winner.

Top 10 Places & Scores

aaaaaa [1665]
reaver2121991 [1640]
Orbiter [1539]
y0y0Hon3ySinghJ1 [1524]
ietians [1302]
cybercruiser [1290]
Mutantinmate [1284]
bannedXD [1278]
ntyeil [1277]
cia403 [1274]

Global Initiatives Metrics

504 unique volunteers

Volunteer Sign ups over Time

Leadership Status of New Volunteers

OWASP Ghana recognized in the fight against cyber crime!

Theo Sagoe and the OWASP Ghana team were recently recognized on
national television news.  The spot highlights the need in the
African Region for increased vigilance and attention to cyber
security.  Watch the YouTube segment -


The OWASP Foundation
1200-C Agora Drive
Bel Air, MD 21014
