OWASP - User contributions [en]

OWASP Newsletter 4

2007-01-29T17:29:42Z

Aholmes: /* 5.5 OWASP Community */

Using the same format as used in OWASP Newsletter's [[OWASP Newsletter 1|1]], [[OWASP Newsletter 2|2]] and [[OWASP Newsletter 3|3]] this is the page that will be used for the next Newsletter

== 1 OWASP Newsletter #4 ==
== OWASP projects that need your help ==

* This is not from an OWASP project, but a request I received from an MBA Student who is doing a survey on Open Source (http://www.surveymonkey.com/s.asp?u=387523013251])

== 4 Featured Project: WebScrab ==
== 3 Featured Project: {TBD} ==
== 5 Latest additions to the WIKI ==
==== 5.1 New Pages ====
* [[Guide to SQL Injection]] - Article examining the possibility of tampered SQL query data exploiting your database and/or application.
* [[Member Offers]] - New offers available for all individual OWASP Members and employees of OWASP Corporate Members.
* [[Announce:Web Honeynet]] - Web Honeynet project announcement by SecuriTeam and the ISOTF.
==== 5.2 Updated pages ====
* [[:Category:OWASP_Stinger_Project|OWASP Stinger Project‎]] - Updated with new release information (2.4 RC1)
* [[.Net Research Links]] - Several new CLR links
* [[Fuzzing]]

==== 5.3 Latest Blog entries ====
==== 5.4 Interesting Discussion Threads ====
==== 5.5 OWASP Community ====
*Feb 26-Mar 1 - [http://www.blackhat.com Black Hat DC]
: OWASP members receive a $100 Briefings discount by inserting BH7DCASSOC in the box marked “Coupon Codes”
*Feb 20 (18:00h) - [[Rochester|Rochester chapter meeting]]
*Feb 15 (18:00h) - [[Seattle|Seattle chapter meeting]]
*Feb 15 (18:00h) - [[Washington DC|Washington DC (MD) chapter meeting]]
*Feb 15 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]
*Feb 15 (18:00h) - [[Seattle|Seattle chapter meeting]]
*Feb 14 (18:00h) - [[Toronto|Toronto chapter meeting]]
*Feb 13 (18:00h) - [[Ireland|Ireland chapter meeting]]
*Feb 12 (18:30h) - [[Switzerland|Switzerland chapter meeting]]
*Feb 7 (18:30h) - [[Boston|Boston chapter meeting]]
*Feb 6-7 - [[Italy#February_6th-8th.2C_2007_-_InfoSecurity|Italy@InfoSecurity]]
*Feb 6 (18:00h) - [[Melbourne|Melbourne chapter meeting]]
*Feb 2 (14:00h) - [[Chennai|Chennai chapter meeting]]
*Jan 31 (15:00h) - [[Mumbai|Mumbai chapter meeting]]
*Jan 30 (11:30h) - [[Austin|Austin chapter meeting]]

==== 5.6 Application Security News ====

== 6 OWASP references in the Media ==

OWASP Newsletter 4

2007-01-29T17:20:46Z

Aholmes: Oops, removed news that was already discussed last week

OWASP Newsletter 4

2007-01-29T17:19:21Z

Aholmes: /* 5.2 Updated pages */

OWASP Newsletter 4

2007-01-29T17:13:26Z

Aholmes: /* 5 Latest additions to the WIKI */

OWASP Newsletter 4

2007-01-29T16:55:58Z

Aholmes: /* 5 Latest additions to the WIKI */

Announce:Web Honeynet

2007-01-23T17:23:19Z

Aholmes:

== Web Honeynet Project Announcement ==
'''Posted January 23rd, 2007'''

The newly formed Web Honeynet Project from SecuriTeam and the ISOTF will
in the next few months announce research on real-world web server attacks
which infect web servers with: Tools, connect-back shells, bots, downloaders, malware, etc. which are all
cross-platform (for web servers) and currently exploited in the wild.

The Web Honeynet Project will, for now, not deal with the regular SQL
injection and XSS attacks every web security expert loves so much, but
just with malware and code execution attacks on web servers and hosting
farms.

These attacks form botnets constructed from web servers (mainly IIS and
Apache on Linux and Windows servers) and transform hosting farms/colos to
attack platforms.

Most of these "tools" are being injected by (mainly) file inclusion
attacks against (mainly) PHP web applications, as is well known and
established.

PHP (or scripting) shells, etc. have been known for a while, as well as
file inclusion (or RFI) attacks, however, mostly as something secondary
and not much (if any - save for some blogs and a few mailing list posts a
year ago) attention was given to the subject other than to the
vulnerabilities themselves.

The bad guys currently exploit, create botnets and deface in a massive
fashion and force ISPs and colos to combat an impossible situation where
any (mainly) PHP application from any user can exploit entire server
farms, and where the web vulnerability serves as a remote exploit to be
followed by a local code execution one, or as a direct one.

What is new here is the scale, and the fact we now start engaging the bad
guys on this front (which so far, they have been unchallenged on) -
meaning aside for research, the Web Honeynet Project will also release
actionable data on offensive IP addresses, URLs and on the tools
themselves to be made available to operational folks, so that they can
mitigate the threat.

It's long overdue that we start the escalation war with web server
attackers, much like we did with spam and botnets, etc. years ago. Several
folks (and quite loudly - me) have been warning about this for a while,
not it's time to take action instead of talk. :)

Note: Below you can find sample statistics on some of the Web Honeynet
Project information for this last Wednesday, on file inclusion attacks
seeding malware.
You will likely notice most of these have been taken care of by now.

The first research on the subject (after looking into several hundred such
tools) will be made public in the February edition of the Virus Bulletin
magazine, from:
Kfir Damari, Noam Rathaus and Gadi Evron (yours truly).

The SecuriTeam and ISOTF Web Honeynet Project would like to thank
Beyond Security ( http://www.beyondsecurity.com ) for all the support.

Special thanks (so far) to: Ryan Carter, Randy Vaughn and the rest of the
new members of the project.

For more information on the Web Honeynet Project feel free to contact me.

Also, thanks for yet others who helped me form this research and
operations hybrid project (you know who you are).

-- Gadi.

Announce:Web Honeynet

2007-01-23T17:22:02Z

Aholmes:

== Web Honeynet Project Announcement ==

The newly formed Web Honeynet Project from SecuriTeam and the ISOTF will
in the next few months announce research on real-world web server attacks
which infect web servers with: Tools, connect-back shells, bots, downloaders, malware, etc. which are all
cross-platform (for web servers) and currently exploited in the wild.

The Web Honeynet Project will, for now, not deal with the regular SQL
injection and XSS attacks every web security expert loves so much, but
just with malware and code execution attacks on web servers and hosting
farms.

These attacks form botnets constructed from web servers (mainly IIS and
Apache on Linux and Windows servers) and transform hosting farms/colos to
attack platforms.

Most of these "tools" are being injected by (mainly) file inclusion
attacks against (mainly) PHP web applications, as is well known and
established.

PHP (or scripting) shells, etc. have been known for a while, as well as
file inclusion (or RFI) attacks, however, mostly as something secondary
and not much (if any - save for some blogs and a few mailing list posts a
year ago) attention was given to the subject other than to the
vulnerabilities themselves.

The bad guys currently exploit, create botnets and deface in a massive
fashion and force ISPs and colos to combat an impossible situation where
any (mainly) PHP application from any user can exploit entire server
farms, and where the web vulnerability serves as a remote exploit to be
followed by a local code execution one, or as a direct one.

What is new here is the scale, and the fact we now start engaging the bad
guys on this front (which so far, they have been unchallenged on) -
meaning aside for research, the Web Honeynet Project will also release
actionable data on offensive IP addresses, URLs and on the tools
themselves to be made available to operational folks, so that they can
mitigate the threat.

It's long overdue that we start the escalation war with web server
attackers, much like we did with spam and botnets, etc. years ago. Several
folks (and quite loudly - me) have been warning about this for a while,
not it's time to take action instead of talk. :)

Note: Below you can find sample statistics on some of the Web Honeynet
Project information for this last Wednesday, on file inclusion attacks
seeding malware.
You will likely notice most of these have been taken care of by now.

The first research on the subject (after looking into several hundred such
tools) will be made public in the February edition of the Virus Bulletin
magazine, from:
Kfir Damari, Noam Rathaus and Gadi Evron (yours truly).

The SecuriTeam and ISOTF Web Honeynet Project would like to thank
Beyond Security ( http://www.beyondsecurity.com ) for all the support.

Special thanks (so far) to: Ryan Carter, Randy Vaughn and the rest of the
new members of the project.

For more information on the Web Honeynet Project feel free to contact me.

Also, thanks for yet others who helped me form this research and
operations hybrid project (you know who you are).

-- Gadi.

OWASP Newsletter 1

2007-01-08T05:46:42Z

Aholmes: /* AoC update */

==== OWASP News – December 25th 2006 to December 31st 2006 ====

'''Happy Holidays from all of us at OWASP!'''

I would like to take a moment to welcome you all to our first edition of the OWASP weekly newsletter and introduce myself. My name is Aaron Holmes and I have had the pleasure of maintaining the OWASP Autumn of Code 2006 Web Developer Project. It has been a rewarding and educational experience for myself, and I feel OWASP has benefited greatly by the many excellent projects which have been developed and advanced through the AoC 2006 program. With all this activity and excitement, we have decided that we should produce and distribute a weekly newsletter to keep everyone up to date on the direction of OWASP and our many great projects. We invite your feedback and news submissions which can be submitted to me directly by emailing aholmes@owasp.org. Enjoy!

In next week’s newsletter we will take a deeper look within a few of the aforementioned projects and explain how they can benefit you.

Until next week, happy coding!

Aaron M. Holmes
OWASP Weekly Newsletter Editor and Website Developer

==== AoC update ====
''[dinis note: rewrite this with details of where we are today. Put special focus on the projects that are completed (also indicate the two projects that will have the extra month)]''

''[Aaron note: Re-wrote section with basic project information. Feel free to update - perhaps the 3 outstanding projects now have status updated :)]''

The end of 2006 marks an important time for OWASP with the successful completion of the Autumn of Code 2006. Four of the nine original projects have been completed and are now officially closed. The completed projects include CAL9000, OSG and ORG, the Testing Guide, and the Owasp.org website. Additionally, three other projects are up for completion and will be finalized in the very near future; including Pantera, Sherif, and OWASP Tiger (formally named Owasp.net Tools). The remaining two projects, WebScarab NX and LiveCD have been granted 1 month project extensions.

All projects have seen great developments which have been made possible by the hard work and efforts of our AoC participants, project leaders, and community members.

==== Featured Project - Aaron (use ORG and OSG instead) ====

OWASP Report Generator(ORG) and OWASP Site Generator(OSG) are projects that have recently been updated through the Autumn of Code.

ORG was produced originally by Dinis Cruz to fulfill the need of security reporting in his assessments for many different audiences. With ORG you can setup and track assessments including record findings, track the findings till they are fixed and run reports for different audiences that an assessment was done for.

OSG is a teaching tool that can be used to create basic sites that show off vulnerabilities. This allows for people teaching security to give specific examples of problems and for developers to look at real vulnerable code.
{put description here}

==== Lastest additions to the WIKI ====

* '''New pages (or major updates)'''
** [[PDF Attack Filter for Java EE]] - This is a filter to block XSS attacks on PDF files served by Java EE applications.
** [[CSRF Guard]]
** [[Books that reference OWASP]]

* '''Presentations on Chapters:'''
** Dec 06, [[Chicago]], [http://wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf Webapps In Name Only] by Thomas Ptacek, Matasano Security, [http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt Token-less strong authentication for web applications: A Security Review] by Cory Scott, ABN AMRO
** Dec 06, [[Helsinki]],[http://www.owasp.org/images/7/7c/Owasp-olli.pdf Analyzing Threats] by Olli Wiren
** Nov 06, [[Virginia (Northern Virginia)]], [http://www.owasp.org/index.php/Image:OWASP_Presentation_Nov._9_2006.ppt Web site attack treads] by Jim Young, Websense Inc. and [http://www.pascarello.com/presentation/owasp/HackingFun.zip Investigating Ajax and JavaScript Security] by Eric Pascarello
** Nov 06, [[Phoenix]], [http://www.stachliu.com/presentations/webapp0day/index.html Discovering Web Application Vulnerabilities with Google CodeSearch] by Jon Rose
** Oct 06, [[Rochester]], [http://rd1.net/owasp/2006-10-16_owasp-presentation.ppt The first of the OWASP top ten: unvalidated input], by Steve Buck

* '''Page edits'''
** [[:Category:OWASP Stinger Project|OWASP Stinger Project]] and [[OWASP Validation Project]]
** [[Cross-Site Request Forgery]]
** [[Business Justification for Application Security Assessment]]
** [[OWASP Code Review Guide Table of Contents]]
** [[A Tale of Two Systems]]
** [[Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]
** [[How to write a new WebGoat lesson]]
** [[How to test session identifier strength with WebScarab]]
** [[Source Code Analysis Tools]]

* '''OWASP Testing Project''': Here are just a couple links from the 2nd version of the [[OWASP Testing Project]] whose ToC is here: [[OWASP Testing Guide v2 Table of Contents]
** [[Testing: Spidering and googling]]
** [[Testing for Application Discovery]]
** [[Testing for Bypassing Authentication Schema]]
** [[Testing for Error Code]]
** [[Buffer Overruns and Overflows]]

==== OWASP Community ====
OWASP related events, such as chapter meetings, OWASP conferences, get-togethers, and OWASP sponsored events.
* '''Jan 17 (18:30h) - [[Denver|Denver chapter meeting]]'''

* '''Jan 15 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

* '''Jan 11 (18:00h) - [[Netherlands|Netherlands chapter meeting]]'''

* '''Jan 11 (18:30h) - [[Phoenix|Phoenix chapter meeting]]'''

* '''Jan 10 (18:00h) - [[Toronto|Toronto chapter meeting]]'''

* '''Jan 9 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]'''

==== OWASP News Headlines (from owasp.org website) ====
* '''Jan 2 - [http://books.google.com/books?as_q=owasp&num=100&btnG=Google+Search&as_epq=&as_oq=&as_eq=&as_libcat=0&as_brr=0&as_vt=&as_auth=&as_pub=&as_drrb=c&as_miny=&as_maxy=&as_isbn= The Best Security Books Reference OWASP]''' - There are over 50 security books that reference OWASP. Many of the authors are contributing to OWASP, speaking at our conferences, and participating in our chapters. Some of the books just recommend OWASP, but many are structured around OWASP, and others have whole chapters dedicated to our tools.

* '''Nov 28 - [http://www.owasp.org/index.php/OWASP_JBroFuzz JBroFuzz 0.3 Released]''' - This version adds a more stable core, length updating for fuzzed POST requests and allows you to specify your own fuzz vectors in a separate file.

* '''Nov 26 - [http://www.owasp.org/index.php/OWASP_Report_Generator OWASP Report Generator 0.88 Released]''' - A tool for security consultants that supports the documentation and reporting of security vulnerabilities discovered during security.

* '''Nov 26 - [http://www.owasp.org/index.php/OWASP_Site_Generator OWASP Site Generator v.70 Released]''' - A tool that allows the creating of dynamic websites based on XML files and predefined vulnerabilities (some simple, some complex) for testing application security tools.

* '''Nov 14 - [http://www.owasp.org/index.php/Category:OWASP_Project Three great new OWASP projects]'''
** [http://www.owasp.org/index.php/Category:OWASP_Encoding_Project OWASP Encoding Project] A nice encoding library that supports Java, .NET, PHP, Python, Perl, JavaScript, and Ajax.
** [http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project OWASP WSFuzzer Project] A fuzzing tool for Web Services to support penetration testing efforts.
** [http://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project OWASP Insecure Web App Project] A realistic but insecure Java EE web application for use in learning and testing tools.

* '''Nov 12 - [http://www.owasp.org/google/results.html New OWASP App Security Search Engine]''' - We're beta-testing a new Google-powered search engine for application security. The engine indexes the OWASP site and all the other sites dedicated to application security on the Internet.

* '''Nov 7 - [http://www.owasp.org/index.php/Special:Statistics OWASP Hits Two-Million Page Views]''' - Thank you all for your support! We serve approximately 1/2 million page views every month.

==== Application Security News (from Owasp.org) ====

*''' Jan 3 - [http://www.gnucitizen.org/blog/danger-danger-danger/ XSS in ALL sites with PDF download]''' - Critical XSS flaw that is trivial to exploit here in all but the very latest browsers. Attackers simply have to add a script like #attack=javascript:alert(document.cookie); to ANY URL that ends in .pdf (or streams a PDF). Solution is to not use PDF's or for Adobe to patch the planet.

* '''Dec 14 - [http://jeremiahgrossman.blogspot.com/2006/12/i-know-if-youre-logged-in-anywhere.html JavaScript error handler leaks information]''' - An attacker can find out whether you're logged into your favorite website or not. They include a script tag where the src attribute doesn't point to a script, but instead to a page on your favorite websites. Based on the error the script parser generates when trying to parse the HTML of the page that's returned, the attacker can tell whether you're logged in or not. Should extend to access control easily. Protect yourself with CSRF protection.

* '''Dec 13 - [http://www.washingtonpost.com/wp-dyn/content/article/2006/12/12/AR2006121200173.html UCLA spins massive breach]''' - Why not just say what measures you've really taken? Are all developers trained? Do you do code review and security testing? "Jim Davis, UCLA's chief information officer, said a computer trespasser used a program designed to exploit an undetected software flaw to bypass all security measures and gain access to the restricted database that contains information on about 800,000 current and former students, faculty and staff, as well as some student applicants and parents of students or applicants who applied for financial aid. 'In spite of our diligence, a sophisticated hacker found and exploited a subtle vulnerability in one of hundreds of applications,' Davis said in the statement."

* '''Dec 10 - [http://news.com.com/Security+Bites+Podcast+MySpace,+Apple+in+patch+snafu/2324-12640_3-6142120.html MySpace and Apple mess]''' - MySpace and Apple show how NOT to handle security incidents (see also [http://blog.washingtonpost.com/securityfix/2006/12/how_not_to_distribute_security_1.html How Not to Distribute Security Patches])

* '''Dec 2 - [http://blogs.oracle.com/security/2006/11/27#a39 Oracle blames security researchers]''' - "We do not credit security researchers who disclose the existence of vulnerabilities before a fix is available. We consider such practices, including disclosing 'zero day' exploits, to be irresponsible." So the question on everybody's mind - is the Oracle Software Security Assurance program real? Or are David Litchfield and Cesar Cerrudo right that Emperor has no clothes?

OWASP Newsletter 1

2006-12-26T04:13:37Z

Aholmes:

OWASP Newsletter 1

2006-12-26T04:01:45Z

Aholmes:

==== OWASP News – December 25th 2006 to December 31st 2006 ====

Happy Holidays from all of us at OWASP!

I would like to take a moment to welcome you all to our first edition of the OWASP weekly newsletter and introduce myself. My name is Aaron Holmes and I have had the pleasure of maintaining the OWASP Autumn of Code 2006 Web Developer Project. It has been a rewarding and educational experience for myself, and I feel OWASP has benefited greatly by the many excellent projects which have been developed and advanced through the AoC 2006 program. With all this activity and excitement, we have decided that we should produce and distribute a weekly newsletter to keep everyone up to date on the direction of OWASP and our many great projects. We invite your feedback and news submissions which can be submitted to me directly by emailing aholmes@owasp.org. Enjoy!

As previously noted there has been an amazing amount of progress and work being finalized with the AoC 2006 winding down. We’ve seen new releases from both the OWASP Report Generator and the OWASP Site Generator Projects, having been made possible by the hard work of AoC 2006 participant Mike de Libero and project coordinator Dinis Cruz. Please see the progress page for a complete listing of new features and fixes as well as the main Report Generator and Site Generator project pages for complete project descriptions and resources.

Other projects seeing considerable development through the AoC 2006 program are Web Scarab (a web application security testing tool), Web Goat (online application security training environment), CAL9000 (a collection of web application security testing tools), Live CD (CD containing ready to use versions of application security analysis and testing tools), Pantera (Web Assessment Studio), Testing Guide (security testing procedures and guides), and the OWASP .NET Tools Project.

Phew, those are a lot of projects! In next week’s newsletter we will take a deeper look within a few of the aforementioned projects and explain how they can benefit you.

Until next week, happy coding!

Aaron M. Holmes
OWASP Weekly Newsletter Editor and Website Developer

==== Featured Project - OWASP WebScarab Project ====

WebScarab is a Java based framework for analysing applications that communicate using the HTTP and HTTPS protocols. WebScarab has several modes of operation that are activated through plugins. By default WebScarab operates as an intercepting proxy that allows the user to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser.

==== Latest Releases / Features ====

Nov 26 - [http://www.owasp.org/index.php/OWASP_Report_Generator OWASP Report Generator 0.88] Released
A tool for security consultants that supports the documentation and reporting of security vulnerabilities discovered during security.

Nov 26 - [http://www.owasp.org/index.php/OWASP_Site_Generator OWASP Site Generator v.70] Released
A tool that allows the creating of dynamic websites based on XML files and predefined vulnerabilities (some simple, some complex) for testing application security tools.

==== OWASP News Headlines ====

Nov 14 - [http://www.owasp.org/index.php/Category:OWASP_Project Three great new OWASP projects]
1) [http://www.owasp.org/index.php/Category:OWASP_Encoding_Project OWASP Encoding Project] A nice encoding library that supports Java, .NET, PHP, Python, Perl, JavaScript, and Ajax.
2) [http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project OWASP WSFuzzer Project] A fuzzing tool for Web Services to support penetration testing efforts.
3) [http://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project OWASP Insecure Web App Project] A realistic but insecure Java EE web application for use in learning and testing tools.

Nov 12 - [http://www.owasp.org/google/results.html New OWASP App Security Search Engine]
We're beta-testing a new Google-powered search engine for application security. The engine indexes the OWASP site and all the other sites dedicated to application security on the Internet.

Nov 7 - [http://www.owasp.org/index.php/Special:Statistics OWASP Hits Two-Million Page Views]
Thank you all for your support! We serve approximately 1/2 million page views every month.

OWASP Financials 2006

2006-12-21T19:02:11Z

Aholmes:

= OWASP 2006 Annual Report =

===From the Executive Director===
Welcome to this inaugural Annual Report for OWASP!

2006 has been an exciting time for the web application security. Many organizations have realized just how important web application security is to their bottom line - with the Payments Card Industry (PCI) to name just one mandating code reviews and security assessets of code.

OWASP is proud to have been on the forefront of the trends over the last six years.

OWASP is an open project, and thus this should include our financial data and roadmap.

We have many exciting projects underway, with some huge contributions from the community and security vendors alike. These tools, like LAPSE (a static Java source code checker) and CAL9000 (a Javascript penetration testing tool) are groundbreaking and should be a part of every serious web application security
Our tax year is the US financial year, so it may make more sense for the next annual report to be issued after we have filed.

If you have any queries relating to this annual report, please contact us at owasp@owasp.org

=== Financial Summary ===
OWASP is a 503(c).1 non-profit organization. We do not have any share holders, so essentially, this information is produced for the benefit of our community and transparency.

The above figures are of as 31st August 2006, and include most of the projected expenses on the Autumn of Code, but does not include the all the income or expenses from the Seattle conference.

Please see the Financial Statements section for more detail

=== Operations and significant developments ===
2006 has been a great year for OWASP. We have many active projects, more local chapters than ever before, greater adoption of our standards and guidelines, and two fantastic conferences. We expect the trend to continue through 2007.

==== Revenue Streams ====
OWASP expects to generate income from three major sources: corporate sponsorship, conferences, and membership dues. The major driver for 2006/2007 is to develop a method to allow membership dues to be levied and a portion of that money made available to the relevant local chapters.

==== Infrastructure ====
This last six months have been very active on the infrastructure front. We have moved our mail lists in house, set up forums and blogs for our members, and moved our entire content to a Wiki.

These moves allow the community to more easily access and work together. In particular, it enables us to host the Autumn of Code, which in turn builds real results for selected OWASP projects.

==== Autumn of Code ====
We have just commissioned the OWASP Autumn of Code. Dinis Cruz is running with this project, which will for the first time see the funds donated by our corporate sponsors and membership dues being used for OWASP projects directly. At the time of writing, submissions have been accepted and projects are underway.
If this project is successful, we will be seeking sponsorship for the Autumn of Code 2007. This will allow organizations to sponsor projects which have been useful for them and in turn allows the organizations to see real improvements.

==== Top 10 2007 ====
The Top 10 has been tremendously successful, and is widely adopted as a technical standard. SANS, Payments Card Industry (PCI), and many others have made the Top 10 a core part of their web application security standard.

Much has changed since its release in 2004, it’s time for a refresh. The project is actively working towards a release in early 2007, with a draft expected in early November 2006.

==== Guide 3.0 ====
The project is refreshing content from the successful launch of the Guide 2.0 in 2005. There are two new chapters: Ajax Security and State Management along with a raft of new content in each chapter to bring it completely up to date. It is the most comprehensive “how to code securely” tome available for any price.

The Guide 3.0 will be appearing in print sometime in early 2007 through No Starch Press.

==== Contributions to OWASP ====
OWASP has been proud to accept many contributions from outside organizations. This demonstrates OWASP’s acceptance by the industry as the preeminent web application security organization.
Projects include:
*CLASP - Comprehensive Lightweight Application Security Project. Donated by Secure Software
*CAL 9000 - Javascript web application security tester. Donated by Chris Loomis
*LAPSE - Java code review tool
*Vulncat - A taxonomy donated by Fortify Software with over 500 entries.
We have much work to integrate some of these projects into a useable whole that we have created the Honeycomb project. This project should enable several large projects (CLASP, Guide, Vulncat, etc) to share content and methodologies.
Forward looking statements
During the next twelve months, a key driver for OWASP is openness and transparency.
We are seeking more financial individual members, who in return for a GNI indexed membership fee, will receive a proper membership kit for the first time.
Once we have a critical mass of financial members, we will be adopting more of the common NetBSD method of open elections to elect OWASP Foundation positions, which have been to date appointments based upon meritocracy.
We expect the first AGM and votes to be held sometime in 2007, possibly as early as the OWASP EU conference in May 2007.
OWASP Seattle October 16-18 2006
OWASP Seattle is looking to be an excellent conference with two tracks and a training day. One of the keynote speakers is Michael Howard from Microsoft’s security team and a noted author of several respected books, including Writing Secure Code and Secure Development Lifecycle.
OWASP EU May 2007
The location for this conference has not been set as yet, but a leading contender is Portugal.

OWASP Autumn of Code 2006 - Projects: Website and Branding - Progress

2006-12-05T15:47:33Z

Aholmes:

[[OWASP_Autumn_of_Code_2006_-_Projects:_Website_and_Branding|Project Main Page]]

== Progress Notes ==
*Prepared news release and front page article for review
*Created project pages for AoC
*Created misc. content for distribution
*Created tshirt design for AoC 2006
*Created OWASP corporate identity package including business card, letterhead, envelope, and newsletter designs
*Working to create and manage weekly news releases regarding OWASP activity.
*Working to create and manage monthly newsletter for OWASP members.

OWASP Autumn of Code 2006 - Projects: Website and Branding

2006-12-05T15:32:38Z

Aholmes:

'''AoC Candidate:''' Aaron M. Holmes

'''Project Coordinator:''' Jeff Williams

'''Project Progress:''' 50% Complete - [[OWASP_Autumn_of_Code_2006_-_Projects:_Website_and_Branding_-_Progress|Progress Page]]

== Background and Motivation ==

'''History Behind Project'''

The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. Our website provides information, tools and valuable resources to the community and is a cost effective medium for distributing up to date material worldwide. Given this potential it is important that we focus on providing the best possible experience for our users so that they may take advantage of all OWASP resources.

Additionally, it is important for OWASP to identify itself as a trusted and authoritative source. Our goal is to create a standard which all OWASP projects and resources must uphold, as well as to create a brand to aid in distinguishing OWASP resources from those that are available elsewhere. Our intent is to provide an identity that is immediately recognizable within the security community which also carries with it a feeling of assurance.

'''Problem to be Addressed'''

The current OWASP.org website takes advantage of the community collaboration and ease of editing features of Wiki-based websites. However, the OWASP project is successfully growing in size and quickly outgrowing its original home. There is a great opportunity here to extend the existing site to provide a greater depth of functionality for community members, better organization, and a more robust 'user experience'. During this time it will also be beneficial to decide on a new look and feel to the website which will align with the OWASP branding and identity.

'''Benefit to OWASP Members and Community'''

OWASP members will benefit by:
*Having content that is easier to navigate and locate
*Taking advantage of the OWASP brand to gain trust within their work
*Increased site functionality (to be identified)
*Increased outreach and marketing of the OWASP resources, thus attracting more eyes and recognition

== Goals and Deliverables ==

'''Plan of Approach'''

We will immediately commence updating and creating new content pages as required. Time will also be spent creating documents which will give in depth detail for all deliverables including timelines. A design brief will be prepared to ensure that all future work aligns with the branding of OWASP and to minimize the risk of creating an image that is not distinct or recognizable.

'''Deliverables'''

*Design website template
*Design print and promotional materials
*Design logos, certified OWASP logos, and other imagery
*Content updating and proofing (English)
*Prepare guidelines and standards for OWASP projects
*Prepare marketing brief discussing the identity of OWASP
*Prepare website documentation for future developers
*Develop features and functionality as identified by OWASP and community (Including web services and member only access pages)
*Audit website with the help of other projects

== Risks and Rewards ==

'''Main Risks'''

This is a large project which relies on the support and cooperation of the OWASP community. There is a risk that without proper planning time will be wasted in creating designs and materials which do not align well and do not provide for a disctinct identity.

'''Rewards of Successful Project'''

A successful project will allow OWASP to continue strong growth and gain credibility as a trusted and beneficial group. By providing a better user experience it will be easier for OWASP to gain traction with individuals and organizations that are worried about putting too much faith in 'grassroot' or 'Mickey Mouse' type communities; which are considered to be too small, not dedicated, lack focus, and are not reliable in the long-term. A professional identity for OWASP will help alleviate these concerns by providing a professional look and feel which will be instantly recognizable. This attention to detail will carry through to all resources and services provided by OWASP, and is what helps differentiate OWASP from others.

Category:OWASP Video Demo

2006-11-11T03:11:20Z

Aholmes:

== Welcome to the OWASP Video Collection ==

OWASP attempts to make videos of presentations made by our members and at our conferences concerning application security whenever possible. The slides for most of these presentations are available, linked to the conference agendas (please link them if possible!).

Some of the videos below got a little mangled in the conversion process. So some of the talks run together. For example the first part of Dinis' .Net Tools video is appended to the end of Jeff's Guide talk. We're working on it.

== Videos ==

;[http://video.google.com/videoplay?docid=-1807054604513842127&q=owasp OWASP_GunnerPeterson_IntegratingIdentityServicesintoWebApps.mp4]
:OWASP Gunner Peterson Integrating Identity Services into Web Apps. OWASP - 35 min - Oct 12, 2006

;[http://video.google.com/videoplay?docid=-2481289516847680871&q=owasp OWASP_Intro_DaveWichers_Key_JoeJarzombek_RonRose.mp4]
:OWASP Intro Dave Wichers Key Note Joe Jarzombek & Ron Rose. OWASP - 2 hr 7 min - Oct 12, 2006

;[http://video.google.com/videoplay?docid=-5332911124544076749&q=owasp :OWASP_JeffWilliams_OWASP_Guide_and_Membership.mp4]
:OWASP Jeff Williams OWASP Guide and Membership. OWASP - 2 hr 12 min - Oct 13, 2006

;[http://video.google.com/videoplay?docid=-2492965730809426450&q=owasp OWASP_DinizCruz_Rooting_the_CLR.mp4]
:OWASP Diniz Cruz Rooting the CLR. OWASP - 1 hr 22 min - Oct 12, 2006

;[http://video.google.com/videoplay?docid=-2492965730809426450&q=owasp OWASP_JohnSteven_Building_a_Scalable_Software_Security_Practice.mp4]
:OWASP John Steven Building a Scalable Software Security Practice. OWASP - 1 hr 19 min - Oct 13, 2006

;[http://video.google.com/videoplay?docid=-5233500471539001436&q=owasp OWASP_PaulBlack_RickKuhn.mp4]
:OWASP Paul Black & Rick Kuhn. OWASP - 1 hr 9 min - Oct 13, 2006

;[http://video.google.com/videoplay?docid=-9110574247136866679&q=owasp OWASP_IraWinkler_Secrets_and_Superspies.mp4]
:OWASP Ira Winkler Secrets and Superspies. OWASP - 2 hr 2 min - Oct 13, 2006

;[http://video.google.com/videoplay?docid=8437304318271455155&q=owasp OWASP_RoganDawes_AdvancedFeaturesofWebScarab.mp4]
:OWASP Rogan Dawes Advanced Features of WebScarab. OWASP - 1 hr 24 min - Oct 13, 2006

;[http://video.google.com/videoplay?docid=7947858567235952851&q=owasp OWASP_DinizCruz_DotNet_Tools_Project.mp4]
:OWASP Diniz Cruz DotNet Tools Project. OWASP - 1 hr 15 min - Oct 12, 2006

;[http://video.google.com/videoplay?docid=5758230888370998733&q=owasp OWASP_ArianEvans_Tools_SurveyProject.mp4]
:OWASP Arian Evans Tools Survey Project. OWASP - 1 hr 18 min - Oct 12, 2006

;[http://video.google.com/videoplay?docid=4473926180612118549&q=owasp OWASP_AlexSmolen_Application_Logic_Defense.mp4]
:OWASP Alex Smolen Alication Logic Defense. OWASP - 36 min - Oct 12, 2006

;[http://video.google.com/videoplay?docid=4379894308228900017&q=owasp OWASP_DanielCutbert_Evolution_WebAppPenTest.mp4]
:OWASP Daniel Cutbert Evolution Web App Pen Test. OWASP - 1 hr 11 min - Oct 12, 2006

;[http://video.google.com/videoplay?docid=3853779542023264815&q=owasp OWASP_JackDanahy_The_Business_Case_for_Software_Security_Assurance.mp4]
:OWASP Jack Danahy The Business Case for Software Security Assurance. OWASP - 2 hr 2 min - Oct 13, 2006

;[http://video.google.com/videoplay?docid=2018648061521175729&q=owasp OWASP_MattFisher_WormsNowTargetingWebApps.mp4]
:OWASP Matt Fisher Worms Now Targeting Web Apps. OWASP - 49 min - Oct 13, 2006

;[http://video.google.com/videoplay?docid=941077664562737284&q=owasp Dinis Cruz @ BlackHat 2006 with FSTV]
:Dinis Cruz, leader of the OWASP.NET project joins us to talk about .NET, web security tools, the future of OWASP, and Open Source Software. OWASP - 30 min - Aug 30, 2006

OWASP AppSec Washington 2005

2006-10-28T18:02:01Z

Aholmes:

== [[AppSec_Washington_2005/Agenda | Agenda (two tracks)]] ==

The full conference schedule including Power Point presentations is now available here. Each of the speakers and what they have presented is listed below. For the first time, given the number of speakers, the conference was presented in two parallel tracks.

== Location - NIST ==

The conference was held at the Main Campus of the National Institute of Standards and Technology (NIST), in Gaithersburg, MD, near Washington DC. This conference was sponsored by the NIST Software Assurance Metrics and Tool Evaluation (SAMATE) project, which is being run by Dr. Paul Black, who is also on the conference committee. OWASP extends its gratitude to NIST for offering to host our conference.

With a location near our nation's capital, OWASP intends to draw a wide contingent of attendees from the commercial, government, and academic arenas. The importance of application security has been growing immensely over the past few years and people from all three areas need to get together to discuss the state of the practice in application security and encourage others to get involved and do what needs to get done to protect the custom applications for which they are responsible.

== Speakers and Training Day ==

This year's conference included a number of speakers from the government arena, including NIST, which we have not had represented at previous OWASP conferences.

For the first time, OWASP has arranged to have a one day training course on Web Application Security be offered the day prior to the course. More information about this one day tutorial is available here: The Foundations of Web Application Security. This course provides a great introduction for conference attendees into the fundamental security issues that are highly prevalent in today's Web Applications. The prevalence of such vulnerabilities is why OWASP was formed to raise awareness of and help organizations and individuals eliminate such vulnerabilities from their application code.

== Evening Social Event - Oct. 11th ==

An optional social event for the evening of the 11th will be held at the Holiday Inn Gaithersburg, which is the same location where the training is to be held on the 10th, and where discounted rooms are being made available to all conference attendees (see Accommodations below).

This event involves a dinner at the hotel from 7PM-9PM (which is included in the event fee), followed by drinks at O'Malley's Irish Pub right in the hotel or out by the hotel's indoor pool adjacent to the pub.

== [[AppSec_Washington_2005/Accommodations | Accommodations]] ==

NIST has arranged for a block of hotel rooms to be reserved for the conference at a significant discount at the nearby Gaithersburg Holiday Inn. Registration information for this hotel is available here. NIST buses will be available to take attendees back and forth between the hotel and the NIST campus during both days of the conference.

== Gaithersburg Holiday Inn location ==

: 2 MONTGOMERY VILLAGE AVE
: GAITHERSBURG, MD 20879

== Directions to NIST Main Campus ==

From northbound I-270 take Exit 10, Route 117 West, Clopper Road. Bear right at the first light onto Clopper Road/West Diamond Avenue. At the next light, turn left onto the NIST grounds.

From southbound I-270 take Exit 11, Route 124, Montgomery Village Avenue/Quince Orchard Road. Bear right at the first light onto Route 124 West, Quince Orchard Road. After you merge onto Rt. 124, Quince Orchard Road, turn left at the second light onto Route 117, West Diamond Avenue. Turn right at the first light onto NIST grounds.

Directions from local airports to the NIST Main Campus is available at: http://www.nist.gov/public_affairs/maps/directions.htm

== NIST Check In Process ==

NIST will provide Security with a list of all conference attendees. Eveyone needs to stop by the Visitor Trailer on the first day of the conference to show picture id and get a gate pass. You will then be directed to the Administration Building where you will get your badge.

The conference will be in the Green Auditorium in the Administration Building.

'''Note:''' No onsite registrations will be allowed for this conference. It is against NIST policy to allow people to enter the NIST facility without preregistering for the conference.

== Conference Committee ==

* Dave Wichers, Aspect Security, (Conferences Chair)
* Dr. Paul Black, NIST
* Ken van Wyk, KRvW Associates
* David A. Wheeler, IDA

If you have any questions about the conference please contact Dave Wichers, the OWASP Conferences Chair, at conferences 'at' owasp.org

== Conference Sponsors ==

For the first time, OWASP is accepting sponsorships for the OWASP Conference. OWASP would like to thank the following organizations for sponsoring this conference:

'''Facility Sponsor:'''

[[Image:Nist.jpg]]

'''Conference Sponsors:'''

[http://www.aspectsecurity.com http://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg] [http://www.ouncelabs.com/ http://www.owasp.org/docroot/owasp/img/sponsors/ounce_labs.jpg] [http://www.teros.com/ http://www.owasp.org/docroot/owasp/img/members/teros05.gif] [http://www.watchfire.com/products/webxm/security.aspx http://www.owasp.org/docroot/owasp/img/members/watchfirelogo.gif] [http://www.cenzic.com/ http://www.owasp.org/docroot/owasp/img/members/CenzicLogoTag4C.gif] [http://www.securesoftware.com/ http://www.owasp.org/docroot/owasp/img/members/SS_logo.gif] [http://www.parasoft.com/ http://www.owasp.org/docroot/owasp/img/members/ps.jpg]

[[Category:OWASP AppSec Conference]]

OWASP AppSec Europe 2006

2006-10-28T18:00:21Z

Aholmes:

[[Image:AppSecEurope2006.jpg|right]]

==Conference Location==

This year, the OWASP Europe Conference was held in Belgium at the Catholic University of Leuven (aka Katholieke Universiteit Leuven, or K.U. Leuven) in Leuven, which is 25 km from Brussels. More information about the location is presented below.

==Agenda and Presentations==

See the [[AppSec_Europe_2006/Agenda | agenda page]] for the conference agenda and copies of all the presentations.

==Training Day==

OWASP arranged a one-day training course on Web Application Security which was offered on May 29th, the day prior to the conference. More information about this one day tutorial is available here: [[AppSec_Europe_2006/Training | The Foundations of Web Application Security]]. This course provides a great introduction for conference attendees into the fundamental security issues that are highly prevalent in today's Web Applications. The prevalence of such vulnerabilities is why OWASP was formed to raise awareness of and help organizations and individuals eliminate such vulnerabilities from their application code.

OWASP also provided a second one-day training course on Web Services Security. Information on this course is available here: [[AppSec_Europe_2006/Training | Web Services Security]].

==Evening Social Event - May 30th==

At every conference we have an evening social event the first night. This allows participants to have some unstructured time to mingle with the other attendees. They are always fun and typically attract about half the conference attendees. This year's event was more upscale than in the past, with a three course dinner at the nearby Faculty Club. The Faculty club is a restaurant annex conference centre located in a medieval part of Leuven. You can find pictures and more details here: [http://www.facultyclub.be/E/030_infrastructuur_D.lasso Faculty Club Info].

This event started with a short tour of Leuven as we walk to the club, followed by a short reception and then dinner. Historically, after the dinner is over, a local club is identified and the die hards move to that location. We hope to see you there.

Dinner Agenda:
18h00-19h00: a guided city tour in the historical center of Leuven that starts at the auditorium and ends at the Faculty Club
19h00-19h30: small reception at the Faculty Club
19h30-….: 3-course dinner with wines

==Accommodations==

Current information on available accomodations is available [[AppSec_Europe_2006/Accommodations | here]].

==Directions==

[http://www.leuven.be/ Leuven] is about 25 km east of [http://www.brussels.be/ Brussels], capital of Belgium. Do not confuse Leuven with Louvain La Neuve, where the francophone sister university of the K.U.Leuven is located! Louvain La Neuve is near Wavre and Ottignies, about 30km south-west of Leuven.

==By Plane==

Take the plane to [http://www.brusselsairport.be/ Brussels Airport] (Zaventem). It is about 25 km from Leuven.

The are different options to get from the airport to Leuven:
There are frequent [http://www.b-rail.be/ trains] to Leuven. The trip takes less than 20 minutes and will cost 4.80 euro.
You can use the following [http://www.b-rail.be/ website] to find a train from Brussels Airport ("Brussel Nationale Luchthaven") to Leuven on the desired date and time.

A taxi from Brussels Airport will cost about 50 euro.

[http://www.brusselsairport.be/rental/ Car rental] desks are located in the arrival halls of the airport. However, keep in mind that parking space in Leuven is limited and expensive.

==By Train==

Consult the [http://www.b-rail.be/ Belgian Railways] site. Leuven is on the line from Brussels to Liege (Luik), Aachen and Koeln. There are [http://www.b-rail.be/ trains] every 15 minutes from any of the three major train stations in the city of Brussels (Brussel Zuid, Brussel Centraal, and Brussel Noord) to Leuven. The total trip will take about 30 minutes and will cost you about 4 euro.

There are also fast international train connections to Brussels South (Brussel Zuid/Bruxelles Midi) available from major European cities:
[http://www.thalys.com/ Thalys]: Paris Nord
(1h25'), Airport Charles De Gaulle (1h15'), Koeln HBF (2h30'), Amsterdam
(2h40'), Rotterdam (1h40')

[http://www.eurostar.com/ Eurostar]: London
Waterloo (2h20'), Lille Europe (40')

==By Car==

Take the highway E40 (Brussel-Luik).
From E40 take the exit E314/A2 Leuven-Hasselt-Genk between exit 22 (Bertem)and exit 23 (Haasrode).
From E314 take the exit 15 and follow directions to Leuven.

==Conference Location in Leuven==

[http://www.kuleuven.be/english http://www.owasp.org/docroot/owasp/img/sponsors/kuleuven.jpg]

The conference will be held in:
College De Valk
Auditorium Zeger Van Hee
Tiensestraat 41
3000 Leuven

The location is indicated with a cross on the following [http://cwisdb.cc.kuleuven.be/kaarten-bin/basiskaart.pl?gebouwnm=&straatnm=Tiensestraat41&deelgem=Leuven&kaartnr=1&xlambert=173640&ylambert=174220&xlambin=173640&ylambin=174220 map]. (Click on the map to zoom in)

Conference Committee (conferences 'at' owasp.org)
*Dave Wichers, Aspect Security, (OWASP Conferences Chair)
*Frank Piessens, University of Leuven, (Local Conference Chair)
*Sebastien Deleersnyder, Ascure, (OWASP Belgium Chapter Lead)

If you have any questions about the conference please contact Dave Wichers, the OWASP Conferences Chair, at conferences at' owasp.org

== [[OWASP AppSec Conference Sponsors | Conference Sponsors]]==

OWASP would like to thank the following organizations for sponsoring this conference:

[http://www.aspectsecurity.com http://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg] [http://www.f5.com http://www.owasp.org/images/7/7e/50px-F5_50px.jpg][http://www.ascure.com http://www.owasp.org/images/4/49/Ascure_logo.jpg] [http://www.zionsecurity.com/index.php http://www.owasp.org/images/3/36/100px-Zion_150_37.jpg] [http://www.fortifysoftware.com http://www.owasp.org/images/5/5d/Fortifysoftware_lowres.JPG] [http://www.bee-ware.net http://www.owasp.org/docroot/owasp/img/sponsors/bee_ware_logo.gif]

==Facility Sponsor==

*Katholieke Universiteit Leuven

[[Category:OWASP AppSec Conference]]

__NOTOC__

OWASP AppSec Seattle 2006

2006-10-28T15:03:28Z

Aholmes:

[http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006 http://www.owasp.org/images/c/cd/Seattle1006.gif]

==Conference Location==

This year's US OWASP conference will be held at the [http://www.bellharbor.com/meetings.aspx?SecID=97 Bell Harbor International Conference Center] in Seattle, Washington from October 16th-18th.

[[AppSec_Seattle_2006/Training | Training Day: October 16th]]

Main Conference: October 17-18

==Agenda and Presentations - Oct 17th-18th==

The [http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006/Agenda agenda] will follow the (current) standard OWASP conference format of two tracks, with opening keynotes and presentations in the main auditorium, split tracks in the middle of the day, and closing presentations back in the main auditorium both days.

The Keynote will be by Michael Howard from Microsoft on "The Benefits of the SDL initiative to Microsoft and its Customers". Mike is a top member of Microsoft's security team and a coauthor of several application security books including Writing Secure Code, 2nd Ed., and 19 Deadly Sins of Software Security.

This conference will include presentations from many different OWASP contributors and leading Application Security professionals, and will include one panel each day.

The current OWASP AppSec Seattle 2006 agenda can be found [http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006/Agenda here].

==Training Day: Monday - Oct 16th==

OWASP has arranged several Application Security one-day training courses which are offered on October 16th, the day prior to the conference. More information about the first tutorial is available here: [[AppSec_Seattle_2006/Training#T1._Foundations_of_Web_Application_Security_-_One_Day_Course_-_October_16th.2C_2006 | The Foundations of Web Application Security]]. This course provides a great introduction for conference attendees into the fundamental security issues that are highly prevalent in today's Web Applications. The prevalence of such vulnerabilities is why OWASP was formed to raise awareness of and help organizations and individuals eliminate such vulnerabilities from their application code.

OWASP has also arranged for a second one-day training course on Web Services Security. Information on this course is available here: [[AppSec_Seattle_2006/Training#T2._Web_Services_and_XML_Security_-_One_Day_Course_-_October_16th.2C_2006 | Web Services Security]]. The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software.

A third course is now also available: [[AppSec_Seattle_2006/Training#T3._Advanced_Asp.Net_Exploits_and_Countermeasures_-_One_Day_Course_-_October_16th.2C_2006 | Advanced Asp.Net Exploits and Countermeasures]] - In this course, you will push ASP.NET to the limit and will be shown how ASP.NET applications and environments can be exploited by skilled attackers.

==Evening Social Event - Oct 17th==

At every conference we have an evening social event the first night. This allows participants to have some unstructured time to mingle with the other attendees. They are always fun and typically attract about half the conference attendees. This year's event will be held nearby at Anthony's Pier 66 at 2201 Alaskan Way, Pier 66, which is just a block away on the same pier starting at 6:30. After dinner, many of the participants then wander to the nearest bar/pub and continue sometimes into the wee hours of the morning. In Europe this year some were pretty hard core, staying out till 5 AM. I 'think' the bars in Seattle probably close earlier than that :-)

More information on Anthony's Pier 66 is available here: http://www.anthonys.com/restaurants/info/pier66.html

==Accommodations==

The conference is located in downtown Seattle on the Waterfront just four blocks from Pike Place Market and downtown Seattle. OWASP has negotiated some discounted hotel rates in the area:

'''NOTE:''' Because of the blocks of rooms we have reserved, '''it may appear that these hotels are sold out''' if you check online. If so, PLEASE call them directly and mention you are reserving a room for the OWASP conference. '''As of September 7th, there were still many rooms available.'''

'''Conference Hotel: Warwick Seattle Hotel (3.5 Stars) - OWASP Conference Rate: $144 / night + tax. Ask for the OWASP Group Rate'''

401 Lenora St (0.3 mi. [~8 blocks] from Bell Harbor Conference Center)

A set of rooms have been blocked off for Sunday through Weds nights (Oct 15, 16, 17, 18). Once they are gone, there's no guarantee that they'll have more so please reserve your rooms early!!

Hotel Description: In the heart of downtown Seattle, The Warwick Seattle Hotel greets you with European luxury and charm. Our 230 newly renovated guestrooms are spacious and tastefully decorated, offering king or double size beds. Also available are 4 penthouse suites with a full living room and Jacuzzi tub. All guestrooms feature floor-to-ceiling glass sliding doors with magnificent views of the Space Needle or the city skyline.

www.warwickwa.com | 401 Lenora St | Seattle WA 98101 | P: 206 443 4300 F: 206 448 1662

'''Additional Accommodation Options:'''

Inn at the Market (4 Stars) - OWASP Conference Rate: $155 / night + tax

86 Pine St (0.3 mi. [~8 blocks] from Bell Harbor Conference Center)

For OWASP Conference Reservations: https://reservations.ihotelier.com/crs/g_reservation.cfm?groupID=25691&hotelID=13171

30 rooms per night have been blocked off for Sunday through Weds nights (Oct 15, 16, 17, 18). ''These rooms are only reserved until Sept. 27.'' After that, they will be released for general reservations.

Hotel Description: Seattle's premier small hotel located in the historic Pike Place Market in downtown Seattle! The Inn at the Market, a 70-room boutique hotel overlooks two jewels of the city; the lovely Elliott Bay and the bustling Pike Place Market giving guests an experience they will never forget. An ideal downtown location for Seattle sightseeing, the Inn at the Market is only a few feet away from Seattle's famed Pike Place Market and the stunning waterfront, guests will find themselves in the center of the vibrant downtown Seattle area. Boutique charm and a warm elegance is evident throughout the hotel, from the elegant lobby to the comfortable guestrooms.

www.innatthemarket.com | 86 Pine Street | Seattle WA 98101 | P: 800-446-4484 | F: 206-448-0631

Mayflower Park Hotel (3.5 stars) - OWASP Conference Rate: $159 / night + tax

405 Olive Way (0.3 miles (~9 blocks) from Bell Harbor Conference Center)

30 rooms per night have been blocked off for Sunday through Wednesday nights (October 15,16,17,18) These rooms are only reserved until Sept. 24. After that, they will be released for general reservations. Book online at: https://reservations.ihotelier.com/crs/g_reservation.cfm?groupID=25569&hotelID=6628, or by phone at 1-800-426-5100. Be sure to mention the OWASP group rate.

Hotel Description: Built in 1927, the Mayflower Park Hotel has been beautifully restored, retaining the ambiance of a classic European hotel. Located in the heart of downtown Seattle, we offer the city’s finest location for shopping, business and recreation. With direct access to Westlake Center from our mezzanine level, guests can shop at the Center’s 80 specialty shops, take the Monorail to the Space Needle, and walk to nearby department stores. The Pike Place Market and the Waterfront are a short walk away. The Mayflower Park Hotel is proud to offer: 171 guest rooms and suites, complimentary high speed wireless internet access, complimentary in-room coffee service and morning newspaper. The Mayflower Park Hotel is a member of the National Trust Historic Hotels of America.

www.mayflowerpark.com │405 Olive Way │P: 206 632-8700 │F: 206 382-6996

==Conference Fees==

Standard: $450, OWASP Members: $400, Students: $250, Early Registration Discount (by Sept 21): $50 ($25 for students)

Conference Dinner (Evening of Oct 17th): $50

Conference Tutorial (All day tutorial Oct 16th): $675, Student Fee: $375

Note: To save on processing expenses, all fees paid for the OWASP conference are non-refundable. OWASP can accomodate transfers of registrations from one person to another, if such an adjustment becomes necessary.

==Directions==

[http://www.bellharbor.com/directions.aspx?SecID=92 From the Bell Harbor Conference Web Site:]

To Bell Harbor International Conference Center from north of Seattle on I-5 South:

Take Exit 167 (West Mercer Street/Fairview Avenue)

Turn right onto Fairview Avenue

Take the first left onto Valley Street

Stay left; Valley Street merges into Broad Street

Continue on Broad Street to Elliott Avenue, and turn left

Once you pass the Wall Street intersection, park in the Art Institute of Seattle parking garage on your immediate right

To Bell Harbor International Conference Center from south of Seattle on I-5 North (coming from Sea-Tac Airport):

Take the Madison Street exit (also called Convention Place exit)

Turn left onto Madison Street

Stay on Madison Street until you come to the waterfront

Turn right on Alaskan Way

You will pass Pier 66 on your left; the next street after the sky bridge is Wall Street. Turn right on Wall Street.

Turn right on Elliott Avenue

Park in the Art Institute of Seattle parking garage on your immediate right

Take the sky bridge to the Conference Center, World Trade Center Seattle, and Odyssey, the Maritime Discovery Center

The International Promenade is located in the Cruise Ship Terminal one block north of Bell Harbor on Alaskan Way. To access, follow the directions to Bell Harbor and take the elevator to the ground level.

---Please note the two parking garage entrances, Elliott Avenue and Wall Street---

2211 Alaskan Way, Pier 66

Seattle, WA 98121

phone: 206.441.6666

Click here for [http://maps.yahoo.com/py/maps.py?BFCat=&Pyt=Tmap&newFL=Use+Address+Below&addr=2211+Alaskan+Way,+Pier+66&csz=Seattle,+WA++98121&country=us&Get%20Map=Get+Map MapQuest]

Click here for PDF [http://www.columbiahospitality.com/UploadFiles/FileID247/BH%20Directions.pdf Directions]

To inquire about rates for the Art Institute of Seattle parking garage, call Republic Parking at 206.443.1793.

== [[OWASP AppSec Conference Sponsors | Conference Sponsors]]==

OWASP would like to thank the following organizations for sponsoring this conference:

[http://www.aspectsecurity.com http://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]
[http://www.ioactive.com http://www.owasp.org/images/4/46/IOActive.gif]
[http://www.fortifysoftware.com http://www.owasp.org/images/5/5d/Fortifysoftware_lowres.JPG]
[http://www.watchfire.com/ http://www.owasp.org/images/3/3e/Watchfirelogo.gif]
[http://www.ouncelabs.com/ http://www.owasp.org/images/3/33/Ounce_labs.jpg]
[http://www.citrix.com/ http://www.owasp.org/images/6/65/Citrix_logo.gif]
[http://www.f5.com http://www.owasp.org/images/7/7e/50px-F5_50px.jpg]
[http://www.cenzic.com/ http://www.owasp.org/docroot/owasp/img/members/CenzicLogoTag4C.gif]

More information about conference sponsorship is available [[OWASP AppSec Conference Sponsors | here]].

== Dinner Sponsor ==

OWASP would like to thank [http://www.securesoftware.com/ Secure Software] for sponsoring the evening social event on October 17th.

[http://www.securesoftware.com/ http://www.owasp.org/images/9/99/SS_logo.gif]

== Facility Sponsor ==

OWASP would like to thank the [http://www.washington.edu/ University of Washington] for helping to organize and facilitate the event.

[http://www.washington.edu/ http://www.owasp.org/images/e/eb/UWSeal.jpg]

Category:OWASP WebGoat Project

2006-10-28T14:56:52Z

Aholmes:

[[Image:Webgoat-xss lesson.jpg|thumb|300px|right|WebGoat in action]]
'''WebGoat''' is a deliberately insecure J2EE web application maintained by [http://www.owasp.org OWASP] designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use [[SQL injection]] to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? ''Just blame it on the 'Goat''!

'''To get started, read the [[WebGoat User and Install Guide Table of Contents|WebGoat User and Install Guide]]'''

==Goals==

Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment. Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission.

The primary goal of the WebGoat project is simple: ''create a de-facto interactive teaching environment for web application security''. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.

Check out the project [[OWASP WebGoat Project Roadmap|roadmap]] and find some tasks that you can help with right away.

==Download==

You can download WebGoat from the [http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824 OWASP Source Code Center at Sourceforge]. There are versions with and without Java, and installation only requires unzipping the download and running a start script. For convenience, a ready-to-deploy WAR file is also made available to drop right into your J2EE application server.

You can download the WebGoat source code from [http://code.google.com/p/webgoat/ Google code].

== Overview ==
[[Image:Webgoat-BasicAuth lesson.jpg|thumb|300px|right|The multi-stage Basic Authentication lesson]]
WebGoat is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard. There are currently over 30 lessons, including those dealing with the following issues:
{|
|valign="top"|
* [[Cross Site Scripting]]
* Access Control
* [[Race condition within a thread|Thread Safety]]
* [[Unvalidated_Input|Hidden Form Field Manipulation]]
* Parameter Manipulation
* [[Session_Management#Weak_Session_Cryptographic_Algorithms|Weak Session Cookies]]
* Blind [[SQL injection|SQL Injection]]
|valign="top"|
* Numeric SQL Injection
* String SQL Injection
* [[Web Services]]
* [[Improper_Error_Handling|Fail Open Authentication]]
* Dangers of HTML Comments
* ... and many more!
|}

For more details, please see the [[WebGoat User and Install Guide Table of Contents | WebGoat User and Install Guide]].

== Newest Release ==
'''WebGoat 4.0'''

Thursday, May 25th, OWASP released '''WebGoat 4.0'''. Special thanks go to the many people who have sent comments and suggestions and those who have put in the effort to contribute their time to this release like: David Anderson, Laurence Casey, Eric Sheridan, Arshan Dabirsiaghi, and Robert Sullivan.

== Future Development ==

WebGoat 5.0 - Estimated release date: January 2007

Examples of new lessons include:
{|
|valign="top"|
* HTTP Splitting
* Cross-Site Request Forgery
* XPATH Injection
* AJAX Security
|valign="top"|
* Log Spoofing
* Cache Poisoning
* Back Doors via SQL Injection
|}
There will be many improvements to existing lessons as well as an update to the Users Guide!

If you would like to become a member of the WebGoat source code project hosted at [http://code.google.com/p/webgoat/ Google Code] contact Bruce Mayhew at '''bruce DOT mayhew AT g2-inc.com'''.

== Project Contributors ==

The WebGoat project is run by Bruce Mayhew of G2. He can be contacted at '''bruce DOT mayhew AT g2-inc.com''' WebGoat is currently maintained on [[http://www.sourceforge.net SourceForge]]. The WebGoat framework makes it extremely easy to add additional lessons. We are actively seeking developers to add new lessons as new web technologies emerge. If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the WebGoat [[http://lists.owasp.org/mailman/listinfo/owasp-webgoat mailing list]].

== Project Sponsors ==

The WebGoat project is sponsored by
[http://www.aspectsecurity.com http://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]

[[Category:OWASP Project]]
[[Category:OWASP Download]]
[[Category:OWASP Tool]]

__NOTOC__

Category:OWASP AppSec Conference

2006-10-28T14:53:03Z

Aholmes:

[http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006 http://www.owasp.org/images/c/cd/Seattle1006.gif]

==About==

The OWASP AppSec conference series is dedicated to bringing together industry, government, and security researchers to discuss the state of the art in application security. This series was launched in the U.S. in the Fall of 2004 and in Europe in the Spring of 2005. All of the presentations from our previous conferences can be downloaded from the agenda pages for each conference.

==Schedule==

OWASP holds two conferences each year, one in the U.S. and one in Europe. If you'd like to host a conference, we're always looking for great locations. Please contact Dave Wichers, the OWASP Conferences Chair at dave.wichers 'at' owasp.org.

; Oct 2007 - [[7th OWASP AppSec Conference - San Jose 2007]]
: Targeted for October - at or near the Google Campus in Mountainview, CA.

; May 2007 - [[6th OWASP AppSec Conference - Italy 2007]]
: Targeted for May - in Italy.

; Oct 2006 - [[OWASP AppSec Seattle 2006|5th OWASP AppSec Conference - Seattle 2006]]
: Held October 16th-18th - in Seattle, Washington. (view [[OWASP_AppSec_Seattle_2006/Agenda|agenda and presentations]])

; May 2006 - [[OWASP AppSec Europe 2006|4th OWASP AppSec Conference - Europe 2006]]
: Held in Leuven, Belgium (view [[AppSec Europe 2006/Agenda|agenda and presentations]])

; Oct 2005 - [[OWASP AppSec Washington 2005|3rd OWASP AppSec Conference - Washington 2005]]
: Held at NIST in Gaithersburg, MD (view [[AppSec Washington 2005/Agenda|agenda and presentations]])

; Apr 2005 - [[OWASP AppSec Europe 2005|2nd OWASP AppSec Conference - Europe 2005]]
: Held at Royal Holloway University in London (view [[AppSec Europe 2005/Agenda|agenda and presentations]])

; Nov 2004 - [[OWASP AppSec NYC 2004|1st OWASP AppSec Conference - NYC 2004]]
: Held at Stevens Institute in New Jersey (view [[AppSec NYC 2004|agenda and presentations]])

==Papers==

If you're interested in presenting at a future conference, please contact OWASP at: conferences 'at' owasp.org. If you are interested in submitting a paper to the refereed papers track for the next US or European conference, please contact Frank Piessens, the OWASP Conferences Refereed Papers Chair: Frank.Piessens 'at' cs.kuleuven.ac.be

==Conference Leaders==

OWASP Conferences Chair: Dave Wichers from Aspect Security. He can be contacted at dave.wichers 'at' owasp.org

OWASP Conferences Refereed Papers Chair: Frank Piessens, KU Lueven, He can be contacted at: Frank.Piessens 'at' cs.kuleuven.ac.be

==Project Sponsors==

The OWASP Conferences project is sponsored by

[http://www.aspectsecurity.com http://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg] and
[http://www.kuleuven.be/english http://www.owasp.org/docroot/owasp/img/sponsors/kuleuven.jpg]

== OWASP Conference Sponsors ==

The OWASP AppSec Seattle 2006 Conference is sponsored by

[http://www.aspectsecurity.com http://www.owasp.org/images/3/30/100px-Aspect_Security_Logo.jpg]
[http://www.ioactive.com http://www.owasp.org/images/4/46/IOActive.gif]
[http://www.fortifysoftware.com http://www.owasp.org/images/5/5d/Fortifysoftware_lowres.JPG]
[http://www.watchfire.com/ http://www.owasp.org/images/3/3e/Watchfirelogo.gif]
[http://www.ouncelabs.com/ http://www.owasp.org/images/3/33/Ounce_labs.jpg]
[http://www.citrix.com/ http://www.owasp.org/images/6/65/Citrix_logo.gif]
[http://www.f5.com http://www.owasp.org/images/7/7e/50px-F5_50px.jpg]
[http://www.cenzic.com/ http://www.owasp.org/docroot/owasp/img/members/CenzicLogoTag4C.gif]

[[Category:OWASP AppSec Conference]]

__NOTOC__

Category:OWASP AppSec Conference

2006-10-28T14:45:24Z

Aholmes:

[http://www.owasp.org/index.php/OWASP_AppSec_Seattle_2006 http://www.owasp.org/images/c/cd/Seattle1006.gif]

==About==

The OWASP AppSec conference series is dedicated to bringing together industry, government, and security researchers to discuss the state of the art in application security. This series was launched in the U.S. in the Fall of 2004 and in Europe in the Spring of 2005. All of the presentations from our previous conferences can be downloaded from the agenda pages for each conference.

==Schedule==

OWASP holds two conferences each year, one in the U.S. and one in Europe. If you'd like to host a conference, we're always looking for great locations. Please contact Dave Wichers, the OWASP Conferences Chair at dave.wichers 'at' owasp.org.

; Oct 2007 - [[7th OWASP AppSec Conference - San Jose 2007]]
: Targeted for October - at or near the Google Campus in Mountainview, CA.

; May 2007 - [[6th OWASP AppSec Conference - Italy 2007]]
: Targeted for May - in Italy.

; Oct 2006 - [[OWASP AppSec Seattle 2006|5th OWASP AppSec Conference - Seattle 2006]]
: Held October 16th-18th - in Seattle, Washington. (view [[OWASP_AppSec_Seattle_2006/Agenda|agenda and presentations]])

; May 2006 - [[OWASP AppSec Europe 2006|4th OWASP AppSec Conference - Europe 2006]]
: Held in Leuven, Belgium (view [[AppSec Europe 2006/Agenda|agenda and presentations]])

; Oct 2005 - [[OWASP AppSec Washington 2005|3rd OWASP AppSec Conference - Washington 2005]]
: Held at NIST in Gaithersburg, MD (view [[AppSec Washington 2005/Agenda|agenda and presentations]])

; Apr 2005 - [[OWASP AppSec Europe 2005|2nd OWASP AppSec Conference - Europe 2005]]
: Held at Royal Holloway University in London (view [[AppSec Europe 2005/Agenda|agenda and presentations]])

; Nov 2004 - [[OWASP AppSec NYC 2004|1st OWASP AppSec Conference - NYC 2004]]
: Held at Stevens Institute in New Jersey (view [[AppSec NYC 2004|agenda and presentations]])

==Papers==

If you're interested in presenting at a future conference, please contact OWASP at: conferences 'at' owasp.org. If you are interested in submitting a paper to the refereed papers track for the next US or European conference, please contact Frank Piessens, the OWASP Conferences Refereed Papers Chair: Frank.Piessens 'at' cs.kuleuven.ac.be

==Conference Leaders==

OWASP Conferences Chair: Dave Wichers from Aspect Security. He can be contacted at dave.wichers 'at' owasp.org

OWASP Conferences Refereed Papers Chair: Frank Piessens, KU Lueven, He can be contacted at: Frank.Piessens 'at' cs.kuleuven.ac.be

==Project Sponsors==

The OWASP Conferences project is sponsored by

[http://www.aspectsecurity.com http://www.owasp.org/docroot/owasp/img/sponsors/aspect_logo.gif] and
[http://www.kuleuven.be/english http://www.owasp.org/docroot/owasp/img/sponsors/kuleuven.jpg]

== OWASP Conference Sponsors ==

The OWASP AppSec Seattle 2006 Conference is sponsored by

[http://www.aspectsecurity.com http://www.owasp.org/docroot/owasp/img/sponsors/aspect_logo.gif]
[http://www.ioactive.com http://www.owasp.org/images/4/46/IOActive.gif]
[http://www.fortifysoftware.com http://www.owasp.org/images/5/5d/Fortifysoftware_lowres.JPG]
[http://www.watchfire.com/ http://www.owasp.org/images/3/3e/Watchfirelogo.gif]
[http://www.ouncelabs.com/ http://www.owasp.org/images/3/33/Ounce_labs.jpg]
[http://www.citrix.com/ http://www.owasp.org/images/6/65/Citrix_logo.gif]
[http://www.f5.com http://www.owasp.org/docroot/owasp/img/sponsors/f5_50px.jpg]
[http://www.cenzic.com/ http://www.owasp.org/docroot/owasp/img/members/CenzicLogoTag4C.gif]

[[Category:OWASP AppSec Conference]]

__NOTOC__

Category:OWASP Policies

2006-10-26T18:02:18Z

Aholmes:

OWASP Policies Category Page

Newsletter:Sandbox

2006-10-17T17:57:07Z

Aholmes:

==Overview==
; Current Month: November, 2006

; Issue Number: 1

==Owasp News and Announcements==
* Autumn Of Code

==New Pages on the Wiki (or resources like for example a Pdf or PPT)==
* Monthly Newsletter

==New Owasp Projects==

==Major developments on projects==
* Pantera release
* SiteGenerator release

==Next Owasp Chapter meetings==

==Related Web App Sec news==

Newsletter:Sandbox

2006-10-17T17:56:01Z

Aholmes:

==Overview==
; Current Month: November, 2006

; Issue Number: 1

==Owasp News and Announcements==

* Autumn Of Code

==New Pages on the Wiki (or resources like for example a Pdf or PPT)==

==New Owasp Projects==

==Major developments on projects==
* Pantera release
* SiteGenerator release

==Next Owasp Chapter meetings==

==Related Web App Sec news==

Newsletter:Sandbox

2006-10-17T17:55:26Z

Aholmes:

==Overview==
; Current Month; - November, 2006

; Issue Number; - 1

==Owasp News and Announcements==

* Autumn Of Code

==New Pages on the Wiki (or resources like for example a Pdf or PPT)==

==New Owasp Projects==

==Major developments on projects==
* Pantera release
* SiteGenerator release

==Next Owasp Chapter meetings==

==Related Web App Sec news==

Newsletter:Sandbox

2006-10-17T17:54:18Z

Aholmes:

; Current Month - November, 2006

; Issue Number - 1

==Owasp News and Announcements==

==New Pages on the Wiki (or resources like for example a Pdf or PPT)==

==New Owasp Projects==

==Major developments on projects==

==Next Owasp Chapter meetings==

==Related Web App Sec news==

Category:OWASP Project

2006-10-17T15:52:18Z

Aholmes: New organization of projects

An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team.

==Active OWASP Projects==
; Release Quality Projects
* [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] - an awareness document that describes the top ten web application security vulnerabilities
* [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]] - an online training environment for hands-on learning about application security
* [[:Category:OWASP WebScarab Project|OWASP WebScarab Project]] - a tool for performing all types of security testing on web applications and web services

; Beta Status Projects
* [[:Category:OWASP CAL9000 Project|OWASP CAL9000 Project]] - a JavaScript based web application security testing suite
* [[:Category:OWASP CLASP Project|OWASP CLASP Project]] - a project focused on defining process elements that reinforce application security
* [[:Category:OWASP_LAPSE_Project|OWASP LAPSE Project]] - an Eclipse-based source static analysis tool for Java
* [[:Category:OWASP Sprajax Project|OWASP Sprajax Project]] - an open source black box security scanner used to assess the security of AJAX-enabled applications
* [[:Category:OWASP SQLiX Project|OWASP SQLiX Project]] - a project focused on the development of SQLiX, a full perl-based SQL scanner
* [[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]] - a project focused on combining automated capabilities with complete manual testing to get the best results

; Alpha Status Projects
* [[:Category:OWASP Live CD Project|OWASP Live CD Project]] - a CD containing ready to use versions of application security analysis and testing tools
* [[:Category:OWASP Orizon Project|OWASP Orizon Project]] - a project focused on the development of a flexible code review engine
* [[:Category:OWASP Risk Management Project|OWASP Risk Management Project]] - a new project focused on processes for managing application security risk

; Technology, Research and Guides
* [[:Category:OWASP AJAX Security Project|OWASP AJAX Security Guide]] - investigating the security of AJAX enabled applications
* [[:Category:OWASP Application Security Assessment Standards Project|OWASP Application Security Assessment Standards Project]] - establish a set of standards defining baseline approaches to conducting differing types/levels of application security assessment
* [[:Category:OWASP Application Security Metrics Project|OWASP Application Security Metrics Project]] - identify and provide a set of application security metrics that have been found by contributors to be effective in measuring application security
* [[:Category:OWASP AppSec FAQ Project|OWASP AppSec FAQ Project]] - an FAQ covering many application security topics
* [[:Category:OWASP Code Review Project|OWASP Code Review Project]] - a new project to capture best practices for reviewing code
* [[:Category:OWASP Guide Project|OWASP Guide Project]] - a massive document covering all aspects of web application and web service security
* [[:Category:OWASP Honeycomb Project|OWASP Honeycomb Guide]] - a comprehensive and integrated guide to the fundamental building blocks of application security
* [[:Category:OWASP Java Project|OWASP Java Research]] - a project focused on helping Java and J2EE developers build secure applications
* [[:Category:OWASP PHP Project|OWASP PHP Research]] - a project focused on helping PHP developers build secure applications
* [[:Category:OWASP Legal Project|OWASP Legal Research]] - a project focused on contracting for secure software
* [[:Category:OWASP Logging Project|OWASP Logging Guide]] - a project to define best practices for logging and log management
* [[:Category:OWASP .NET Project|OWASP .NET Research]] - a project focused on helping .NET developers build secure applications
* [[:Category:OWASP Testing Project|OWASP Testing Guide]] - a project focused on application security testing procedures and checklists
* [[:Category:OWASP Validation Project|OWASP Validation Research]] - a project that provides guidance and tools related to validation
* [[:Category:OWASP WASS Project|OWASP WASS Guide]] - a standards project to develop more concrete criteria for secure applications

[[OWASP Project Mailing Lists]]

==Proposing a new project==

To propose a new project, please send an email to owasp@owasp.org. Each project should have a roadmap page that details the current set of tasks and rough schedule. The page should be named "OWASP XXX Project Roadmap"

Category:OWASP Project Proof

2006-10-17T15:37:34Z

Aholmes:

An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team.

==Proposing a new project==

To propose a new project, please send an email to owasp@owasp.org. Each project should have a roadmap page that details the current set of tasks and rough schedule. The page should be named "OWASP XXX Project Roadmap"

==OWASP Active Projects==
; Release Quality Projects
* [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] - an awareness document that describes the top ten web application security vulnerabilities
* [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]] - an online training environment for hands-on learning about application security
* [[:Category:OWASP WebScarab Project|OWASP WebScarab Project]] - a tool for performing all types of security testing on web applications and web services

; Beta Status Projects
* [[:Category:OWASP CAL9000 Project|OWASP CAL9000 Project]] - a JavaScript based web application security testing suite
* [[:Category:OWASP CLASP Project|OWASP CLASP Project]] - a project focused on defining process elements that reinforce application security
* [[:Category:OWASP_LAPSE_Project|OWASP LAPSE Project]] - an Eclipse-based source static analysis tool for Java
* [[:Category:OWASP Sprajax Project|OWASP Sprajax Project]] - an open source black box security scanner used to assess the security of AJAX-enabled applications
* [[:Category:OWASP SQLiX Project|OWASP SQLiX Project]] - a project focused on the development of SQLiX, a full perl-based SQL scanner
* [[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]] - a project focused on combining automated capabilities with complete manual testing to get the best results

; Alpha Status Projects
* [[:Category:OWASP Live CD Project|OWASP Live CD Project]] - a CD containing ready to use versions of application security analysis and testing tools
* [[:Category:OWASP Orizon Project|OWASP Orizon Project]] - a project focused on the development of a flexible code review engine
* [[:Category:OWASP Risk Management Project|OWASP Risk Management Project]] - a new project focused on processes for managing application security risk

; Technology, Research and Guides
* [[:Category:OWASP AJAX Security Project|OWASP AJAX Security Guide]] - investigating the security of AJAX enabled applications
* [[:Category:OWASP Application Security Assessment Standards Project|OWASP Application Security Assessment Standards Project]] - establish a set of standards defining baseline approaches to conducting differing types/levels of application security assessment
* [[:Category:OWASP Application Security Metrics Project|OWASP Application Security Metrics Project]] - identify and provide a set of application security metrics that have been found by contributors to be effective in measuring application security
* [[:Category:OWASP AppSec FAQ Project|OWASP AppSec FAQ Project]] - an FAQ covering many application security topics
* [[:Category:OWASP Code Review Project|OWASP Code Review Project]] - a new project to capture best practices for reviewing code
* [[:Category:OWASP Guide Project|OWASP Guide Project]] - a massive document covering all aspects of web application and web service security
* [[:Category:OWASP Honeycomb Project|OWASP Honeycomb Guide]] - a comprehensive and integrated guide to the fundamental building blocks of application security
* [[:Category:OWASP Java Project|OWASP Java Research]] - a project focused on helping Java and J2EE developers build secure applications
* [[:Category:OWASP PHP Project|OWASP PHP Research]] - a project focused on helping PHP developers build secure applications
* [[:Category:OWASP Legal Project|OWASP Legal Research]] - a project focused on contracting for secure software
* [[:Category:OWASP Logging Project|OWASP Logging Guide]] - a project to define best practices for logging and log management
* [[:Category:OWASP .NET Project|OWASP .NET Research]] - a project focused on helping .NET developers build secure applications
* [[:Category:OWASP Testing Project|OWASP Testing Guide]] - a project focused on application security testing procedures and checklists
* [[:Category:OWASP Validation Project|OWASP Validation Research]] - a project that provides guidance and tools related to validation
* [[:Category:OWASP WASS Project|OWASP WASS Guide]] - a standards project to develop more concrete criteria for secure applications

[[OWASP Project Mailing Lists]]

Category:OWASP Project Proof

2006-10-17T15:23:57Z

Aholmes:

An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team.

==Proposing a new project==

To propose a new project, please send an email to owasp@owasp.org. Each project should have a roadmap page that details the current set of tasks and rough schedule. The page should be named "OWASP XXX Project Roadmap"

==OWASP Active Projects==
; Release Quality Projects
* [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] - an awareness document that describes the top ten web application security vulnerabilities
* [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]] - an online training environment for hands-on learning about application security
* [[:Category:OWASP WebScarab Project|OWASP WebScarab Project]] - a tool for performing all types of security testing on web applications and web services
* [[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]] - a project focused on combining automated capabilities with complete manual testing to get the best results

; Beta Status Projects
* [[:Category:OWASP CAL9000 Project|OWASP CAL9000 Project]] - a JavaScript based web application security testing suite
* [[:Category:OWASP CLASP Project|OWASP CLASP Project]] - a project focused on defining process elements that reinforce application security
* [[:Category:OWASP_LAPSE_Project|OWASP LAPSE Project]] - an Eclipse-based source static analysis tool for Java
* [[:Category:OWASP Sprajax Project|OWASP Sprajax Project]] - an open source black box security scanner used to assess the security of AJAX-enabled applications
* [[:Category:OWASP SQLiX Project|OWASP SQLiX Project]] - a project focused on the development of SQLiX, a full perl-based SQL scanner

; Alpha Status Projects
* [[:Category:OWASP Live CD Project|OWASP Live CD Project]] - a CD containing ready to use versions of application security analysis and testing tools
* [[:Category:OWASP Orizon Project|OWASP Orizon Project]] - a project focused on the development of a flexible code review engine
* [[:Category:OWASP Risk Management Project|OWASP Risk Management Project]] - a new project focused on processes for managing application security risk

; Technology, Research and Guides
* [[:Category:OWASP AJAX Security Project|OWASP AJAX Security Guide]] - investigating the security of AJAX enabled applications
* [[:Category:OWASP Application Security Assessment Standards Project|OWASP Application Security Assessment Standards Project]] - establish a set of standards defining baseline approaches to conducting differing types/levels of application security assessment
* [[:Category:OWASP Application Security Metrics Project|OWASP Application Security Metrics Project]] - identify and provide a set of application security metrics that have been found by contributors to be effective in measuring application security
* [[:Category:OWASP AppSec FAQ Project|OWASP AppSec FAQ Project]] - an FAQ covering many application security topics
* [[:Category:OWASP Code Review Project|OWASP Code Review Project]] - a new project to capture best practices for reviewing code
* [[:Category:OWASP Guide Project|OWASP Guide Project]] - a massive document covering all aspects of web application and web service security
* [[:Category:OWASP Honeycomb Project|OWASP Honeycomb Guide]] - a comprehensive and integrated guide to the fundamental building blocks of application security
* [[:Category:OWASP Java Project|OWASP Java Research]] - a project focused on helping Java and J2EE developers build secure applications
* [[:Category:OWASP PHP Project|OWASP PHP Research]] - a project focused on helping PHP developers build secure applications
* [[:Category:OWASP Legal Project|OWASP Legal Research]] - a project focused on contracting for secure software
* [[:Category:OWASP Logging Project|OWASP Logging Guide]] - a project to define best practices for logging and log management
* [[:Category:OWASP .NET Project|OWASP .NET Research]] - a project focused on helping .NET developers build secure applications
* [[:Category:OWASP Testing Project|OWASP Testing Guide]] - a project focused on application security testing procedures and checklists
* [[:Category:OWASP Validation Project|OWASP Validation Research]] - a project that provides guidance and tools related to validation
* [[:Category:OWASP WASS Project|OWASP WASS Guide]] - a standards project to develop more concrete criteria for secure applications

[[OWASP Project Mailing Lists]]

Category:OWASP Project Proof

2006-10-17T15:23:37Z

Aholmes:

An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team.

==Proposing a new project==

To propose a new project, please send an email to owasp@owasp.org. Each project should have a roadmap page that details the current set of tasks and rough schedule. The page should be named "OWASP XXX Project Roadmap"

==OWASP Active Projects==
; Release Quality Projects
* [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] - an awareness document that describes the top ten web application security vulnerabilities
* [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]] - an online training environment for hands-on learning about application security
* [[:Category:OWASP WebScarab Project|OWASP WebScarab Project]] - a tool for performing all types of security testing on web applications and web services
* [[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]] - a project focused on combining automated capabilities with complete manual testing to get the best results

; Beta Status Projects
* [[:Category:OWASP CAL9000 Project|OWASP CAL9000 Project]] - a JavaScript based web application security testing suite
* [[:Category:OWASP CLASP Project|OWASP CLASP Project]] - a project focused on defining process elements that reinforce application security
* [[:Category:OWASP_LAPSE_Project|OWASP LAPSE Project]] - an Eclipse-based source static analysis tool for Java
* [[:Category:OWASP Sprajax Project|OWASP Sprajax Project]] - an open source black box security scanner used to assess the security of AJAX-enabled applications
* [[:Category:OWASP SQLiX Project|OWASP SQLiX Project]] - a project focused on the development of SQLiX, a full perl-based SQL scanner

; Alpha Status Projects
* [[:Category:OWASP Live CD Project|OWASP Live CD Project]] - a CD containing ready to use versions of application security analysis and testing tools
* [[:Category:OWASP Orizon Project|OWASP Orizon Project]] - a project focused on the development of a flexible code review engine
* [[:Category:OWASP Risk Management Project|OWASP Risk Management Project]] - a new project focused on processes for managing application security risk

; Technology, Research and Guides
* [[:Category:OWASP AJAX Security Project|OWASP AJAX Security Guide]] - investigating the security of AJAX enabled applications
* [[:Category:OWASP Application Security Assessment Standards Project|OWASP Application Security Assessment Standards Project]] - establish a set of standards defining baseline approaches to conducting differing types/levels of application security assessment
* [[:Category:OWASP Application Security Metrics Project|OWASP Application Security Metrics Project]] - identify and provide a set of application security metrics that have been found by contributors to be effective in measuring application security
* [[:Category:OWASP AppSec FAQ Project|OWASP AppSec FAQ Project]] - an FAQ covering many application security topics
* [[:Category:OWASP Code Review Project|OWASP Code Review Project]] - a new project to capture best practices for reviewing code
* [[:Category:OWASP Guide Project|OWASP Guide Project]] - a massive document covering all aspects of web application and web service security
* [[:Category:OWASP Honeycomb Project|OWASP Honeycomb Guide]] - a comprehensive and integrated guide to the fundamental building blocks of application security
* [[:Category:OWASP Java Project|OWASP Java Research]] - a project focused on helping Java and J2EE developers build secure applications
* [[:Category:OWASP PHP Project|OWASP PHP Research]] - a project focused on helping PHP developers build secure applications
* [[:Category:OWASP Legal Project|OWASP Legal Research]] - a project focused on contracting for secure software
* [[:Category:OWASP Logging Project|OWASP Logging Guide]] - a project to define best practices for logging and log management
* [[:Category:OWASP .NET Project|OWASP .NET Research]] - a project focused on helping .NET developers build secure applications
* [[:Category:OWASP Testing Project|OWASP Testing Guide]] - a project focused on application security testing procedures and checklists
* [[:Category:OWASP Validation Research|OWASP Validation Project]] - a project that provides guidance and tools related to validation
* [[:Category:OWASP WASS Project|OWASP WASS Guide]] - a standards project to develop more concrete criteria for secure applications

[[OWASP Project Mailing Lists]]

Category:OWASP Project Proof

2006-10-17T15:22:19Z

Aholmes:

An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team.

==Proposing a new project==

To propose a new project, please send an email to owasp@owasp.org. Each project should have a roadmap page that details the current set of tasks and rough schedule. The page should be named "OWASP XXX Project Roadmap"

==OWASP Active Projects==
; Release Quality Projects
* [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] - an awareness document that describes the top ten web application security vulnerabilities
* [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]] - an online training environment for hands-on learning about application security
* [[:Category:OWASP WebScarab Project|OWASP WebScarab Project]] - a tool for performing all types of security testing on web applications and web services
* [[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]] - a project focused on combining automated capabilities with complete manual testing to get the best results

; Beta Status Projects
* [[:Category:OWASP CAL9000 Project|OWASP CAL9000 Project]] - a JavaScript based web application security testing suite
* [[:Category:OWASP CLASP Project|OWASP CLASP Project]] - a project focused on defining process elements that reinforce application security
* [[:Category:OWASP_LAPSE_Project|OWASP LAPSE Project]] - an Eclipse-based source static analysis tool for Java
* [[:Category:OWASP Sprajax Project|OWASP Sprajax Project]] - an open source black box security scanner used to assess the security of AJAX-enabled applications
* [[:Category:OWASP SQLiX Project|OWASP SQLiX Project]] - a project focused on the development of SQLiX, a full perl-based SQL scanner

; Alpha Status Projects
* [[:Category:OWASP Live CD Project|OWASP Live CD Project]] - a CD containing ready to use versions of application security analysis and testing tools
* [[:Category:OWASP Orizon Project|OWASP Orizon Project]] - a project focused on the development of a flexible code review engine
* [[:Category:OWASP Risk Management Project|OWASP Risk Management Project]] - a new project focused on processes for managing application security risk

; Technology, Research and Guides
* [[:Category:OWASP AJAX Security Project|OWASP AJAX Security Guide]] - investigating the security of AJAX enabled applications
* [[:Category:OWASP Application Security Assessment Standards Project|OWASP Application Security Assessment Standards Project]] - establish a set of standards defining baseline approaches to conducting differing types/levels of application security assessment
* [[:Category:OWASP Application Security Metrics Project|OWASP Application Security Metrics Project]] - identify and provide a set of application security metrics that have been found by contributors to be effective in measuring application security
* [[:Category:OWASP AppSec FAQ Project|OWASP AppSec FAQ Project]] - an FAQ covering many application security topics
* [[:Category:OWASP Code Review Project|OWASP Code Review Project]] - a new project to capture best practices for reviewing code
* [[:Category:OWASP Guide Project|OWASP Guide Project]] - a massive document covering all aspects of web application and web service security
* [[:Category:OWASP Honeycomb Project|OWASP Honeycomb Guide]] - a comprehensive and integrated guide to the fundamental building blocks of application security
* [[:Category:OWASP Java Project|OWASP Java Research]] - a project focused on helping Java and J2EE developers build secure applications
* [[:Category:OWASP PHP Research|OWASP PHP Project]] - a project focused on helping PHP developers build secure applications
* [[:Category:OWASP Legal Project|OWASP Legal Research]] - a project focused on contracting for secure software
* [[:Category:OWASP Logging Project|OWASP Logging Guide]] - a project to define best practices for logging and log management
* [[:Category:OWASP .NET Project|OWASP .NET Research]] - a project focused on helping .NET developers build secure applications
* [[:Category:OWASP Testing Guide|OWASP Testing Project]] - a project focused on application security testing procedures and checklists
* [[:Category:OWASP Validation Research|OWASP Validation Project]] - a project that provides guidance and tools related to validation
* [[:Category:OWASP WASS Project|OWASP WASS Guide]] - a standards project to develop more concrete criteria for secure applications

[[OWASP Project Mailing Lists]]

Category:OWASP Project Proof

2006-10-17T15:07:34Z

Aholmes:

An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team.

==Proposing a new project==

To propose a new project, please send an email to owasp@owasp.org. Each project should have a roadmap page that details the current set of tasks and rough schedule. The page should be named "OWASP XXX Project Roadmap"

==Project descriptions==

* [[:Category:OWASP AJAX Security Project|OWASP AJAX Security Project]] - investigating the security of AJAX enabled applications
* [[:Category:OWASP Application Security Assessment Standards Project|OWASP Application Security Assessment Standards Project]] - establish a set of standards defining baseline approaches to conducting differing types/levels of application security assessment
* [[:Category:OWASP Application Security Metrics Project|OWASP Application Security Metrics Project]] - identify and provide a set of application security metrics that have been found by contributors to be effective in measuring application security
* [[:Category:OWASP AppSec FAQ Project|OWASP AppSec FAQ Project]] - an FAQ covering many application security topics
* [[:Category:OWASP CAL9000 Project|OWASP CAL9000 Project]] - a JavaScript based web application security testing suite
* [[:Category:OWASP CLASP Project|OWASP CLASP Project]] - a project focused on defining process elements that reinforce application security
* [[:Category:OWASP Code Review Project|OWASP Code Review Project]] - a new project to capture best practices for reviewing code
* [[:Category:OWASP Guide Project|OWASP Guide Project]] - a massive document covering all aspects of web application and web service security
* [[:Category:OWASP Honeycomb Project|OWASP Honeycomb Project]] - a comprehensive and integrated guide to the fundamental building blocks of application security
* [[:Category:OWASP Java Project|OWASP Java Project]] - a project focused on helping Java and J2EE developers build secure applications
* [[:Category:OWASP_LAPSE_Project|OWASP LAPSE Project]] - an Eclipse-based source static analysis tool for Java
* [[:Category:OWASP Legal Project|OWASP Legal Project]] - a project focused on contracting for secure software
* [[:Category:OWASP Live CD Project|OWASP Live CD Project]] - a CD containing ready to use versions of application security analysis and testing tools
* [[:Category:OWASP Logging Project|OWASP Logging Project]] - a project to define best practices for logging and log management
* [[:Category:OWASP .NET Project|OWASP .NET Project]] - a project focused on helping .NET developers build secure applications
* [[:Category:OWASP Orizon Project|OWASP Orizon Project]] - a project focused on the development of a flexible code review engine
* [[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]] - a project focused on combining automated capabilities with complete manual testing to get the best results
* [[:Category:OWASP PHP Project|OWASP PHP Project]] - a project focused on helping PHP developers build secure applications
* [[:Category:OWASP Risk Management Project|OWASP Risk Management Project]] - a new project focused on processes for managing application security risk
* [[:Category:OWASP Sprajax Project|OWASP Sprajax Project]] - an open source black box security scanner used to assess the security of AJAX-enabled applications
* [[:Category:OWASP SQLiX Project|OWASP SQLiX Project]] - a project focused on the development of SQLiX, a full perl-based SQL scanner
* [[:Category:OWASP Testing Project|OWASP Testing Project]] - a project focused on application security testing procedures and checklists
* [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] - an awareness document that describes the top ten web application security vulnerabilities
* [[:Category:OWASP Validation Project|OWASP Validation Project]] - a project that provides guidance and tools related to validation.
* [[:Category:OWASP WASS Project|OWASP WASS Project]] - a standards project to develop more concrete criteria for secure applications
* [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]] - an online training environment for hands-on learning about application security
* [[:Category:OWASP WebScarab Project|OWASP WebScarab Project]] - a tool for performing all types of security testing on web applications and web services

[[OWASP Project Mailing Lists]]

OWASP Autumn Of Code 2006 : Selected Projects Press Release

2006-10-07T20:41:22Z

Aholmes:

For Immediate Release

'''OWASP Autumn of Code 2006'''

'''London, United Kingdom, September 29, 2006 '''

The Open Web Application Security Project (OWASP) has recently launched a new project entitled "OWASP Autumn of Code 2006” that is aimed at financially sponsoring contributions to OWASP Projects.

On the 18th of September our call for entries ended and on the 25th of September we released our list of selected projects to be sponsored. OWASP has made the decision to sponsor 9 projects (5 at $3,500 USD and 4 at $5,000 USD) instead of our originally planned number of 8. We are pleased to report about the exceptional quality of the submissions that were received and we would also like to thank everyone who took the time and effort to submit their ideas to us. It was difficult narrowing the list down to the final 9 projects chosen, and we hope those that were not sponsored will resubmit their ideas in future OWASP sponsorships.

Our congratulations to the successful winning projects and their respective OWASP Autumn of Code 2006 candidates:
: 1. [[OWASP_Autumn_of_Code_2006_-_Projects:_WebScarab_NG | WebScarab NG]] – Rogan Dawes
: 2. [[OWASP_Autumn_of_Code_2006_-_Projects:_Live_CD | Live CD]] – Joshua Perrymon
: 3. [[OWASP_Autumn_of_Code_2006_-_Projects:_CAL9000 | CAL9000]] – Chris Loomis
: 4. [[OWASP_Autumn_of_Code_2006_-_Projects:_SiteGenerator_and_ORG | SiteGenerator and ORG]] – Mike de Libero
: 5. [[OWASP_Autumn_of_Code_2006_-_Projects:_Pantera | Pantera]] – Simon Roses
: 6. [[OWASP_Autumn_of_Code_2006_-_Projects:_Web_Goat | Web Goat]] – Sherif Koussa
: 7. [[OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide | Testing Guide]] – Matteo Meucci
: 8. [[OWASP_Autumn_of_Code_2006_-_Projects:_Owasp_.Net_Tools | OWASP .NET Tools]] – Boris Maletic
: 9. [[OWASP_Autumn_of_Code_2006_-_Projects:_Website_and_Branding | OWASP Website and Branding]] – Aaron M. Holmes

Following our schedule, OWASP is now preparing for all selected projects to commence development on October 1, 2006. For more information regarding each project, including timelines and progress, please view our [[Owasp_Autumn_Of_Code_2006 | OWASP Autumn of Code 2006 Project Page]].

'''Project Schedule:'''

: 1. 31th August – 'OWASP Autumn of Code' initiative is officially launched

: 2. 18th September - Deadline for project proposals

: 3. 25th September - Publish of selected projects

: 4. 1st October - Project starts

: 5. 15th October - Update of Project status on OWASP Conference in Seattle

: 6. 15th November - Participants and to report on project status

: 7. 31st December - Project Completion

The "OWASP Autumn of Code 2006" project leader is Dinis Cruz (based in London, UK) who can be contacted for further details.

'''About OWASP '''

The Open Web Application Security Project (OWASP) is 501c3 not-for-profit foundation dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. OWASP's open source projects and local chapters produce free, unbiased, open-source documentation and tools. The OWASP community also facilitates conferences, local chapters, papers, presentations, and mailing lists. More information can be found at www.owasp.org.

'''ENDS '''

'''Contacts '''

Dinis Cruz, OWASP Autumn of Code Project Leader,

E-mail: dinis.cruz@owasp.net

Andrew van der Stock, OWASP Executive Director,

E-mail: vanderaj@owasp.org

Jeff Williams, OWASP Chair (Alternative contact for all OWASP matters),

E-mail:jeff.williams@owasp.org

Template:OWASP News

2006-10-03T14:18:52Z

Aholmes:

; '''Sep 29 - [[OWASP Autumn Of Code 2006 : Selected Projects Press Release | OWASP Autumn Of Code 2006 Projects Selected]]'''
: OWASP has completed the selection process for the OWASP Autumn of Code 2006 sponsorship program and 9 projects have been selected in total from 26 entries.

; '''Sep 26 - [http://www.infosecurityevent.com Infosecurity NY 2006 20% OWASP Discount]'''
: OWASP Members are entitled to a discount off full conference registration – a $200 savings! Conference is October 24-25 at the Jacob Javits Convention Center, NYC. [http://www.infosecurityevent.com/app/homepage.cfm?appname=100004&moduleid=0&campaignid=9294660 Register today] and provide Priority Code CD25 to receive your discount.

; '''Sep 7 - [https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf New PCI requires code review or WAF]'''
: Under the new requirements, applications processing cardholder information MUST get either a [[:Category:OWASP Code Review Project|code review]] or a [[web app firewall]]. The language isn’t exactly clear about what happens in 2008. In addition, the OWASP [[Top Ten]] must still be addressed.

; '''Aug 31 - [[OWASP Autumn Of Code 2006 : Press Release | OWASP Autumn Of Code 2006]]'''
: Today we are lauching a new project called "OWASP Autumn of Code 2006" which will sponsor individuals to work on existing OWASP Projects.

; '''Aug 31 - [http://video.google.com/videoplay?docid=941077664562737284 Dinis Cruz video interview]'''
: Dinis talks about .NET security, the future of OWASP, and the brand new [[Autumn of Code]] project.

; [[OWASP News|Older news...]]

Template:Featured article

2006-10-03T14:03:12Z

Aholmes:

[[Image:180px-OWASP_AOC_Logo.jpg|138px|left]]

'''Announcing the [[Owasp_Autumn_Of_Code_2006|OWASP Autumn of Code Project Winners]]!'''

OWASP has chosen to sponsor 9 individuals (4 at $3,500 USD and 5 at $5,000 USD), instead of our originally planned number of 8! The proposals submitted were all very well done and we would like to thank everyone who took the time to submit their ideas to us. You made it difficult for our selection jury to narrow the list down to the final 9 projects.

Congratulations to the [[OWASP_Autumn_of_Code_2006_-_Selection | successful winning projects]] and their respective OWASP Autumn of Code 2006 candidates.

Judging by the quality of responses we received, it looks like the next three months will be a very exciting time for us as we continue to pursue our goal of bringing [[Category:OWASP_Project|existing OWASP Projects]] to the level of completeness and professionalism required for wide use and deployment. Please visit the [[OWASP_Autumn_Of_Code_2006 | OWASP Autumn of Code 2006 Project Page]] for detailed information on each of our projects as well as their progress.

The submission period is now closed and our selections have been made. Thank you once again to everybody who applied for the OWASP Autumn of Code 2006 and we look forward to producing some great work with our new team members.

Template:Featured article proof

2006-09-29T14:51:11Z

Aholmes:

OWASP Autumn of Code 2006 - Projects: Website and Branding - Progress

2006-09-29T14:10:47Z

Aholmes:

[[OWASP_Autumn_of_Code_2006_-_Projects:_Website_and_Branding|Project Main Page]]

== Daily Notes ==
*Prepared news release and front page article for review
*Created project pages for AoC

OWASP Autumn Of Code 2006 : Selected Projects Press Release

2006-09-29T14:09:20Z

Aholmes:

For Immediate Release

'''OWASP Autumn of Code 2006'''

'''London, United Kingdom, September 29, 2006 '''

The Open Web Application Security Project (OWASP) has recently launched a new project entitled "OWASP Autumn of Code 2006” that is aimed at financially sponsoring contributions to OWASP Projects.

On the 18th of September our call for entries ended and on the 25th of September we released our list of selected projects to be sponsored. OWASP has made the decision to sponsor 9 projects (5 at $3,500 USD and 4 at $5,000 USD) instead of our originally planned number of 8. We are pleased to report about the exceptional quality of the submissions that were received and we would also like to thank everyone who took the time and effort to submit their ideas to us. It was difficult narrowing the list down to the final 9 projects chosen, and we hope those that were not sponsored will resubmit their ideas in future OWASP sponsorships.

Our congratulations to the successful winning projects and their respective OWASP Autumn of Code 2006 candidates:
: 1. [[OWASP_Autumn_of_Code_2006_-_Projects:_WebScarab_NG | WebScarab NG]] – Rogan
: 2. [[OWASP_Autumn_of_Code_2006_-_Projects:_Live_CD | Live CD]] – Joshua
: 3. [[OWASP_Autumn_of_Code_2006_-_Projects:_CAL9000 | CAL9000]] – Chris
: 4. [[OWASP_Autumn_of_Code_2006_-_Projects:_SiteGenerator_and_ORG | SiteGenerator and ORG]] – Mike de Libero
: 5. [[OWASP_Autumn_of_Code_2006_-_Projects:_Pantera | Pantera]] – Simon
: 6. [[OWASP_Autumn_of_Code_2006_-_Projects:_Web_Goat | Web Goat]] – Sherif
: 7. [[OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide | Testing Guide]] – Matteo
: 8. [[OWASP_Autumn_of_Code_2006_-_Projects:_Owasp_.Net_Tools | OWASP .NET Tools]] – Boris
: 9. [[OWASP_Autumn_of_Code_2006_-_Projects:_Website_and_Branding | OWASP Website and Branding]] – Aaron M. Holmes

Following our schedule, OWASP is now preparing for all selected projects to commence development on October 1, 2006. For more information regarding each project, including timelines and progress, please view our [[Owasp_Autumn_Of_Code_2006 | OWASP Autumn of Code 2006 Project Page]].

'''Project Schedule:'''

: 1. 31th August – 'OWASP Autumn of Code' initiative is officially launched

: 2. 18th September - Deadline for project proposals

: 3. 25th September - Publish of selected projects

: 4. 1st October - Project starts

: 5. 15th October - Update of Project status on OWASP Conference in Seattle

: 6. 15th November - Participants and to report on project status

: 7. 31st December - Project Completion

The "OWASP Autumn of Code 2006" project leader is Dinis Cruz (based in London, UK) who can be contacted for further details.

'''About OWASP '''

The Open Web Application Security Project (OWASP) is 501c3 not-for-profit foundation dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. OWASP's open source projects and local chapters produce free, unbiased, open-source documentation and tools. The OWASP community also facilitates conferences, local chapters, papers, presentations, and mailing lists. More information can be found at www.owasp.org.

'''ENDS '''

'''Contacts '''

Dinis Cruz, OWASP Autumn of Code Project Leader,

E-mail: dinis.cruz@owasp.net

Andrew van der Stock, OWASP Executive Director,

E-mail: vanderaj@owasp.org

Jeff Williams, OWASP Chair (Alternative contact for all OWASP matters),

E-mail:jeff.williams@owasp.org

OWASP Autumn Of Code 2006 : Selected Projects Press Release

2006-09-28T23:33:55Z

Aholmes:

For Immediate Release

'''OWASP Autumn of Code 2006'''

'''London, United Kingdom, September 29, 2006 '''

The Open Web Application Security Project (OWASP) has recently launched a new project entitled "OWASP Autumn of Code 2006” that is aimed at financially sponsoring contributions to OWASP Projects.

On the 18th of September our call for entries ended and on the 25th of September we released our list of selected projects to be sponsored. OWASP has made the decision to sponsor 9 projects (5 at $3,500 USD and 4 at $5,000 USD) instead of our originally planned number of 8. We are pleased to report about the exceptional quality of the submissions that were received and we would also like to thank everyone who took the time and effort to submit their ideas to us. It was difficult narrowing the list down to the final 9 projects chosen, and we hope those that were not sponsored will resubmit their ideas in future OWASP sponsorships.

Following our schedule, OWASP is now preparing for all selected projects to commence development on October 1, 2006. For more information regarding each project, including timelines and progress, please view our [[Owasp_Autumn_Of_Code_2006 | OWASP Autumn of Code 2006 Project Page]].

'''Project Schedule:'''

: 1. 31th August – 'OWASP Autumn of Code' initiative is officially launched

: 2. 18th September - Deadline for project proposals

: 3. 25th September - Publish of selected projects

: 4. 1st October - Project starts

: 5. 15th October - Update of Project status on OWASP Conference in Seattle

: 6. 15th November - Participants and to report on project status

: 7. 31st December - Project Completion

The "OWASP Autumn of Code 2006" project leader is Dinis Cruz (based in London, UK) who can be contacted for further details.

'''About OWASP '''

The Open Web Application Security Project (OWASP) is 501c3 not-for-profit foundation dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. OWASP's open source projects and local chapters produce free, unbiased, open-source documentation and tools. The OWASP community also facilitates conferences, local chapters, papers, presentations, and mailing lists. More information can be found at www.owasp.org.

'''ENDS '''

'''Contacts '''

Dinis Cruz, OWASP Autumn of Code Project Leader,

E-mail: dinis.cruz@owasp.net

Andrew van der Stock, OWASP Executive Director,

E-mail: vanderaj@owasp.org

Jeff Williams, OWASP Chair (Alternative contact for all OWASP matters),

E-mail:jeff.williams@owasp.org

OWASP Autumn Of Code 2006 : Selected Projects Press Release

2006-09-28T23:33:05Z

Aholmes:

For Immediate Release

'''OWASP Autumn of Code 2006'''

'''London, United Kingdom, September 29, 2006 '''

The Open Web Application Security Project (OWASP) has recently launched a new project entitled "OWASP Autumn of Code 2006” that is aimed at financially sponsoring contributions to OWASP Projects.

On the 18th of September our call for entries ended and on the 25th of September we released our list of selected projects to be sponsored. OWASP has made the decision to sponsor 9 projects (5 at $3,500 USD and 4 at $5,000 USD) instead of our originally planned number of 8. We are pleased to report about the exceptional quality of the submissions that were received and we would also like to thank everyone who took the time and effort to submit their ideas to us. It was difficult narrowing the list down to the final 9 projects chosen, and we hope those that were not sponsored will resubmit their ideas in future OWASP sponsorships.

Following our schedule, OWASP is now preparing for all selected projects to commence development on October 1, 2006. For more information regarding each project, including timelines and progress, please view our OWASP Autumn of Code 2006 Project Page.

'''Project Schedule:'''

: 1. 31th August – 'OWASP Autumn of Code' initiative is officially launched

: 2. 18th September - Deadline for project proposals

: 3. 25th September - Publish of selected projects

: 4. 1st October - Project starts

: 5. 15th October - Update of Project status on OWASP Conference in Seattle

: 6. 15th November - Participants and to report on project status

: 7. 31st December - Project Completion

The "OWASP Autumn of Code 2006" project leader is Dinis Cruz (based in London, UK) who can be contacted for further details.

'''About OWASP '''

The Open Web Application Security Project (OWASP) is 501c3 not-for-profit foundation dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. OWASP's open source projects and local chapters produce free, unbiased, open-source documentation and tools. The OWASP community also facilitates conferences, local chapters, papers, presentations, and mailing lists. More information can be found at www.owasp.org.

'''ENDS '''

'''Contacts '''

Dinis Cruz, OWASP Autumn of Code Project Leader,

E-mail: dinis.cruz@owasp.net

Andrew van der Stock, OWASP Executive Director,

E-mail: vanderaj@owasp.org

Jeff Williams, OWASP Chair (Alternative contact for all OWASP matters),

E-mail:jeff.williams@owasp.org

OWASP News

2006-09-28T23:28:19Z

Aholmes:

This page is for people to post OWASP related news items, like new releases, updates, or announcements. If the news is about application security but NOT OWASP-specific, please post it to [[Application Security News]]. This page is monitored, and particularly important stories will be copied to the front page.

Please post new items at the top of the list using the following format:

<nowiki>
; '''Mon ## - [[OWASP Project|Headline for announcement]]'''
: Details...
</nowiki>

==Stories==
; '''Sep 29 - [[OWASP Autumn Of Code 2006 : Selected Projects Press Release | OWASP Autumn Of Code 2006 Projects Selected]]'''
: OWASP has completed the selection process for the OWASP Autumn of Code 2006 sponsorship program and 9 projects have been selected in total from 26 entries.

; '''Sep 26 - [http://www.infosecurityevent.com Infosecurity NY 2006 20% OWASP Discount]'''
: OWASP Members are entitled to a discount off full conference registration – a $200 savings! Conference is October 24-25 at the Jacob Javits Convention Center, NYC. [http://www.infosecurityevent.com/app/homepage.cfm?appname=100004&moduleid=0&campaignid=9294660 Register today] and provide Priority Code CD25 to receive your discount.

; '''Sep 7 - [https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf New PCI requires code review or WAF]'''
: Under the new requirements, applications processing cardholder information MUST get either a [[:Category:OWASP Code Review Project|code review]] or a [[web app firewall]]. The language isn’t exactly clear about what happens in 2008. In addition, the OWASP [[Top Ten]] must still be addressed.

; '''Aug 31 - [[OWASP Autumn Of Code 2006 : Press Release | OWASP Autumn Of Code 2006]]'''
: Today we are lauching a new project called "OWASP Autumn of Code 2006" which will sponsor individuals to work on existing OWASP Projects.

; '''Aug 31 - [http://video.google.com/videoplay?docid=941077664562737284 Dinis Cruz video interview]'''
: Dinis talks about .NET security, the future of OWASP, and the brand new [[Autumn of Code]] project.

; '''Aug 31 - [http://www.owasp.org/index.php/Italy#Aug.2C_2006_-_Article_on_Banca_Finanza_magazine Article about OWASP on Banca Finanza magazine]'''
: Banca Finanza mag has interviewed Raoul Chiesa talking about the new risks for the on-line banking security. Raoul speaks about OWASP and web application security.

; '''Aug 14 - [http://www.iese.fraunhofer.de/download/Security-Checker-Tools-for-Web-Applications.pdf Detailed analysis of application security tools]'''
: Holger Peine of the Fraunhofer Institute compares a number of free tools (WebScarab, Paros, Burp Suite, Spike Proxy), and commercial tools (AppScan, WebInspect, Acunetix). The methodology is quite detailed and uses OWASP's WebGoat and a 'normal' web application.

; '''Aug 14 - [http://www.owasp.org/index.php/Image:Threat_modelling_of_pharming.doc When Phishing Evolves to Pharming]
: "Phishing is evolving into a new type of attack called pharming. Pharming redirects users to fraudulent websites seamlessly without any suspicious activity such as spam mail that asks a user to login at a website. This paper analyses possible vectors of pharming and creates a threat model for it with attack tree." OWASP would like to thank Cheong Kai Wee for the submission of this paper! [[:Category:OWASP_Papers|Click here]] for details on submitting your own paper to the [[:Category:OWASP_Papers|OWASP Papers Program]].

; '''Jul 31 - [[:Category:OWASP CAL9000 Project|CAL9000 v1.1 released]]'''
: The in-browser JavaScript based web app testing framework has added enhanced encode/decode functions and several bugfixes.

; '''Jul 31 - [[:Category:OWASP Honeycomb Project|Fortify donates vulnerability research to OWASP]]'''
: Announcing a new extensive classification of software security vulnerabilities created and donated by Fortify Software Inc. The full set of vulnerabilities and the research that accompanies it is available in the [[:Category:OWASP Honeycomb Project|OWASP Honeycomb Project]].

; '''Jul 11 - [[OWASP AJAX Security Project|Two part interview on Ajax with OWASP's Andrew van der Stock]]'''
: In this two part interview, Andrew discusses the key security threats facing Ajax applications and practical advice for securing them. "I expect more Ajax vulnerabilities and exploits to surface, and I expect researchers to come up with additional "new" flaws that need to be protected against."

;'''Jun 29 - [[OWASP_.NET_Project|OWASP .NET Project in now hosted at www.owasp.org]]
:Coming full circle, the OWASP .NET Project (lead by Dinis Cruz) is now hosted here at the www.owasp.org website. The objective is to consolidate all Owasp projects in one location, and to benefit from cross projects linkage. All information that was hosted at the previous www.owasp.net wiki has now been ported and in the comming weeks, more will be added.

;'''Jun 26 - [[PHP Top 5|OWASP PHP Top 5 Released]]'''
:OWASP is pleased to announce the immediate availability of OWASP [[PHP Top 5]]. The OWASP Top 5 is an education piece which provides up to date advice to PHP developers, hosters, and other PHP users. The Top 5 is produced by the [[:Category:OWASP_PHP_Project|OWASP PHP Project]].

; '''Jun 23 - [[OWASP WebScarab Project|New version of WebScarab released]]'''
: The new version has a new logo, several new features, and some bugfixes. There are better capabilities for authentication and certificates, dropping conversations, and searching results. There are plugin enhancements to the spider, session id analyzer, and fuzzer. There's also a new extension for forced browsing to obvious extensions.

'''Jun 21 - [http://sectools.org/tools2.html OWASP WebScarab Ranked 35th on Insecure.org's Top 100 Security Tools]'''
:Nmap's Fyodor asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed him to expand the list to 100 tools, and even subdivide them into categories. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. Respondents were allowed to list open source or commercial tools on any platform.

; '''Jun 20 - [http://www.amazon.com/gp/product/0471789666/sr=8-1/qid=1150819640/002-1402412-9970431 Professional pen testers rely on OWASP]'''
: [[Image:pentestbook.jpg|100px|right]] This new book is organized around the OWASP Top Ten, and goes into detail about WebScarab and WebGoat. "OWASP's WebScarab is rock solid and a must-have for any serious Web app pen tester"

; '''Jun 8 - [[:Category:OWASP CAL9000 Project|New OWASP CAL9000 Project Unveiled]]'''
: Chris Loomis has created an interesting JavaScript driven web application testing tool that allows manual requests, RSnake powered XSS verification, and many other utilities.

; '''Jun 6 - [[OWASP Java Project]]'''
: Stephen de Vries and Rohyt Belani have taken on the OWASP Java project and will be building the project roadmap shortly.

; '''Jun 3 - [[How to test session identifier strength with WebScarab]]'''
: New article shows you how to use one of the advanced features of WebScarab!

; '''Jun 1 - [http://www.uribe100.com OWASP selected in top 100 security websites]'''
: OWASP has been selected as one of the top 100 security websites. Thanks to everyone who's helped us along the way!

; '''May 26 - [[:Category:OWASP WebGoat Project|OWASP WebGoat 4.0 released]]'''
: Lots of new features, including multi-stage hands-on '''coding''' labs for [[Authorization|access control]], [[SQL injection]], and [[Cross Site Scripting|cross site scripting]].

; '''May 25 - [[:Category:OWASP CLASP Project|OWASP CLASP project launched]]'''
: Thanks to Secure Software for donating the CLASP materials to bootstrap our [[:Category:Activity|secure lifecycle]] efforts.

; '''May 23 - [[About_The_Open_Web_Application_Security_Project|OWASP 2.0 released]]'''
: OWASP is moving to the MediaWiki platform to encourage greater collaboration. We're in the process of moving over all the old content. You can still view the [http://old.owasp.org previous website].

OWASP News

2006-09-28T23:27:51Z

Aholmes:

This page is for people to post OWASP related news items, like new releases, updates, or announcements. If the news is about application security but NOT OWASP-specific, please post it to [[Application Security News]]. This page is monitored, and particularly important stories will be copied to the front page.

Please post new items at the top of the list using the following format:

<nowiki>
; '''Mon ## - [[OWASP Project|Headline for announcement]]'''
: Details...
</nowiki>

==Stories==
; '''Sep 29 - [[OWASP Autumn Of Code 2006 : Press Release | OWASP Autumn Of Code 2006 Projects Selected]]'''
: OWASP has completed the selection process for the OWASP Autumn of Code 2006 sponsorship program and 9 projects have been selected in total from 26 entries.

; '''Sep 26 - [http://www.infosecurityevent.com Infosecurity NY 2006 20% OWASP Discount]'''
: OWASP Members are entitled to a discount off full conference registration – a $200 savings! Conference is October 24-25 at the Jacob Javits Convention Center, NYC. [http://www.infosecurityevent.com/app/homepage.cfm?appname=100004&moduleid=0&campaignid=9294660 Register today] and provide Priority Code CD25 to receive your discount.

; '''Sep 7 - [https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf New PCI requires code review or WAF]'''
: Under the new requirements, applications processing cardholder information MUST get either a [[:Category:OWASP Code Review Project|code review]] or a [[web app firewall]]. The language isn’t exactly clear about what happens in 2008. In addition, the OWASP [[Top Ten]] must still be addressed.

; '''Aug 31 - [[OWASP Autumn Of Code 2006 : Press Release | OWASP Autumn Of Code 2006]]'''
: Today we are lauching a new project called "OWASP Autumn of Code 2006" which will sponsor individuals to work on existing OWASP Projects.

; '''Aug 31 - [http://video.google.com/videoplay?docid=941077664562737284 Dinis Cruz video interview]'''
: Dinis talks about .NET security, the future of OWASP, and the brand new [[Autumn of Code]] project.

; '''Aug 31 - [http://www.owasp.org/index.php/Italy#Aug.2C_2006_-_Article_on_Banca_Finanza_magazine Article about OWASP on Banca Finanza magazine]'''
: Banca Finanza mag has interviewed Raoul Chiesa talking about the new risks for the on-line banking security. Raoul speaks about OWASP and web application security.

; '''Aug 14 - [http://www.iese.fraunhofer.de/download/Security-Checker-Tools-for-Web-Applications.pdf Detailed analysis of application security tools]'''
: Holger Peine of the Fraunhofer Institute compares a number of free tools (WebScarab, Paros, Burp Suite, Spike Proxy), and commercial tools (AppScan, WebInspect, Acunetix). The methodology is quite detailed and uses OWASP's WebGoat and a 'normal' web application.

; '''Aug 14 - [http://www.owasp.org/index.php/Image:Threat_modelling_of_pharming.doc When Phishing Evolves to Pharming]
: "Phishing is evolving into a new type of attack called pharming. Pharming redirects users to fraudulent websites seamlessly without any suspicious activity such as spam mail that asks a user to login at a website. This paper analyses possible vectors of pharming and creates a threat model for it with attack tree." OWASP would like to thank Cheong Kai Wee for the submission of this paper! [[:Category:OWASP_Papers|Click here]] for details on submitting your own paper to the [[:Category:OWASP_Papers|OWASP Papers Program]].

; '''Jul 31 - [[:Category:OWASP CAL9000 Project|CAL9000 v1.1 released]]'''
: The in-browser JavaScript based web app testing framework has added enhanced encode/decode functions and several bugfixes.

; '''Jul 31 - [[:Category:OWASP Honeycomb Project|Fortify donates vulnerability research to OWASP]]'''
: Announcing a new extensive classification of software security vulnerabilities created and donated by Fortify Software Inc. The full set of vulnerabilities and the research that accompanies it is available in the [[:Category:OWASP Honeycomb Project|OWASP Honeycomb Project]].

; '''Jul 11 - [[OWASP AJAX Security Project|Two part interview on Ajax with OWASP's Andrew van der Stock]]'''
: In this two part interview, Andrew discusses the key security threats facing Ajax applications and practical advice for securing them. "I expect more Ajax vulnerabilities and exploits to surface, and I expect researchers to come up with additional "new" flaws that need to be protected against."

;'''Jun 29 - [[OWASP_.NET_Project|OWASP .NET Project in now hosted at www.owasp.org]]
:Coming full circle, the OWASP .NET Project (lead by Dinis Cruz) is now hosted here at the www.owasp.org website. The objective is to consolidate all Owasp projects in one location, and to benefit from cross projects linkage. All information that was hosted at the previous www.owasp.net wiki has now been ported and in the comming weeks, more will be added.

;'''Jun 26 - [[PHP Top 5|OWASP PHP Top 5 Released]]'''
:OWASP is pleased to announce the immediate availability of OWASP [[PHP Top 5]]. The OWASP Top 5 is an education piece which provides up to date advice to PHP developers, hosters, and other PHP users. The Top 5 is produced by the [[:Category:OWASP_PHP_Project|OWASP PHP Project]].

; '''Jun 23 - [[OWASP WebScarab Project|New version of WebScarab released]]'''
: The new version has a new logo, several new features, and some bugfixes. There are better capabilities for authentication and certificates, dropping conversations, and searching results. There are plugin enhancements to the spider, session id analyzer, and fuzzer. There's also a new extension for forced browsing to obvious extensions.

'''Jun 21 - [http://sectools.org/tools2.html OWASP WebScarab Ranked 35th on Insecure.org's Top 100 Security Tools]'''
:Nmap's Fyodor asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed him to expand the list to 100 tools, and even subdivide them into categories. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. Respondents were allowed to list open source or commercial tools on any platform.

; '''Jun 20 - [http://www.amazon.com/gp/product/0471789666/sr=8-1/qid=1150819640/002-1402412-9970431 Professional pen testers rely on OWASP]'''
: [[Image:pentestbook.jpg|100px|right]] This new book is organized around the OWASP Top Ten, and goes into detail about WebScarab and WebGoat. "OWASP's WebScarab is rock solid and a must-have for any serious Web app pen tester"

; '''Jun 8 - [[:Category:OWASP CAL9000 Project|New OWASP CAL9000 Project Unveiled]]'''
: Chris Loomis has created an interesting JavaScript driven web application testing tool that allows manual requests, RSnake powered XSS verification, and many other utilities.

; '''Jun 6 - [[OWASP Java Project]]'''
: Stephen de Vries and Rohyt Belani have taken on the OWASP Java project and will be building the project roadmap shortly.

; '''Jun 3 - [[How to test session identifier strength with WebScarab]]'''
: New article shows you how to use one of the advanced features of WebScarab!

; '''Jun 1 - [http://www.uribe100.com OWASP selected in top 100 security websites]'''
: OWASP has been selected as one of the top 100 security websites. Thanks to everyone who's helped us along the way!

; '''May 26 - [[:Category:OWASP WebGoat Project|OWASP WebGoat 4.0 released]]'''
: Lots of new features, including multi-stage hands-on '''coding''' labs for [[Authorization|access control]], [[SQL injection]], and [[Cross Site Scripting|cross site scripting]].

; '''May 25 - [[:Category:OWASP CLASP Project|OWASP CLASP project launched]]'''
: Thanks to Secure Software for donating the CLASP materials to bootstrap our [[:Category:Activity|secure lifecycle]] efforts.

; '''May 23 - [[About_The_Open_Web_Application_Security_Project|OWASP 2.0 released]]'''
: OWASP is moving to the MediaWiki platform to encourage greater collaboration. We're in the process of moving over all the old content. You can still view the [http://old.owasp.org previous website].

OWASP Autumn of Code 2006 - Projects: Website and Branding

2006-09-28T22:35:29Z

Aholmes:

'''AoC Candidate:''' Aaron M. Holmes

'''Project Coordinator:''' Jeff Williams

'''Project Progress:''' xx% Complete - [[OWASP_Autumn_of_Code_2006_-_Projects:_Website_and_Branding_-_Progress|Progress Page]]

== Background and Motivation ==

'''History Behind Project'''

The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. Our website provides information, tools and valuable resources to the community and is a cost effective medium for distributing up to date material worldwide. Given this potential it is important that we focus on providing the best possible experience for our users so that they may take advantage of all OWASP resources.

Additionally, it is important for OWASP to identify itself as a trusted and authoritative source. Our goal is to create a standard which all OWASP projects and resources must uphold, as well as to create a brand to aid in distinguishing OWASP resources from those that are available elsewhere. Our intent is to provide an identity that is immediately recognizable within the security community which also carries with it a feeling of assurance.

'''Problem to be Addressed'''

The current OWASP.org website takes advantage of the community collaboration and ease of editing features of Wiki-based websites. However, the OWASP project is successfully growing in size and quickly outgrowing its original home. There is a great opportunity here to extend the existing site to provide a greater depth of functionality for community members, better organization, and a more robust 'user experience'. During this time it will also be beneficial to decide on a new look and feel to the website which will align with the OWASP branding and identity.

'''Benefit to OWASP Members and Community'''

OWASP members will benefit by:
*Having content that is easier to navigate and locate
*Taking advantage of the OWASP brand to gain trust within their work
*Increased site functionality (to be identified)
*Increased outreach and marketing of the OWASP resources, thus attracting more eyes and recognition

== Goals and Deliverables ==

'''Plan of Approach'''

We will immediately commence updating and creating new content pages as required. Time will also be spent creating documents which will give in depth detail for all deliverables including timelines. A design brief will be prepared to ensure that all future work aligns with the branding of OWASP and to minimize the risk of creating an image that is not distinct or recognizable.

'''Deliverables'''

*Design website template
*Design print and promotional materials
*Design logos, certified OWASP logos, and other imagery
*Content updating and proofing (English)
*Prepare guidelines and standards for OWASP projects
*Prepare marketing brief discussing the identity of OWASP
*Prepare website documentation for future developers
*Develop features and functionality as identified by OWASP and community (Including web services and member only access pages)
*Audit website with the help of other projects

== Risks and Rewards ==

'''Main Risks'''

This is a large project which relies on the support and cooperation of the OWASP community. There is a risk that without proper planning time will be wasted in creating designs and materials which do not align well and do not provide for a disctinct identity.

'''Rewards of Successful Project'''

A successful project will allow OWASP to continue strong growth and gain credibility as a trusted and beneficial group. By providing a better user experience it will be easier for OWASP to gain traction with individuals and organizations that are worried about putting too much faith in 'grassroot' or 'Mickey Mouse' type communities; which are considered to be too small, not dedicated, lack focus, and are not reliable in the long-term. A professional identity for OWASP will help alleviate these concerns by providing a professional look and feel which will be instantly recognizable. This attention to detail will carry through to all resources and services provided by OWASP, and is what helps differentiate OWASP from others.

OWASP Autumn of Code 2006 - Projects: Owasp .Net Tools

2006-09-28T22:35:07Z

Aholmes:

'''AoC Candidate:''' Boris

'''Project Coordinator:''' Dinis Cruz

'''Project Progress:''' xx% Complete - [[OWASP_Autumn_of_Code_2006_-_Projects:_Owasp_.Net_Tools_-_Progress|Progress Page]]

== Background and Motivation ==

'''History Behind Project'''

'''Problem to be Addressed'''

'''Benefit to OWASP Members and Community'''

== Goals and Deliverables ==

'''Plan of Approach'''

'''Deliverables'''

== Risks and Rewards ==

'''Main Risks'''

'''Rewards of Successful Project'''

OWASP Autumn of Code 2006 - Projects: Testing Guide

2006-09-28T22:34:40Z

Aholmes:

'''AoC Candidate:''' Matteo

'''Project Coordinator:''' Eoin Keary

'''Project Progress:''' xx% Complete - [[OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide_-_Progress|Progress Page]]

== Background and Motivation ==

'''History Behind Project'''

'''Problem to be Addressed'''

'''Benefit to OWASP Members and Community'''

== Goals and Deliverables ==

'''Plan of Approach'''

'''Deliverables'''

== Risks and Rewards ==

'''Main Risks'''

'''Rewards of Successful Project'''

OWASP Autumn of Code 2006 - Projects: Web Goat

2006-09-28T22:34:17Z

Aholmes:

'''AoC Candidate:''' Sherif

'''Project Coordinator:''' Jeff Williams

'''Project Progress:''' xx% Complete - [[OWASP_Autumn_of_Code_2006_-_Projects:_Web_Goat_-_Progress|Progress Page]]

== Background and Motivation ==

'''History Behind Project'''

'''Problem to be Addressed'''

'''Benefit to OWASP Members and Community'''

== Goals and Deliverables ==

'''Plan of Approach'''

'''Deliverables'''

== Risks and Rewards ==

'''Main Risks'''

'''Rewards of Successful Project'''

OWASP Autumn of Code 2006 - Projects: Web Goat

2006-09-28T22:34:08Z

Aholmes:

'''AoC Candidate:''' Sherif

'''Project Coordinator:'''Jeff Williams

'''Project Progress:''' xx% Complete - [[OWASP_Autumn_of_Code_2006_-_Projects:_Web_Goat_-_Progress|Progress Page]]

== Background and Motivation ==

'''History Behind Project'''

'''Problem to be Addressed'''

'''Benefit to OWASP Members and Community'''

== Goals and Deliverables ==

'''Plan of Approach'''

'''Deliverables'''

== Risks and Rewards ==

'''Main Risks'''

'''Rewards of Successful Project'''

OWASP Autumn of Code 2006 - Projects: Pantera

2006-09-28T22:33:35Z

Aholmes:

'''AoC Candidate:''' Simon

'''Project Coordinator:''' Dinis Cruz

'''Project Progress:''' xx% Complete - [[OWASP_Autumn_of_Code_2006_-_Projects:_Pantera_-_Progress|Progress Page]]

== Background and Motivation ==

'''History Behind Project'''

'''Problem to be Addressed'''

'''Benefit to OWASP Members and Community'''

== Goals and Deliverables ==

'''Plan of Approach'''

'''Deliverables'''

== Risks and Rewards ==

'''Main Risks'''

'''Rewards of Successful Project'''

OWASP Autumn of Code 2006 - Projects: SiteGenerator and ORG

2006-09-28T22:33:04Z

Aholmes:

'''AoC Candidate:''' Mike de Libero

'''Project Coordinator:''' Dinis Cruz

'''Project Progress:''' xx% Complete - [[OWASP_Autumn_of_Code_2006_-_Projects:_SiteGenerator_and_ORG_-_Progress|Progress Page]]

== Background and Motivation ==

'''History Behind Project'''

'''Problem to be Addressed'''

'''Benefit to OWASP Members and Community'''

== Goals and Deliverables ==

'''Plan of Approach'''

'''Deliverables'''

== Risks and Rewards ==

'''Main Risks'''

'''Rewards of Successful Project'''

OWASP Autumn of Code 2006 - Projects: CAL9000

2006-09-28T22:32:32Z

Aholmes:

'''AoC Candidate:''' Chris

'''Project Coordinator:''' Andrew van der Stock

'''Project Progress:''' xx% Complete - [[OWASP_Autumn_of_Code_2006_-_Projects:_CAL9000_-_Progress|Progress Page]]

== Background and Motivation ==

'''History Behind Project'''

'''Problem to be Addressed'''

'''Benefit to OWASP Members and Community'''

== Goals and Deliverables ==

'''Plan of Approach'''

'''Deliverables'''

== Risks and Rewards ==

'''Main Risks'''

'''Rewards of Successful Project'''

OWASP Autumn of Code 2006 - Projects: Live CD

2006-09-28T22:32:06Z

Aholmes:

'''AoC Candidate:''' Joshua

'''Project Coordinator:''' Eoin Keary

'''Project Progress:''' xx% Complete - [[OWASP_Autumn_of_Code_2006_-_Projects:_Live_CD_-_Progress|Progress Page]]

== Background and Motivation ==

'''History Behind Project'''

'''Problem to be Addressed'''

'''Benefit to OWASP Members and Community'''

== Goals and Deliverables ==

'''Plan of Approach'''

'''Deliverables'''

== Risks and Rewards ==

'''Main Risks'''

'''Rewards of Successful Project'''