[Owasp-summit-2013] OWASP July 8, 2014 Connector

The OWASP Foundation The_OWASP_Foundation at mail.vresp.com
Tue Jul 8 23:47:09 UTC 2014

July 9, 2014 | www.owasp.org | Contact Us | Brought to you by the OWASP Foundation

Featured OWASP Project

OWASP Java Encoder Project

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in
high-performance encoder class with no dependencies and little
baggage. This project will help Java web developers defend against
Cross Site Scripting! The OWASP Java Encoder library is intended for
quick contextual encoding with very little overhead, either in
performance or usage. To get started, simply add the
encoder-1.1.1.jar, import org.owasp.encoder.Encode and start

For more information, please contact the Project Leaders, Jeff
Ichnowski - jeff.ichnowski at gmail.com and Jim Manico -
jim.manico at owasp.org
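As an added example (not code from the newsletter or from the Java Encoder project itself), the snippet below renders one untrusted value into four output contexts using the Encode method that matches each context; it assumes encoder-1.1.1.jar is on the classpath and uses a constructed sample input.

```java
// Added example, not code from the newsletter or the Java Encoder project.
// Assumes encoder-1.1.1.jar is on the classpath. The input string is a
// constructed sample of attacker-controlled data.
import org.owasp.encoder.Encode;

public class ContextualEncodingDemo {

    // Constructed untrusted value, e.g. a display name taken from a form.
    static final String UNTRUSTED =
        "<img src=x onerror=alert(1)>\" onmouseover=\"alert(2)";

    // HTML body context: <p>Hello, NAME</p>
    static String inHtmlBody(String value) {
        return "<p>Hello, " + Encode.forHtml(value) + "</p>";
    }

    // Quoted HTML attribute context: <input value="NAME">
    static String inHtmlAttribute(String value) {
        return "<input value=\"" + Encode.forHtmlAttribute(value) + "\">";
    }

    // Quoted JavaScript string literal inside an inline script block.
    // JavaScript has its own escaping rules, so HTML encoding is the wrong
    // tool here; forJavaScript escapes for the string-literal context.
    static String inJavaScriptString(String value) {
        return "<script>var user = '" + Encode.forJavaScript(value) + "';</script>";
    }

    // URL query parameter context: /search?q=NAME
    static String inUrlParameter(String value) {
        return "/search?q=" + Encode.forUriComponent(value);
    }

    public static void main(String[] args) {
        // Each line is safe for the context it is built for, and only that one.
        System.out.println(inHtmlBody(UNTRUSTED));
        System.out.println(inHtmlAttribute(UNTRUSTED));
        System.out.println(inJavaScriptString(UNTRUSTED));
        System.out.println(inUrlParameter(UNTRUSTED));
    }
}
```

The point of the four separate methods is that the same input needs a different encoder per context; reusing the HTML encoder inside the script or URL contexts does not apply those contexts' escaping rules.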

New OWASP Projects

OWASP Faux Bank

Faux Bank has all 10 of the top vulnerabilities implemented, as well
as fixes for these vulnerabilities. The idea is that developers can
see a real-world system with vulnerabilities, so that they can see
what to look for and how to write secure code. The OWASP Faux Bank
wiki page can be found here:
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/cf661e5268

For more information, please contact the Project Leader, Davie
Elliott - davie.elliott at owasp.org

OWASP Store Sheep Project

OWASP Store Sheep is a work-in-progress application to demonstrate
security concepts relating to Windows Store Apps. Store Sheep is a
training app for developers wishing to learn to securely code a
Windows Store ('Metro Style') app, and for testers wanting to learn to
test one. It contains a number of security vulnerabilities with
explanations and fixes for them. The project page for the OWASP Store
Sheep project can be found here:
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/b39bbe0557

For more information, please contact the Project Leader, Marion
McCune - marion.mccune at owasp.org

OWASP SonarQube Project

The OWASP SonarQube Project aims to deliver a set of "standard"
security profiles, such as an OWASP Top 10 profile, ASVS profiles, a
PCI-DSS profile and an ISO 27034 ASC profile, which can be used by
teams with the support of the OWASP Community. More than 20
programming languages are covered through plugins, including Java,
C#, C/C++, PL/SQL, Cobol and ABAP. The OWASP SonarQube Project is
looking to expand the offered languages, and is looking for language
experts in .NET, PHP and any other language. The project page for the
OWASP SonarQube Project can be found here:
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/fa22306cb5

For more information, please contact the Project Leaders, Sebastien
Gioria - sebastien.gioria and Freddy Mallet -
freddy.mallet at sonarsource.com

OWASP URL Checker

OWASP URL Checker is an open source scriptable tool to scan websites
for URLs which may lead to information disclosure, exploits and
common attack patterns. This tool will check a user-defined website
for potentially exploitable or vulnerable URLs by comparing them
against the URL extensions in its database. The project page for the
OWASP URL Checker can be found here:
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/8ca8dacaf0

For more information, please contact the Project Leader, Craig Fox
- craig.fox at owasp.org

Project Announcements

OWASP Security Shepherd New Version

The new version of the OWASP Security Shepherd Project was released
earlier this month. The project now has 50 lessons and challenges
based on risks from both the Top Ten Mobile and Web App Security Risk
lists. OWASP Security Shepherd is perfect for those who are looking
to learn about appsec for the first time or are well seasoned in the
arts of pen-testing and are looking for a challenge.

More information can be found on the wiki page:
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/2f66a734bd

Or you can contact the project leader, Mark Denihan -
markdenihan at owasp.org

Research Assistant Needed for the Developer guide

The Developer Guide Project is looking for an honors student or
masters student to replicate the 1979 paper by Morris and Thompson.
It has been many years since we've had statistically sound research
into the basic properties of the password. Morris and Thompson
introduced countermeasures that we still use today (30 day password
rotation, min six character passwords) that made sense for a PDP
11/870 back in 1979.

The project leaders would also like a cryptography research student
or masters student to help look into session tokens, particularly
RESTful API tokens. The basic topic would be a short paper on the
necessary properties to protect against session prediction, session
recovery and side channel attacks against sessions, and an
investigation of a few sample session issuers, such as RESTful APIs
in common use.

If you are interested in helping the Developer Guide, please contact
Andrew van der Stock - vanderaj at owasp.org .

New Set of Architectural Security Principles

The Reverse Engineering and Code Modification Prevention project has
released a set of architectural security principles that enforce
integrity preservation in mobile apps.  This is an updated list of
principles / controls that security architects will find useful when
enforcing code integrity within their mobile apps.

For the complete list of the integrity controls and underlying
security principles, check out the Architectural Principles
sub-project.

New Dependency Check Version 1.2.3 Out Now

On June 28th, the OWASP Dependency Check project released version
1.2.3. Dependency Check can be used to analyze an application's
dependent libraries (Java and .NET) to identify and report on any
known, published vulnerabilities related to the libraries being used.
The tool will be demoed during the Black Hat Arsenal in Las Vegas on
Wednesday, August 6th.

You can find the newest release of the OWASP Dependency Check on the
project page.


WASPY Award Nominations are Complete

Every year a group of individuals including researchers, developers,
security professionals, and others work to ensure the security of web
applications.  Some of these individuals are featured in news stories
or at conferences as recognized experts. But there are many other
‘unsung heroes’ that work every day to improve web application
security and yet are rarely recognized.

The Web Application Security People of the Year (WASPY) Awards is the
OWASP Community's opportunity to recognize those individuals who have
made an impact by leveraging the OWASP platform.


Best Chapter Leader
Sebastien Deleersnyder - Belgium
Jonathan Marcil - Montreal
Riotaro Okada - Japan
Ron Perris - Orange County
Sen Ueno - Japan

Best Project Leader
Tokuji Akamine - OWASP XSecurity Project
Spyros Gasteratos - OWASP Hacademic Challenges Project
Achim Hoffman - OWASP O-Saft
Jeremy Long - OWASP Dependency Check
John Melton - OWASP AppSensor
Matteo Meucci - OWASP Testing Project

Best Mission Outreach
AppSec USA 2013 Team - AppSec USA 2013
Jonathan Marcil - OWASP Videos
Mostafa Siraj - Cairo Chapter

Best New Community Supporter
AppSec APAC 2014 Team - AppSec Asia Pac 2014
Robert Dracea - AppSec Asia Pac 2014 - Japan
Beth Guth - South New Jersey
Takanori Nakanowatari - AppSec Asia Pac 2014 - Japan

Congratulations to all the nominees! You can read the full write-up
on each person's accomplishments on the 2014 WASPY Awards Wiki Page.

Honorary Membership applications are now being accepted.

Click here to find out if you qualify for Honorary Membership:
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/220d54e8a9

The deadline to submit your application is September 30, 2014. Apply here:
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/1486722298

Global AppSec Events in 2014

AppSec USA 2014 (September 16 - 19, Denver, CO)

Keynotes announced! Steve Crusenberry, Gary McGraw, and Bruce
Schneier.

Sponsorship opportunities are still available -
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/bd6dccc60f

Training sessions now posted -
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/b6e341e4d9

Member Event Registration -
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/36ef044bbe

Public Registration -
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/ade515af23/id=a2oU0000000LJBkIAO

Upcoming Regional Events

MSP Day of Talks (July 21, 2014, Minneapolis, MN)

BASC (October 18, Boston, MA)

LASCON 2014 (October 21 - 24, Austin, TX)

Partner and Promotional Events

OWASP has partnered with these great events in the beginning of 2014
to grow our community and build awareness around software security.
If you want to learn more about OWASP's involvement, or will be
attending and want to help out, contact us.

Secure Asia 2014 -
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/235379c8b1
(July 23-24), Beijing, China.

BlackHat -
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/8e96af6a6d
(August 2-7), Las Vegas, NV. OWASP Members receive $200 off BH
briefings with code: owaBR200off.

BSides LV -
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/bb450ddf50
(August 5-6), Las Vegas, NV.

EC-Council TakeDown Con -
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/24db425031
(August 14-19), Huntsville, AL.

Fraud Summit Toronto -
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/7a1d98633b
(Sept 8, 2014), Toronto, Canada.

(ISC)2 Security Congress -
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/d845f6a964
(Sept 22 - Oct 2), Atlanta, GA. Today's employers are seeking software
developers that have the knowledge and expertise to build secure,
hacker-resistant software. Do you have what it takes? Prove it with a
Certified Secure Software Lifecycle Professional (CSSLP®)
certification from (ISC)2. Validate your competence in secure
software development in new and evolving environments, including the
cloud, mobile and more. Watch the CSSLP webcast series to get started -
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/e457476ed6/utm_campaign=csslp&utm_source=owaspbiweeklyconnector&utm_medium=banner&utm_content=webcasts

EC-Council Hacker Halted -
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/7f2e285766
(October 12-17, 2014), Atlanta, GA.

ISSA International Conference -
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/0f9953cedf/issaconf_home
(October 22-23, 2014), Orlando, FL.

3rd Annual CISO Asia Summit and Roundtable -
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/bc278257d4
(November 5-9, 2014), Singapore.

Suits & Spooks -
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/a41ea33989
(December 14), Singapore.

International Conference on Cyber Security -
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/35b32f0250
(January 5-8, 2014), New York, NY.

Just for Fun

We would like to congratulate Javier Coirolo for submitting the first
correct response to last issue’s puzzle. Thank you everyone who
submitted responses.

Click here to view last issue's puzzle.

Here is this issue's challenge...

A chicken farmer has figured out that a hen and a half can lay an egg
and a half in a day and a half. How many hens does the farmer need to
produce one dozen eggs in six days?

Send your answers to our comment desk - support at owasp.org  for a
chance to win a prize.  Winners will be announced in the next

Governance

Request for Comment: Committees 2.0 Structure

The model outlined below represents a potential implementation of the
idea currently being described as OWASP Committees 2.0.  We aim to
leverage the lessons learned from our previous committee model to
create a new model that grows our leadership circles and empowers our
leaders for more rapid action, while still ensuring that their
activities stay true to OWASP’s core values.  It is still a
work-in-progress, but represents the contributions from the OWASP
Board, the OWASP Executive Director, OWASP Staff, Dinis Cruz, Johanna
Curiel, and various others.

Click here to review the document.

This is your opportunity to have a voice in the future of OWASP
governance.  We look forward to hearing your thoughts on this

2014 Global Board of Directors Election

Please visit our 2014 Board Elections page for frequent updates:
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/217f8dbc9d

Our Call for Candidates is only open until August 15! Please submit
your candidacy here:
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/1cae128b99

Once confirmed, the candidates will conduct individual interviews
answering questions from the community. Anyone can submit a question
(or questions) and vote up or vote down existing questions. The top 5
to 6 questions will then be used for each candidate's interview. If
you have a question you would like to submit, please do so here:
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/cac28f17ee

For a complete Election Timeline, click here:
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/e47c2b18fa

Global Board of Directors Meeting Times

Interested in what is going on with the Board of Directors? Board
meetings are open to the public, and upcoming meetings as well as
agendas are posted to the Board wiki page.

Upcoming 2014 Meetings

July 9, 2014, 9am-10am PST
August 13, 2014, 9am-10am PST
September 10, 2014, 9am-10am PST
September 16, 2014, 6pm - 9pm MST (in person at AppSec USA

Reminder:  Discussing Governance at OWASP

We have an open mailing list for discussing the overall topic of
governance at OWASP. Click here to browse the list archives:
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/c84e29e461


OWASP Winter Code Sprint

We are thrilled to announce the launch of OWASP Winter Code Sprint
(OWCS) for this upcoming Autumn/Winter (Sept 14-March 15).

What is OWCS?

The OWCS is a program to involve students with security projects. By
participating in OWCS a student can get real life experience while
contributing to an open source project and getting university

How it works

Any OWASP project that will give you university credits can
participate in OWCS. Each project will be guided by an OWASP expert
along with a professor. Students are graded by their university,
based on success criteria identified at the beginning of the project.

Projects are focused on developing security tools. It is required
that the code any student produces for those projects will be
released as Open Source. Universities are free to specify their own
requirements to projects, such as written reports. OWASP does not
influence the way grades are allocated. The OWASP advisers will
provide any information professors need in order to grade their

How to participate?

As a Student:

1. Review the list of OWASP Projects currently participating in OWCS
2. Get in touch with the OWASP Project mentor of your choice
3. Agree on deliverables with the OWASP mentor and university professor
4. Work away during Autumn/Winter 2014
5. Rise to Open Source Development Glory!

As a Professor:

1. Review the list of OWASP Projects currently participating in OWCS
2. Get in touch with the OWASP Project mentor of your choice
3. Promote the participating OWASP Projects among students
4. Review student progress with help from OWASP mentors
5. Grade student work according to the university scoring system
6. Provide student grade results to OWASP

CLICK HERE for more information:
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/606b09015f

OWASP Meet and Greet at BlackHat USA

What does this mean? Chapter and Project leaders that are already
planning on attending BlackHat USA 2014 can sign up for a 2 hour slot
(or more) to promote their chapter and/or project at the OWASP booth.
This will allow conference goers that may only know you via email to
put a face to a name. It will also give you visibility to thousands
of individuals to promote your chapter and/or project.

We have a limited amount of "Expo Only" passes available if you were
not planning on attending BlackHat but will be in Las Vegas on
Wednesday, August 6 and/or Thursday, August 7 and want to promote
your chapter/project at the OWASP booth.

Leaders will be showcased for the time(s) you select and the leader
with the most visitors over the two days will win a prize!

To help us promote your chapter and/or project, please fill in the
time(s) that best accommodate your schedule to be showcased at the
OWASP BlackHat booth here:
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/574a859ff8

BSides 2014 Las Vegas Tuesday, August 5 - Wednesday, August 6

Anyone that will be in Las Vegas and would like to help promote OWASP
at our BSides booth is welcome! Please select the time(s) that best
fit your schedule to volunteer at the OWASP booth here:
http://cts.vresp.com/c/?TheOWASPFoundation/7d3680ebcc/4f163f6020/429dc3b178

The volunteer with the most visitors over the course of the two days
will win a prize!

The OWASP Foundation
1200-C Agora Drive
Bel Air, Maryland 21014
