Monday, January 16, 2017

January 2017 Corporate Members



We would like to thank the following companies for supporting the OWASP Foundation.  
The companies listed below have contributed this month by either renewing their existing 
Corporate Membership or joining OWASP as a new Corporate Member.  
Details about Corporate Membership can be found here.



Contributor Corporate Members


Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions—underpinned by the world’s largest delivery network—Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 394,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com.


Organizations worldwide use Black Duck’s industry-leading products to automate the process of securing and managing open source software, eliminating the pain related to security vulnerabilities, compliance and operational risk. Black Duck is headquartered in Burlington, MA, and has offices in San Jose, CA, London, Frankfurt, Hong Kong, Tokyo, Seoul and Beijing. For more information, visit www.blackducksoftware.com.


For more information about Cybozu, please visit https://www.cybozu.com/jp/



Want your name here? Find out how by visiting our Corporate Member information page, or contact Kelly Santalucia today!  Thank you to all of our Premier and Contributor Corporate Members for your support in 2016!


Monday, January 9, 2017

OWASP Project Graduation Update


Congratulations to Project Leaders below on moving your project forward to the next level!

New Flagship Project:
Lab to Flagship Status
Project Name: OWASP Security Shepherd
Project Leader:  Mark Denihan
Project Web Page:  https://www.owasp.org/index.php/OWASP_Security_Shepherd


New Lab Projects:

Project Name: OWASP Seraphimdroid
Project Leaders: Nikola Milosevic, Kartik Kholi


Incubator to Lab Status Project Review Report
Project Name: OWASP Security Logging Project

Project Leader:  Sytze van Koningsveld



Friday, January 6, 2017

OWASP Operations Update for January 2017

Welcome to the first operations update for 2017.  We started monthly blogs about what's happening at the OWASP Foundation back in December.

Here are our major efforts and the status of those in progress, starting with updates from last time:

The Website Reboot aka TWR - a major effort to update and modernize OWASP's web presence.  Since last month, we've

  • Made progress on Phase 1 - updating the wiki to 1.27.x
    • Got the wiki source and all extensions in Git repos
    • Started coding Ansible to automate our deploys and updates
    • Production roll-out - mid-January
  • Next up Phase 2 - Updating the look and feel of the OWASP Wiki
    • Blocked: waiting for the 2017 Budget to get approved by the OWASP Board
The OWASP Communications Plan - a staff-created plan to professionalize how OWASP interacts with its community and the world at large.  There's a ton of moving parts to this effort, but here's what we're focusing on currently:

  • Migration to Discourse
    • Evaluation of Discourse showed it would fit our needs
    • Worked with/reverse engineered the Discourse API to ensure we can automate:
      • Migration from Mailman
      • Future operational tasks
    • An empty production site is expected mid-January
  • Beta program for the Foundation's Global Meetup account is continuing.
Two new major, interlinked efforts

Two major efforts are starting this month - a significant upgrade to OWASP's Association Management System (AMS) and the proposed plan for updating our membership models.
  • Association Management System
    • Runs atop the OWASP Foundation's Salesforce account
    • Handles many operational aspects: membership, conference registrations, etc
    • New AMS allows us to re-think our past membership model
    • Beginning the first week of February, we'll start the migration to the new AMS
  • Updating Membership Models
    • New plans created by staff based on past community, board and staff discussions
    • Account for diverse membership 
    • Developed to optimize accessibility and growth
    • Request to the OWASP Community: Please provide feedback prior to the Jan 11th Board Meeting when staff is asking for approval of the new membership plans.  The links above allow for public comments.
Projects
  • New projects
    • 2 Documentation projects
    • 5 Tool projects
    • 2 New Code Projects
  • Project Reviews
    • Multiple projects under review - look for requests for feedback this month!
Updates on Events for 2017
  • AppSec EU 2017
    • CFP & CFT Final Review
  • AppSec USA 2017
    • CFP and CFT planned to open by the end of January - look for announcements soon!
  • AppSec California 2017 happens January 23 - 25 in lovely Santa Monica CA
Membership and Outreach
  • Member numbers for January
    • 2048 Individual members
    • 70 Corporate members
  • Membership drive planning begins - tentative June launch
Community
  • Claudia and Tiffany have started the planning for an updated OWASP Volunteer program
    • Planned enhancements include searchable descriptions of opportunities, details including expected time commitment and volunteer profiles
  • Women in AppSec (WIA) Committee has been formed - Congrats!
  • Chapter Leader Handbook updates continue - draft version tentatively available at Feb Board Meeting
  • Pending a board vote: Request for a committee to be invite only as an exception to the Committee 2.0 rules
As always, the OWASP staff are here to help make the OWASP community even stronger.  If you have any questions, concerns or needs, let us know by using the 'Contact Us' form here.

Your friendly neighborhood OWASP staff:
          Kate, Kelly, Alison, Laura, Claudia, Tiffany, Dawn and Matt


Thursday, January 5, 2017



Signal Sciences Supports the OWASP Foundation as a Premier Corporate Member


Bel Air, MD – January 5, 2017 – The Open Web Application Security Project (OWASP), a worldwide not-for-profit charitable organization focused on improving the security of software, is pleased to welcome Signal Sciences, a leading provider of security technologies for modern web applications as a Premier Corporate Member of OWASP.   


OWASP is an open community of over 46,000 participants dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.  OWASP does not endorse or recommend commercial products or services. Instead, we allow our community to remain vendor neutral with the collective wisdom of the best individual minds in application security worldwide.


“Signal Sciences’ Web Protection Platform provides protection for many of the Fortune 500 web properties throughout the world in addition to other top brands such as UnderArmour, Adobe, Dun & Bradstreet, and Etsy. It is with great enthusiasm that we choose to become a Premier Corporate Member with the OWASP Foundation. The OWASP community brings immense benefit to our customers as well as the web population at large. By being affiliated with OWASP, we continue to support and encourage a safer and more secure Internet.” -Tyler Shields, VP Marketing Signal Sciences


Signal Sciences has contributed to the OWASP Foundation since 2016.  Their continued support helps to fulfill the OWASP mission of making software security visible so individuals and organizations are able to make informed decisions. Just recently Signal Sciences supported the Global AppSec USA 2016 conference that took place in Washington, DC as a Gold sponsor.  AppSec USA 2016 conference talks are now available for free on the conference site.


“OWASP receives one-third of its funding from Corporate Members and we are thrilled to have Signal Sciences support as a Premier Corporate member,” stated Kelly Santalucia, Membership & Business Liaison of the OWASP Foundation. “In 2016 Signal Sciences sponsored our Global AppSec USA 2016 conference and our local LASCON event. Their participation demonstrates strong support for our global initiatives, and we are hopeful that others will follow their lead in giving back to the community.”


About OWASP
The Open Web Application Security Project (OWASP) is dedicated to making application security visible by empowering individuals and organizations to make informed decisions about true software security risks. As a 501(c)(3) not-for-profit worldwide charitable organization, OWASP does not endorse or recommend commercial products or services. Instead, we allow our community to remain vendor-neutral with the collective wisdom of the best individual minds in software security worldwide.  For more information, visit: www.owasp.org or follow us at @owasp on Twitter.


About Signal Sciences

Signal Sciences Web Protection Platform provides security visibility, protection, and scalability while breaking down the silos that divide security, operations, and development teams. We believe web application security should be a shared responsibility, so we’ve created a Web Protection Platform with collaboration firmly at its center. We allow teams to easily work together to secure the technology they build.



Signal Sciences is based in Venice, California. For more information please visit www.signalsciences.com or follow us at @signalsciences on Twitter.



Thursday, December 29, 2016

Combating the Vulnerability Chaos with OWASP DefectDojo

By: Greg Anderson

Four short years ago, I spent 35% of my time actually hacking on products and 65% of my time writing reports and recording metrics. Our team tried a multitude of tools to make our lives easier, but it seemed to only increase our turnover rates. The landscape of security has never been harder to manage with the numerous hoops engineers and penetration testers have to jump through to actually do their job. To alleviate our frustration and lack of options we created DefectDojo, a free and open-source vulnerability management tool.

Home Screen: Here is what you will see when you first log in to DefectDojo. It provides a quick overview of the state of your security program.

DefectDojo is a tool that not only stores findings, but also helps to streamline your entire application security program. It simplifies vulnerability management by offering templating, report generation, metrics, finding deduplication, and baseline self-service tools to allow security engineers and penetration testers to spend their time on their actual expertise, hacking. Comprehensive details on all of DefectDojo’s features can be found on our official docs.


[Image: templates.gif] Templating: DefectDojo's templating system saves time on reporting by allowing users to recycle previous entries on similar issues.

[Image: report_gen.gif] Report Generation: DefectDojo includes a multitude of options to generate custom reports, including filtering for a specific engagement or test type. For an example report see the link below.

[Image: scan.gif] Self-Service Tools: DefectDojo includes self-service tools that allow teams to schedule their own scans and store the results back into DefectDojo.

[Image: upload_scan.gif] Scanner Integration: DefectDojo allows you to import scan data from multiple commercial and open-source security tools.
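To show what scanner integration and finding deduplication mean in practice, here is an added, self-contained example. It is not DefectDojo's code and does not use its data model; the two scanner report formats, tool names, file paths and findings are constructed for the demo. Each tool gets its own parser that normalizes into one Finding shape, and the dedup key is a hash of the normalized title, CWE, file and line, so the same issue reported twice (or by two tools with different field names) collapses into one record that remembers every source and keeps the highest severity.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample reports from two hypothetical scanners ("scanner-a", "scanner-b").
# Note the different field names, CWE spellings, path prefixes and severity labels.
SCANNER_A_REPORT = json.dumps({
    "tool": "scanner-a",
    "results": [
        {"name": "SQL Injection", "cwe": 89, "path": "./app/db.py", "line": 42, "sev": "High"},
        {"name": "SQL Injection", "cwe": 89, "path": "./app/db.py", "line": 42, "sev": "High"},
        {"name": "Reflected XSS", "cwe": 79, "path": "./app/views.py", "line": 10, "sev": "Medium"},
    ],
})
SCANNER_B_REPORT = json.dumps({
    "tool": "scanner-b",
    "issues": [
        {"title": "sql injection", "cwe": "CWE-89", "file": "app/db.py", "line": "42", "severity": "critical"},
        {"title": "Hardcoded secret", "cwe": "CWE-798", "file": "app/settings.py", "line": "3", "severity": "low"},
    ],
})

SEVERITY_ORDER = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    title: str
    cwe: int
    file: str
    line: int
    severity: str
    sources: Tuple[str, ...]  # every tool that reported this finding

    @property
    def dedup_key(self) -> str:
        # Hash of the normalized identity fields; severity and sources are not part of identity.
        material = f"{self.title.lower()}|{self.cwe}|{self.file}|{self.line}"
        return hashlib.sha256(material.encode()).hexdigest()


def _norm_cwe(value) -> int:
    return int(str(value).upper().replace("CWE-", ""))


def _norm_path(path: str) -> str:
    return path[2:] if path.startswith("./") else path


def parse_scanner_a(raw: str) -> List[Finding]:
    data = json.loads(raw)
    return [Finding(r["name"], _norm_cwe(r["cwe"]), _norm_path(r["path"]), int(r["line"]),
                    r["sev"].lower(), (data["tool"],)) for r in data["results"]]


def parse_scanner_b(raw: str) -> List[Finding]:
    data = json.loads(raw)
    return [Finding(r["title"], _norm_cwe(r["cwe"]), _norm_path(r["file"]), int(r["line"]),
                    r["severity"].lower(), (data["tool"],)) for r in data["issues"]]


# Registry of parsers keyed by tool name; adding a scanner means adding one parser here.
PARSERS: Dict[str, Callable[[str], List[Finding]]] = {
    "scanner-a": parse_scanner_a,
    "scanner-b": parse_scanner_b,
}


def import_report(tool: str, raw: str) -> List[Finding]:
    if tool not in PARSERS:
        raise ValueError(f"no parser registered for {tool!r}")
    return PARSERS[tool](raw)


def deduplicate(findings: List[Finding]) -> List[Finding]:
    merged: Dict[str, Finding] = {}
    for f in findings:
        existing = merged.get(f.dedup_key)
        if existing is None:
            merged[f.dedup_key] = f
            continue
        # Same issue seen again: keep the worse severity and union the reporting tools.
        severity = max(existing.severity, f.severity, key=lambda s: SEVERITY_ORDER[s])
        merged[f.dedup_key] = Finding(existing.title, existing.cwe, existing.file, existing.line,
                                      severity, tuple(sorted(set(existing.sources + f.sources))))
    return list(merged.values())


def triage(reports: List[Tuple[str, str]]) -> Tuple[int, List[Finding]]:
    """Import every report, then dedupe. Returns (raw count, unique findings)."""
    raw: List[Finding] = []
    for tool, report in reports:
        raw.extend(import_report(tool, report))
    return len(raw), deduplicate(raw)


if __name__ == "__main__":
    total, unique = triage([("scanner-a", SCANNER_A_REPORT), ("scanner-b", SCANNER_B_REPORT)])
    print(f"{total} raw findings -> {len(unique)} unique")
    for f in unique:
        print(f"  [{f.severity}] CWE-{f.cwe} {f.title} {f.file}:{f.line} via {', '.join(f.sources)}")
```

The point of keying on normalized fields rather than raw tool output is that severity and tool naming vary by scanner; without normalization the same SQL injection would show up three times and an engineer would triage it three times.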
Every code change is checked for quality and security with continuous testing using Travis CI.  We do this to ensure that future updates do not break the current build.  We also run the same series of tests against any contributed code.  Speaking of contributions, we’re happy to take your pull requests, feature requests or donations to keep DefectDojo moving forward.  We’ve had several pull requests from new contributors, including a recent one that added file uploads to the REST API.  
[Image: dojo_ci.PNG] Continuous Integration: Every code change is run against a series of tests to ensure stable updates.


It is easy to make Dojo your own.  You can install DefectDojo using a single command on all Linux systems and OS X. There is also an option for Docker. The project is written with Python/Django. If you wanted to add or alter any features or displays to personalize your instance, only three files need to be changed (models.py, views.py, and templates).


DefectDojo is currently used by multiple large enterprises and has core contributors from five different organizations including Rackspace, Rapid7, Pearson, Cengage, and the OWASP Foundation.


DefectDojo works at scale. For example, Pearson uses DefectDojo to manage application security engagements for 2,000+ applications written by 5,000+ developers with operations on every continent.

If you’re curious about DefectDojo, there is a live demo.
You can log in as an administrator like so:
Admin
You can also log in as a product owner / non-staff user:
Product owner
Please direct all inquiries to greg.anderson@owasp.org

Thursday, December 22, 2016

OWASP Connector | December 21, 2016
Communications

2016 in Review; Looking Ahead

OWASP Operations Update

OWASP in the News!

Projects

Project Reviews

New Projects in 2016!

ESAPI's New Project Leader

Conference

AppSecEU 2017

Global AppSec Events

Local and Regional Events

Training Events

Partner and Promotional Events

Chapters

Chapter Handbook Review

OWASP is Testing Meetup Pro

Request for Blog Content

Membership

New and Renewing Corporate Members

Social Media

OWASP Foundation Social Media



Communications
OWASP Communications

2016 in Review; Looking Ahead

2016 has been a period of radical change for OWASP, some of it was sudden and devastating, other changes were the culmination of months of small improvements. OWASP Foundation invites you to aid us in harnessing the energy from these changes to foment a period of radical growth in 2017.
The year in Review:
  • This year we lost our Executive Director, Paul Richie. He brought order and professionalism to OWASP. He raised our own high expectations and delivered on the things he set out to do. He made all of us that worked closely with him better and more effective. He will be greatly missed.
  • AppSec Europe and AppSec USA were both successful, with AppSec USA in DC selling a record number of tickets.
  • Two successful Project Summits during AppSec EU and AppSec USA 2016 that allowed approximately thirty Project Leaders to jump in with 'hands-on' work on a variety of OWASP Projects.
  • Our experiments with hosting a Member’s Lounge at global AppSec events where you can charge your electronics, lounge in a quiet space with colleagues, and grab some swag and a snack have been wildly successful.
  • We are happy to have nearly doubled our Premier Corporate Membership.
  • We gained a significant number of chapters in Asia, Africa, and Latin America.
  • We hired our new Senior Technical Coordinator, Matt Tesauro and Community Manager, Tiffany Long to help drive our Projects and Community-based programs forward.
  • There are so many more achievements in 2016 and all can be found in back issues of our OWASP Connector newsletters.
Looking Forward:
  • The OWASP Staff has developed a new communication strategy, the majority of which will be implemented in 2017.
  • The OWASP Website Reboot began with the evaluation by Sooryen in 2016 and continues into 2017. You can see the plan here.
  • OWASP will implement our new association management system. This will integrate various back-end systems and lead to an improved user experience for the OWASP global community.
  • We look forward to developing our volunteer program in 2017.
  • OWASP is choosing a strategic objective for 2017, you can help by discussing the current suggestions or contributing your own.
On behalf of the entire Operations team, we look forward to making 2017 an exciting and productive year for OWASP.
Best,

Tiffany Long
OWASP Community Manager
Tiffany.Long@owasp.org



OWASP Operations Update

Starting in December 2016 and continuing throughout 2017, the staff are going to post monthly updates on the OWASP Blog so the community can keep up with what the OWASP Foundation is doing to make OWASP just that much better. We’re also open to starting brief weekly updates if the community wants to follow our direction more closely.
Read the December 2016 Operations Update here.



OWASP in the NEWS!

What The Galactic Empire Could Learn from OWASP – Stormpath, December 17, 2016
Protecting Yourself From Online Scammers – Fox2Now, November 30, 2016
Application Security Conference: AppSec USA – Resolute Technology Solutions, December 16, 2016
IT security skills dearth lifts SA's risk profile – IT Web Access Control, December 12, 2016

Projects
OWASP Projects

Project Reviews

The OWASP Project Inventory has 93 Projects (Code, Tools, or Documentation) produced by the efforts of volunteers. Projects are divided into three categories: Incubator, Lab and Flagship status. We currently have about 39 Projects in Flagship or Lab status and the balance are in Incubator status. The main purpose of project reviews is to provide an evaluation based on defined criteria, which provides an incentive and a measurement of a project's maturity as it grows from Incubator to Flagship.
Project reviews may be requested by the Project Leaders or flagged during each project's annual health check. The evaluation is based on defined criteria which attempt to gauge the project's quality, health (activeness), and stage within our incubator to lab to flagship continuum.
The review consists of an initial self-assessment done by the project leader, which is peer reviewed by volunteers from OWASP. Next, OWASP staff look over all the feedback on the project and ensure it meets the requirements for graduation. Once a project is ready for graduation, all the review feedback is presented to the community for any final comments or +1's. You can view the four most recent reviews and share your thoughts here.



New Projects in 2016!

Documentation:

Tools:

Code:




ESAPI's New Project Leader

OWASP Enterprise Security API Welcomes New Leader Matt Seil
By Kevin Wall
It is with mixed emotions that I am making this announcement, that Chris Schmidt is stepping down as long-time ESAPI co-leader and that Matt Seil will be taking over that position and attempting to fill Chris' shoes. On one hand, I'm saddened because Chris was such a great leader and contributor for ESAPI.
Chris took over as co-leader sometime in May 2011, at the same time that I did, when Jim Manico handed the reins over to us, but Chris' contributions to ESAPI go back way before my involvement and his contributions are much broader than mine. While I focused mostly on ESAPI's crypto and provided some occasional general ESAPI bug zapping, Chris had his hands in almost everything ESAPI (and I mean that in a good way). For instance, he single-handedly created the ESAPI for JavaScript and the ESAPI Spring Authenticator mini-projects. Chris also played the major role in the ESAPI 2.x's release management as well as creating the outline for the ESAPI 3.x interfaces. His wisdom, insight, and broad experience will be sorely missed by ESAPI. However, Chris should be admired in admitting that as of late, because of job and personal obligations, he has lacked the "time to really provide any value to the ESAPI team" and therefore is stepping down in the best interest of ESAPI. I personally have enjoyed working with Chris for these past 5.5 years and have learned a lot from him. I hope that he periodically finds time to continue to contribute to ESAPI in whatever way possible.
On the other hand, I am eagerly looking forward to working with Matt Seil as the new ESAPI co-lead. Matt was a major contributor to bug fixes for the ESAPI 2.1.0.1 release last February. He and I worked well together and I think he is highly respected in the OWASP community by those who know him.
Shortly after this New Year's, Matt and I hope to get together and discuss future plans for ESAPI, both short-term and long-term goals. Once we have the initial groundwork for that recorded in electrons somewhere, we will share them with the broader ESAPI community to get feedback and then revise them as needed. (In the meantime, if you have some suggestions that you would like us to potentially consider, please email them to Matt Seil and me.)
In the meantime, I hope that along with me, you will extend your thanks and appreciation to Chris for his labor of love on ESAPI and extend your welcome to Matt as the new ESAPI project co-lead.
Thank you and Happy Holidays!

Conference
OWASP Events

AppSecEU 2017

The call for presentations and training are now open for AppSecEU 2017, which will take place in Belfast from May 8th to 12th 2017. OWASP's Global AppSec events serve a diverse audience of security professionals at all stages of their careers. We seek interesting perspectives and training to drive visibility and evolution in the safety and security of the world's software. We have opportunities for multi-day trainings, talks, lightning trainings, lightning talks, arsenal and activities.
Our topics of interest for talks include, but are not limited to the following:
  • Novel web vulnerabilities and countermeasures
  • New technologies, paradigms, tools
  • OWASP tools or projects in practice
  • Secure development: frameworks, best practices, secure coding, methods, processes, SDLC
  • Browser security
  • Mobile security and security for the mobile web
  • Cloud security
  • REST/SOAP security
  • Security of frameworks
  • Large-scale security assessments of web applications and services
  • Privacy risks in the web and the cloud
  • Management topics in Application Security: Business Risks, Awareness Programs, Project Management, Managing SDLC

OWASP Trainings should be practical in nature--hands-on classes will receive stronger consideration. Topics of interest include but are not limited to:
  • Secure development: frameworks, best practices, secure coding, methods, processes, SDLC
  • Vulnerability analysis: code review, pentest, static analysis
  • Threat modelling
  • Mobile security
  • Cloud security
  • Browser security
  • HTML5 security
  • OWASP tools or projects in practice
  • New technologies, paradigms, tools
  • Privacy in web apps, Web services (REST, XML) and data storage
  • Operations and software security
  • Management topics in Application Security: Business Risks, Outsourcing/Offshoring, Awareness Programs, Project Management, Managing SDLC

While we understand that your submission might be a work in progress, we strongly encourage that all submissions be as thorough as possible to allow us to make the best decision. The program committee will review your submission based on a descriptive abstract of your intended presentation. Feel free to attach a preliminary version of your presentation if available, or any other supporting materials. Please review your proposal thoroughly as accepted abstracts and bios submitted will be published 1:1 on our site. If your presentation is accepted for inclusion in the conference program, you are free to submit a white paper describing your work, to be added to the website.
To ensure the best talks available are presented at AppSec Europe we are incorporating blind reading as part of our process. This means that names and job titles will be removed when the paper's abstract is being reviewed. Submissions for training will not be read blind. All speakers will be given access to speaker mentorship, we especially encourage first time speakers to take advantage of this service.
Marketing and sales pitches will not be accepted in the talks or trainings.
  • Submission deadline: January 9th, 2017
  • Notification of acceptance: February 6th, 2017
  • Conference days: May 11th – 12th 2017

  • Deadline for proposals: January 2, 2017
  • Notification to training providers: January 23, 2017
  • Training: May 8, 9, 10




Global AppSec Events

AppSec Europe 2017 May 8 - 12, 2017, Belfast, UK
AppSec USA 2017 September 19 - 22, 2017, Orlando, Florida, USA



Regional and Local Events

AppSec Cali 2017 January 23 - 25, 2017, Santa Monica, CA, USA
AppSec Africa 2017 February 1 - 2, 2017, Casablanca, Morocco
SnowFROC 2017 March 16, 2017, Denver, CO, USA
Latam Tour 2017 April 3 - 28, 2017, South America



Training Events

Boston Training January 25 - 27, 2017, Waltham, MA, USA



Partner and Promotional Events

IoT Tech Expo Global 2017 January 23-24, 2017   Olympia, London   OWASP members save 20% by using discount code: OWASP20
Cyber Resilience & InfoSec 2017  February 6-7, 2017   Abu Dhabi, U.A.E.
SC Congress London   February 23, 2017   London, UK
CyberCentral   April 4-6, 2017   Prague, Czech Republic
QuBit Conference 2017   April 4-6, 2017   Prague, Czech Republic   OWASP members save 10% by using discount code: QB17OWASP
Cyber Security North Africa Summit   April 26-27, 2017   Cairo, Egypt  
SC Congress New York   May 2, 2017   New York, NY
Techno Security & Digital Forensics Conference  June 4-7, 2017   Myrtle Beach, SC
SC Congress Toronto   June 13-14, 2017   Toronto, Canada

Ads are not endorsements and reflect the messages of the advertiser only. They represent co-marketing arrangements with other organizations in support of the OWASP Community.   CLICK HERE for more information on advertising.
Synopsys Security Compass

Chapters
OWASP Chapters

Chapter Handbook Review

The Chapter Handbook goes under periodic review. This is your opportunity to be heard at OWASP. Each chapter is listed in its own doc, please comment to tell us where you think the handbook needs clarification, further guidance, or updates. Please confine your activity to the comments and do not directly edit the pages. Comments will remain open for one month.



OWASP is Testing Meetup Pro

OWASP has been listening to you and we are proud to announce that we began testing the new MeetUp Pro service this month.
MeetUp Pro will provide an umbrella under which the chapter groups would be gathered. This means that all of our chapters would be uniformly branded and advertised on our master homepage. From the chapters’ point of view, the meetup would function the same as before with the only changes being that the leaders are listed as “local leaders” and only the official OWASP account would have the ability to start and eliminate chapters.
There are a lot of benefits for chapters of going pro: not only will your meetups be more searchable, but the cost of the service, currently borne by your chapter budgets, will be absorbed by the foundation budget. A significant "silent" benefit is that the API should allow us to mirror the information on the MeetUp page on the Chapter wikis, thereby eliminating a large amount of work that we currently ask our leaders to do, but do not enforce.
After MeetUp Pro is out of Beta, all chapters will once again be required to keep their wiki pages up to date. Our goal is to remove the onerous time sink of doing this.
If you would like to see what the new Pro pages look like check out this page, where the first 7 chapters have joined.



Request for Blog Content

OWASP would like to start spotlighting chapter activity on our blog. If your chapter hosted and recorded an amazing talk that just NEEDS to be shared, or perhaps you ran a great event and would like to help other chapters follow suit, think about writing a blog post to be shared on the OWASP Blog. Contact our community manager, Tiffany Long, for more details.

Membership
OWASP Membership
We would like to thank the following companies for supporting the OWASP Foundation. The companies listed below have contributed this month by either renewing their existing Corporate Membership or joining OWASP as a new Corporate Member. Details about Corporate Membership can be found here.


Premier Corporate Member
Signal Sciences is the industry’s first Web Protection Platform using both Next Generation WAF as well as RASP technologies. Signal Sciences WPP was built in response to our own frustrations of trying to use legacy WAFs while enabling business initiatives like DevOps, cloud adoption and CI/CD. The Signal Sciences NGWAF works seamlessly across cloud, physical, and containerized infrastructure, providing security without breaking production traffic. To learn more, please visit http://www.signalsciences.com


Contributor Corporate Member
Parasoft helps organizations perfect today’s highly connected applications by automating time-consuming testing and analysis tasks while providing management the analytics necessary to focus on what matters – eliminating the deployment of security vulnerabilities that could lead to system failure, data loss, and loss of life. Parasoft’s software security solution analyzes code, generates and executes tests, and processes the data collected throughout the SDLC to ensure compliance with security policy across all layers of the software stack. In addition, Parasoft can analyze and automatically prioritize defects that lead to security vulnerabilities and kick-off security verification and remediation tasks across the team. Learn more at www.parasoft.com/appsec


Want your name here? Find out how by visiting our Corporate Member information page, or contact Kelly Santalucia today! Thank you to all of our Premier and Contributor Corporate Members for your support in 2016!

Social Media
OWASP Social Media

OWASP Social Media Sites