OWASP - User contributions [en]

Nashua

2019-12-10T18:45:57Z

Bil Corry: /* Local News */

{{Chapter Template|chaptername=Nashua|extra=The chapter leader is [mailto:bil.corry@owasp.org Bil Corry]
|meetupurl=https://www.meetup.com/OWASP-Nashua-Chapter/|region=United States}}

== Chapter Meetings ==

For meeting details and to RSVP, please visit [https://www.meetup.com/OWASP-Nashua-Chapter/events/264402560/ Meetup].

Everyone is welcome to join us at our chapter meetings.

[[Category:OWASP Chapter]]
[[Category:United_States]]
[[Category:New Hampshire]]

Nashua

2019-08-29T16:18:52Z

Bil Corry: Added next meeting

{{Chapter Template|chaptername=Nashua|extra=The chapter leader is [mailto:bil.corry@owasp.org Bil Corry]
|meetupurl=https://www.meetup.com/OWASP-Nashua-Chapter/|region=United States}}

== Local News ==

'''Next meeting is September 23 at 6pm.''' For details and to RSVP, please visit [https://www.meetup.com/OWASP-Nashua-Chapter/events/264402560/ Meetup].

Everyone is welcome to join us at our chapter meetings.

[[Category:OWASP Chapter]]
[[Category:United_States]]
[[Category:New Hampshire]]

Bil Corry 2019 Elect Me

2019-08-27T18:42:45Z

Bil Corry: /* Interview */

=Bil Corry=

== 2019 Election for Board of Directors, OWASP ==
[[File:Bil Corry 1.jpg|alt=Bil Corry speaking at AppSec USA 2017 Leaders Meeting|left|thumb|Bil Corry speaking at AppSec USA 2017 Leaders Meeting]]

=== Bio ===

I am a lifetime member of OWASP and I've been involved with OWASP since 2008. I am currently serving on the OWASP Compliance Committee and am the Chapter Leader of the Nashua Chapter, and have contributed to a variety of projects over the years (anyone remember the OWASP Certification project?). I've volunteered at AppSec USA, rounded up speakers for chapter meetings in Chicago and the Bay Area, hosted a Bay Area chapter meeting, helped WIA become a 2.0 Committee and have been a trainer using the OWASP Secure Coding deck.

I have contributed to the technology that underpins the “World Wide Web”, namely HTTP (RFC 7230) [https://tools.ietf.org/html/rfc7230#section-10], HTTP Cookies (RFC 6265) [https://tools.ietf.org/html/rfc6265#appendix-A], TLS (RFC 6125) [https://tools.ietf.org/html/rfc6125#section-9], and the HTML specification [https://html.spec.whatwg.org/multipage/acknowledgements.html#acknowledgements]. If you have ever used a web browser to visit a website, then you have personally benefited from my efforts. Additionally, I’ve contributed to securing the web, including my participation in OWASP and WASC [http://projects.webappsec.org/w/page/13246968/Threat%20Classification%20Authors], and contributed to the design of various browser security and privacy controls (Content Security Policy, secure cookies, secure logoff, clickjacking protection, and more) [https://pdfs.semanticscholar.org/71bb/616fd09203eb32a621d95e70e6c2885da1c3.pdf] [https://pomcor.com/whitepapers/file_sharing_security.pdf] [http://websec.github.io/unicode-security-guide/] [https://www.w3.org/2011/track-privacy/papers/Paypal.pdf].

Beyond my contributions to the web, I’ve also served on the W3C Tracking Protection Working Group [https://www.w3.org/2012/dnt-ws/], which produced the specification for the Do Not Track web header, and the European Payments Council’s Payment Security Support Group, a trade group primarily focused on payment security and payment authorization in the European market.

In my professional capacity, I spent over a decade working at a web developer before switching to information security. As a security professional, I’ve worked for the largest FinTech company in the world, PayPal, in both North America and Europe, and I’ve worked at the largest mobile chip design company in the world, Arm. At PayPal, I was responsible for application security across all product lines and subsidiaries worldwide, and for a time, I was the Information Technology Officer of the Bank, a statutory position within PayPal’s licensed banking unit based in Luxembourg. At Arm, I was responsible for the end-to-end security strategy for their connected devices products (aka IoT, internet of things) and reported two levels down from the CEO. Many people are unfamiliar with the Arm brand, however anyone using a mobile device has used an Arm product as nearly every mobile device on the planet has an Arm processor, including every Apple and Android phone and tablet.

Currently I work at a healthcare startup, Blink Health, in the role of Security Assurance, which includes application security.

=== Interview ===
[https://youtu.be/hk7S1M-RKU4 Bil Corry Video Interview]

Bil Corry 2019 Elect Me

2019-08-26T23:05:52Z

Bil Corry: Tweaks

File:Bil Corry 1.jpg

2019-08-26T22:42:46Z

Bil Corry:

Bil Corry speaking at AppSec USA 2017 Leaders Meeting

Bil Corry 2019 Elect Me

2019-08-26T22:41:23Z

Bil Corry:

=Bil Corry=

== 2019 Election for Board of Directors, OWASP ==

=== Bio ===

I am a lifetime member of OWASP and I've been involved with OWASP since 2008. I am currently serving on the OWASP Compliance Committee and am the Chapter Leader of the Nashua Chapter, and have contributed to a variety of projects over the years (anyone remember the OWASP Certification project?). I've volunteered at AppSec USA, rounded up speakers for chapter meetings in Chicago and the Bay Area, hosted a Bay Area chapter meeting, helped WIA become a 2.0 Committee and have been a trainer using the OWASP Secure Coding deck.

I have contributed to the technology that underpins the “World Wide Web”, namely HTTP (RFC 7230) [https://tools.ietf.org/html/rfc7230#section-10], HTTP Cookies (RFC 6265) [https://tools.ietf.org/html/rfc6265#appendix-A], TLS (RFC 6125) [https://tools.ietf.org/html/rfc6125#section-9], and the HTML specification [https://html.spec.whatwg.org/multipage/acknowledgements.html#acknowledgements]. If you have ever used a web browser to visit a website, then you have personally benefited from my efforts. Additionally, I’ve contributed to securing the web, including my participation in OWASP and WASC [http://projects.webappsec.org/w/page/13246968/Threat%20Classification%20Authors], and contributed to the design of various browser security and privacy controls (Content Security Policy, secure cookies, secure logoff, clickjacking protection, and more) [https://pdfs.semanticscholar.org/71bb/616fd09203eb32a621d95e70e6c2885da1c3.pdf] [https://pomcor.com/whitepapers/file_sharing_security.pdf] [http://websec.github.io/unicode-security-guide/] [https://www.w3.org/2011/track-privacy/papers/Paypal.pdf].

Beyond my contributions to the web, I’ve also served on the W3C Tracking Protection Working Group [https://www.w3.org/2012/dnt-ws/], which produced the specification for the Do Not Track web header, and the European Payments Council’s Payment Security Support Group, a trade group primarily focused on payment security and payment authorization in the European market.

In my professional capacity, I spent over a decade working at a web developer before switching to information security. As a security professional, I’ve worked for the largest FinTech company in the world, PayPal, in both North America and Europe, and I’ve worked at the largest mobile chip design company in the world, Arm. At PayPal, I was responsible for application security across all product lines and subsidiaries worldwide, and for a time, I was the Information Technology Officer of the Bank, a statutory position within PayPal’s licensed banking unit based in Luxembourg. At Arm, I was responsible for the end-to-end security strategy for their connected devices products (aka IoT, internet of things) and reported two levels down from the CEO. Many people are unfamiliar with the Arm brand, however anyone using a mobile device has used an Arm product as nearly every mobile device on the planet has an Arm processor, including every Apple and Android phone and tablet.

Currently I work at a healthcare startup, Blink Health, in the role of Security Assurance, which includes application security.

=== Why Me? ===
I've run for the Board of Directors every year since 2013 - this will be my seventh time running for a seat on the Board and yes, I'm very passionate about OWASP. I run each year because I've noticed that as OWASP has grown larger, it hasn't been growing more mature, and those growing pains show up in a myriad of ways, including an exodus of staff, unhappy members, and lack of visibility.

If elected, I would work toward helping OWASP grow and mature into a more professional organization. Please join me in moving OWASP forward by casting your vote for Bil Corry.

Bil Corry 2019 Elect Me

2019-08-26T22:31:54Z

Bil Corry: Tweaks

=== Bio ===
I am a lifetime member of OWASP and I've been involved with OWASP since 2008. I am currently serving on the OWASP Compliance Committee and am the Chapter Leader of the Nashua Chapter, and have contributed to a variety of projects over the years (anyone remember the OWASP Certification project?). I've volunteered at AppSec USA, rounded up speakers for chapter meetings in Chicago and the Bay Area, hosted a Bay Area chapter meeting, helped WIA become a 2.0 Committee and have been a trainer using the OWASP Secure Coding deck.

I have contributed to the technology that underpins the “World Wide Web”, namely HTTP (RFC 7230) [https://tools.ietf.org/html/rfc7230#section-10], HTTP Cookies (RFC 6265) [https://tools.ietf.org/html/rfc6265#appendix-A], TLS (RFC 6125) [https://tools.ietf.org/html/rfc6125#section-9], and the HTML specification [https://html.spec.whatwg.org/multipage/acknowledgements.html#acknowledgements]. If you have ever used a web browser to visit a website, then you have personally benefited from my efforts. Additionally, I’ve contributed to securing the web, including my participation in OWASP and WASC [http://projects.webappsec.org/w/page/13246968/Threat%20Classification%20Authors], and contributed to the design of various browser security and privacy controls (Content Security Policy, secure cookies, secure logoff, clickjacking protection, and more) [https://pdfs.semanticscholar.org/71bb/616fd09203eb32a621d95e70e6c2885da1c3.pdf] [https://pomcor.com/whitepapers/file_sharing_security.pdf] [http://websec.github.io/unicode-security-guide/] [https://www.w3.org/2011/track-privacy/papers/Paypal.pdf].

Beyond my contributions to the web, I’ve also served on the W3C Tracking Protection Working Group [https://www.w3.org/2012/dnt-ws/], which produced the specification for the Do Not Track web header, and the European Payments Council’s Payment Security Support Group, a trade group primarily focused on payment security and payment authorization in the European market.

In my professional capacity, I spent over a decade working at a web developer before switching to information security. As a security professional, I’ve worked for the largest FinTech company in the world, PayPal, in both North America and Europe, and I’ve worked at the largest mobile chip design company in the world, Arm. At PayPal, I was responsible for application security across all product lines and subsidiaries worldwide, and for a time, I was the Information Technology Officer of the Bank, a statutory position within PayPal’s licensed banking unit based in Luxembourg. At Arm, I was responsible for the end-to-end security strategy for their connected devices products (aka IoT, internet of things) and reported two levels down from the CEO. Many people are unfamiliar with the Arm brand, however anyone using a mobile device has used an Arm product as nearly every mobile device on the planet has an Arm processor, including every Apple and Android phone and tablet.

Currently I work at a healthcare startup, Blink Health, in the role of Security Assurance, which includes application security.

=== Why Me? ===
I've run for the Board of Directors every year since 2013 - this will be my seventh time running for a seat on the Board and yes, I'm very passionate about OWASP. I run each year because I've noticed that as OWASP has grown larger, it hasn't been growing more mature, and those growing pains show up in a myriad of ways, including an exodus of staff, unhappy members, and lack of visibility.

If elected, I would work toward helping OWASP grow and mature into a more professional organization. Please join me in moving OWASP forward by casting your vote for Bil Corry.

Bil Corry 2019 Elect Me

2019-08-26T22:19:22Z

Bil Corry:

=== Bio ===
I am a lifetime member of OWASP and I've been involved with OWASP since 2008. I am currently serving on the OWASP Compliance Committee and am the Chapter Leader of the Nashua Chapter, and have contributed to a variety of projects over the years (anyone remember the OWASP Certification project?). I've volunteered at AppSec USA, rounded up speakers for chapter meetings in Chicago and the Bay Area, hosted a Bay Area chapter meeting, helped WIA become a 2.0 Committee and have been a trainer using the OWASP Secure Coding deck.

I have contributed to the technology that underpins the “World Wide Web”, namely HTTP (RFC 7230), HTTP Cookies (RFC 6265), TLS (RFC 6125), and the HTML specification. If you have ever used a web browser to visit a website, then you have personally benefited from my efforts. Additionally, I’ve contributed to securing the web, including my participation in OWASP and WASC, and contributed to the design of various browser security and privacy controls (Content Security Policy, secure cookies, secure logoff, clickjacking protection, and more).

Beyond my contributions to the web, I’ve also served on the W3C Tracking Protection Working Group, which produced the specification for the Do Not Track web header, and the European Payments Council’s Payment Security Support Group, a trade group primarily focused on payment security and payment authorization in the European market.

In my professional capacity, I spent over a decade working at a web developer before switching to information security. As a security professional, I’ve worked for the largest FinTech company in the world, PayPal, in both North America and Europe, and I’ve worked at the largest mobile chip design company in the world, Arm. At PayPal, I was responsible for application security across all product lines and subsidiaries worldwide, and for a time, I was the Information Technology Officer of the Bank, a statutory position within PayPal’s licensed banking unit based in Luxembourg. At Arm, I was responsible for the end-to-end security strategy for their connected devices products (aka IoT, internet of things) and reported two levels down from the CEO. Many people are unfamiliar with the Arm brand, however anyone using a mobile device has used an Arm product as nearly every mobile device on the planet has an Arm processor, including every Apple and Android phone and tablet.

Currently I work at a healthcare startup, Blink Health, in the role of Security Assurance, which includes application security.

=== Why Me? ===
I've run for the Board of Directors every year since 2013 - this will be my seventh time running for a seat on the Board and yes, I'm very passionate about OWASP. I run each year because I've noticed that as OWASP has grown larger, it hasn't been growing more mature, and those growing pains show up in a myriad of ways, including an exodus of staff, unhappy members, and lack of visibility.

If elected, I would work toward helping OWASP grow and mature into a more professional organization. Please join me in moving OWASP forward by casting your vote for Bil Corry.

Bil Corry 2019 Elect Me

2019-08-26T22:12:51Z

Bil Corry: Creating page

=== Bio ===
I am a lifetime member of OWASP and I've been involved with OWASP since 2008. I am currently serving on the OWASP Compliance Committee and am the Chapter Leader of the Nashua Chapter, and have contributed to a variety of projects over the years (anyone remember the OWASP Certification project?). I've volunteered at AppSec USA, rounded up speakers for chapter meetings in Chicago and the Bay Area, hosted a Bay Area chapter meeting, helped WIA become a 2.0 Committee and have been a trainer using the OWASP Secure Coding deck.

I have contributed to the technology that underpins the “World Wide Web”, namely HTTP (RFC 7230), HTTP Cookies (RFC 6265), TLS (RFC 6125), and the HTML specification. If you have ever used a web browser to visit a website, then you have personally benefited from my efforts. Additionally, I’ve contributed to securing the web, including my participation in OWASP and WASC, and contributed to the design of various browser security and privacy controls (Content Security Policy, secure cookies, secure logoff, clickjacking protection, and more).

Beyond my contributions to the web, I’ve also served on the W3C Tracking Protection Working Group, which produced the specification for the Do Not Track web header, and the European Payments Council’s Payment Security Support Group, a trade group primarily focused on payment security and payment authorization in the European market.

In my professional capacity, I spent over a decade working at a web developer before switching to information security. As a security professional, I’ve worked for the largest FinTech company in the world, PayPal, in both North America and Europe, and I’ve worked at the largest mobile chip design company in the world, Arm. At PayPal, I was responsible for application security across all product lines and subsidiaries worldwide, and for a time, I was the Information Technology Officer of the Bank, a statutory position within PayPal’s licensed banking unit based in Luxembourg. At Arm, I was responsible for the end-to-end security strategy for their connected devices products (aka IoT, internet of things) and reported two levels down from the CEO. Many people are unfamiliar with the Arm brand, however anyone using a mobile device has used an Arm product as nearly every mobile device on the planet has an Arm processor, including every Apple and Android phone and tablet.

Currently I work at a healthcare startup, Blink Health, in the role of Security Assurance, which includes application security.

=== Why Me? ===
I've run for the Board of Directors every year since 2013 - this will be my seventh time running for a seat on the Board and yes, I'm very passionate about OWASP. I run each year because I've noticed that as OWASP has grown larger, it hasn't been growing more mature, and those growing pains show up in a myriad of ways, including an exodus of staff, unhappy members, and lack of visibility.

If elected, I would work toward helping OWASP grow and mature into a more professional organization. Please join me in moving OWASP forward by casting your vote for Bil Corry.

Nashua

2019-08-14T15:05:57Z

Bil Corry: Added New Hampshire category

{{Chapter Template|chaptername=Nashua|extra=The chapter leader is [mailto:bil.corry@owasp.org Bil Corry]
|meetupurl=https://www.meetup.com/OWASP-Nashua-Chapter/|region=United States}}

== Local News ==

'''Meeting Location'''

Everyone is welcome to join us at our chapter meetings.

[[Category:OWASP Chapter]]
[[Category:United_States]]
[[Category:New Hampshire]]

OWASP Board History

2019-08-14T03:51:26Z

Bil Corry: Added 2019 Board

The data here was compiled from the OWASP Foundation Tax Returns and official election results. Asterisked years were taken from other sources and may be incomplete.

== 2014 to Current ==

{| class="wikitable" border="1"
|-
! style="background: #0A2A29; color: white" | 2014 BoD
! style="background: #0A2A29; color: white" | 2015 BoD
! style="background: #0A2A29; color: white" | 2016 BoD
! style="background: #0A2A29; color: white" | 2017 BoD
! style="background: #0A2A29; color: white" | 2018 BoD
! style="background: #0A2A29; color: white" | 2019 BoD
|- style="background: #FE9A2E; color: black"
| Tom Brennan
| style="background: #0A2A29; color: black" |
| Tom Brennan
| Tom Brennan
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #8181F7; color: black"
| Eoin Keary
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #F7FE2E; color: black"
| Michael Coates
| Michael Coates
| Michael Coates
| Michael Coates
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #0066FF; color: black"
| Jim Manico
| Jim Manico
| Jim Manico/Jonathan Carter
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #FFCC00; color: black"
| Fabio Cerullo
| Fabio Cerullo
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #339933; color: black"
| Tobias Gondrom
| Tobias Gondrom
| Tobias Gondrom
| Tobias Gondrom
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #CC6600; color: black"
| Josh Sokol
| Josh Sokol
| Josh Sokol
| Josh Sokol
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #64FE2E; color: black"
| style="background: #0A2A29; color: black" |
| Andrew van der Stock
| Andrew van der Stock
| Andrew van der Stock
| Andrew van der Stock
| style="background: #0A2A29; color: black" |
|- style="background: #2ECCFA; color: black"
| style="background: #0A2A29; color: black" |
| Matthew Konda
| Matthew Konda
| Matthew Konda
| Matthew Konda
| style="background: #0A2A29; color: black" |
|- style="background: #FFC744; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Johanna Curiel (resigned)/Martin Knobloch
| Martin Knobloch
| Martin Knobloch
|- style="background: #FA5858; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Owen Pendlebury
| Owen Pendlebury
|- style="background: #F7FE2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Chenxi Wang
| Chenxi Wang
|- style="background: #33F6FF; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Greg Anderson (resigned)
| Ofer Maor
|- style="background: #00AAAA; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Sherif Mansour
| Sherif Mansour
|- style="background: #33FF58; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Richard Greenberg
|- style="background: #F796C5; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Gary Robinson
|}

== 2004 to 2013 ==

{| class="wikitable" border="1"
|-
! style="background: #0A2A29; color: white" | 2004 BoD*
! style="background: #0A2A29; color: white" | 2005 BoD*
! style="background: #0A2A29; color: white" | 2006 BoD*
! style="background: #0A2A29; color: white" | 2007 BoD
! style="background: #0A2A29; color: white" | 2008 BoD
! style="background: #0A2A29; color: white" | 2009 BoD
! style="background: #0A2A29; color: white" | 2010 BoD
! style="background: #0A2A29; color: white" | 2011 BoD
! style="background: #0A2A29; color: white" | 2012 BoD
! style="background: #0A2A29; color: white" | 2013 BoD
|- style="background: #64FE2E; color: black"
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #2ECCFA; color: black"
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
|- style="background: #CC2EFA; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| David Anderson
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #00FF80; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Dinis Cruz
| Dinis Cruz
| Dinis Cruz
| Dinis Cruz
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #FA5858; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
|- style="background: #FE9A2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
|- style="background: #01DF01; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Matt Tesauro
| Matt Tesauro
| Matt Tesauro
| style="background: #0A2A29; color: black" |
|- style="background: #8181F7; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Eoin Keary
| Eoin Keary
| Eoin Keary
| Eoin Keary
|- style="background: #F7FE2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Michael Coates
| Michael Coates
|- style="background: #0066FF; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Jim Manico
|}

Board

2019-08-05T11:54:12Z

Bil Corry: Changed August meeting date to August 19 (used to be August 20)

__NOTOC__

= Board Meetings =
[https://www.owasp.org/index.php/About_OWASP#OWASP_Foundation_Bylaws Bylaws] are the most important legal document of any organization. Bylaws outline in writing the day-to-day rules for your organization and provide comprehensive guidelines to keep things running smoothly. If you want to understand the business of OWASP Foundation the best way to do that would be to examine the bylaws the the [https://www.owasp.org/index.php/About_OWASP#Form_990_Documents 990 forms filed with the United States Government as a non-profit annually.]

[https://www.owasp.org/index.php/About_OWASP#OWASP_Foundation_Bylaws Global Bylaws]

== Upcoming 2019 Meetings ==
* [[August 2019 |August 19, 2019]] 11 AM US Pacific - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2019&month=8&day=19&hour=18&min=0&sec=0&p1=16&p2=919&p3=78&p4=136&p5=137&p6=676 other time zones]
* [[September 2019 |September 17, 2019]] 11 AM US Pacific - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2019&month=9&day=16&hour=18&min=0&sec=0&p1=16&p2=919&p3=78&p4=136&p5=137&p6=676 other time zones]
* [[October 2019 |October 22, 2019]] 11 AM US Pacific - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2019&month=10&day=21&hour=18&min=0&sec=0&p1=16&p2=919&p3=78&p4=136&p5=137&p6=676 other time zones]
* [[November 2019 |November 29, 2019]] 11 AM US Pacific - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2019&month=11&day=18&hour=19&min=0&sec=0&p1=16&p2=919&p3=78&p4=136&p5=137&p6=676 other time zones]
* [[December 2019 |December 24, 2019]] 11 AM US Pacific - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2019&month=12&day=23&hour=19&min=0&sec=0&p1=16&p2=919&p3=78&p4=136&p5=137&p6=676 other time zones]

All board meeting notes that include actions as a result will be tracked in a single document for all meetings [https://docs.google.com/a/owasp.org/document/d/1aPmftVZH3-G96J6-wrpynwwZhBHtREe5a7g8owVYUag/edit?usp=sharing click here]

== 2018 Elected by Membership, Global Board Members ==
[https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0ApZ9zE0hx0LNdG5uRzNYZE8ycDFabnBWNkU4SFpwREE Board Member, Meeting Attendance Tracking]

[https://www.owasp.org/index.php/OWASP_Board_History Historical Board Members by Year]
 
 
 
[[Image:Owasp_logo_icon.jpg|120 px|left]]
 
==== [[User:Knoblochmartin | Martin Knobloch]]: Chair ====

The Chairman of the Board shall serve as the principal executive officer of the Foundation.

Fiduciary responsibilities: He/She shall, in general, supervise and control all of the business and affairs of the Foundation. He/She will monitor financial planning and financial reports He/She or he may sign, with the Secretary or any other proper officer of the Foundation thereunto authorized by the Board of Directors, any deeds, mortgages, bonds, contracts, or other instruments which the Board of Directors has authorized to be executed, except in cases where the signing and execution thereof shall be expressly delegated by the Board of Directors or by these Bylaws to some other officer or agent of the Foundation, or shall be required by law to be otherwise signed or executed;

Leadership and Direction: provides leadership to the Board of Directors with regards to policy setting and strategic planning. He/She helps guide and mediate board actions with respect to organizational priorities and governance concerns, and in general shall perform all duties incident to the office of Chairman of the Board subject to the control of the Board of Directors.

Organizational Responsibilities: He/She plays a leading role in fundraising activities, formally evaluate the performance of the Foundation Director and informally evaluate the effectiveness of the board members. An annual, overall evaluation of the performance of the organization in achieving its mission will be accomplished. He or she shall, when present, preside at all meetings of the Board of Directors, unless otherwise delegated, and such other duties as may be prescribed by the Board of Directors from time to time.
 
 
[[Image:Owasp_logo_icon.jpg|120 px|left]]
 

==== [[Owen_Pendlebury_2017_Bio_%26_Why_Me%3F | Owen Pendlebury]]: Vice Chair ====

Performs Chair responsibilities when the Chair cannot be available, works closely with Chair and other Board Members, participates closely with Chair to develop and implement officer transition plans, performs other responsibilities as assigned by the Board.
 
 
 
[[Image:Owasp_logo_icon.jpg|120 px|left]]
 
==== [[Sherif_Mansour_2017_Bio_%26_Why_Me%3F | Sherif Mansour]]: Treasurer====

Treasurer manages finances of the organization, administers fiscal matters of the organization, provides annual budget to the board for member’s approval, ensures development and board review of financial policies and procedures. [[Image:Owasp_logo_icon.jpg|120 px|left]]
 
 
==== [[User:Ofer_Maor | Ofer Maor]]: Secretary ====

Maintains records of the board and ensures effective management of organization’s records, manages minutes of board meetings, ensures minutes are distributed shortly after each meeting, is sufficiently familiar with legal documents (articles, bylaws, IRS letters, etc.) to note applicability during meetings; is the custodian of the corporate records and of the seal of the Foundation and see that the seal of the Foundation is affixed to all documents, the execution of which on behalf of the Foundation under its seal is duly authorized; keeps a register of the post office address of each Director which shall be furnished to the Secretary by such Director; and, in general perform all duties incident to the office of the Secretary and such other duties as from time to time may be assigned to him by the Chairman of the Board or by the Board.
 
[[Image:Owasp_logo_icon.jpg|120 px|left]]
 
==== [[Chenxi_Wang,_Ph.D._(Forrester_Research) | Chenxi Wang, Ph.D.]]: Member at Large====
 
Regularly attends board meetings and important related meetings, volunteers for and willingly accepts assignments and completes them thoroughly and on time, stays informed about committee matters, prepares themselves well for meetings, and reviews and comments on minutes and reports, gets to know other committee members and builds a collegial working relationship that contributes to consensus, is an active participant in the committee’s annual evaluating and planning efforts, participates in fundraising for the organization. 
 
[[Image:Owasp_logo_icon.jpg|120 px|left]]

==== [[User:Richard_greenberg | Richard Greenberg]]: Member at Large ====
 Regularly attends board meetings and important related meetings, volunteers for and willingly accepts assignments and completes them thoroughly and on time, stays informed about committee matters, prepares themselves well for meetings, and reviews and comments on minutes and reports, gets to know other committee members and builds a collegial working relationship that contributes to consensus, is an active participant in the committee’s annual evaluating and planning efforts, participates in fundraising for the organization.

 
[[Image:Owasp_logo_icon.jpg|120 px|left]]
 
====[[Gary_Robinson_2018_Bio_and_Why_me | Gary Robinson]]: Member at Large ====

 
Regularly attends board meetings and important related meetings, volunteers for and willingly accepts assignments and completes them thoroughly and on time, stays informed about committee matters, prepares themselves well for meetings, and reviews and comments on minutes and reports, gets to know other committee members and builds a collegial working relationship that contributes to consensus, is an active participant in the committee’s annual evaluating and planning efforts, participates in fundraising for the organization. 

= How Meetings Operate =
'''CALL TO ORDER'''

The first order of business is for the chair to announce the call to order, along with the time. The secretary enters the time of the call to order in the minutes. After the meeting is called to order, the board chair may make welcoming remarks, ask for introductions, or read the organization’s mission and vision statements.

'''CHANGES TO THE AGENDA'''

The second order of business is for the chair to ask for changes to the agenda. Additions and deletions to the agenda will be made at this time. Having no changes, the agenda moves to approving the prior meeting’s minutes.

'''APPROVAL OF MINUTES'''

The third item on the agenda should list “Approval of Minutes” along with the date of the most recent meeting. In most cases, board members should have received a copy of the minutes prior to the meeting. If they have not contacted the secretary prior to the meeting with corrections or changes to the minutes, they have to opportunity to make them during this item on the agenda.

Board members have an ethical and legal responsibility to make sure that the recording of the minutes accurately reflect the board’s business.

'''REPORTS'''

The fourth item on the agenda is the reports. This first report should be a report from the Executive Director. This report should include a review of operations and projects. The Executive Director should give board members on overview of the business outlook including positive and negative trends, major initiatives, business updates, and other aspects of the business.

Following the Executive Director report, the Finance Director gives a report. Board members should make an effort to understand the financial reports so that they can identify potential financial threats. Understanding financial reports may also generate discussion about potential opportunities.

Subsequent reports may be given by committee chairs.

'''OLD BUSINESS'''

Items should include past business items that are unresolved, need further discussion, or require a board vote. Items may be tabled or referred to committee for further exploration.

'''NEW BUSINESS'''

Board members should have a discussion about new business items and identify a plan to take action. This may include tabling them, delaying action to a future date, or referring them to a committee.

'''COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS'''

At this point in the agenda, members may make announcements, such as offering congratulations or condolences, or make other special announcements. Any other business may be brought up at this time, for example, items that may need to be added to the next meeting’s agenda.

'''ADJOURNMENT'''

This is a formal closing of the meeting by the board chair. He should state the time that the meeting closed, so that the secretary may including it in the board minutes. The date of the next meeting should follow the adjournment item, so that board members will be reminded to put it on their calendars.

For more information about the Roberts Rules of Order see this [http://www.umecra.com/BylawsAndRules/Roberts%20Rules%20Handout.pdf CHEAT SHEET]

= Voting History =

=== Historical Votes on Motions ===
The purpose of this is to track the position on each motion as presented and how the elected official voted on the motion. This is useful for the membership to review how elected officials voted on items that effect the organization and its [https://www.owasp.org/index.php/OWASP_Foundation_ByLaws bylaws]. A motion is a request for action (budget requests, policy changes, new partnerships etc.) they can be presented by ANYONE to the board such as a member of the public, a member of the OWASP Foundation but does require a sponsor on the Board. That sponsor will present the motion to the board at least (10) working days in advance so it can be read in advance of the meeting. If appropriate a motion can be presented based to take action on the motion as written. For a vote to be called and action to be taken a second board member is required to carry the business to vote. On completion of the discussion the chairman will call for a vote to the motion YES, NO, ABSTAIN. For more details on this process try this [http://www.umecra.com/BylawsAndRules/Roberts%20Rules%20Handout.pdf CHEAT SHEET]

[https://www.owasp.org/index.php/OWASP_Board_Votes Historical Board Votes]

Note that if a motion is presented and is voted on and it is approved action will be taken to implement the motion. If the motion fails it can be resubmitted and the process starts again as if it is a new motion.

=== Attendance Tracker===
This is used to keep track that Board Members meet 75% attendance requirements as noted in section 3.03 of the organization bylaws. A meeting is logged as attended if the board member attends the entire meeting as scheduled from the call to order until it is adjourned, this includes executive session if applicable that is closed to the membership and general public for reasons related to human resources and legal issues that require it by law or for the good of the OWASP Foundation Inc. -
[https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0ApZ9zE0hx0LNdG5uRzNYZE8ycDFabnBWNkU4SFpwREE Board Meeting Attendance Tracker]

= Historical Meeting Archive =
== Archive 2019 ==
* [[July 2019 |July 16, 2019]] 11 AM US Pacific - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2019&month=7&day=15&hour=18&min=0&sec=0&p1=16&p2=919&p3=78&p4=136&p5=137&p6=676 other time zones]
* [[June 2019 |June 18, 2019]] 11 AM US Pacific - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2019&month=6&day=17&hour=18&min=0&sec=0&p1=16&p2=919&p3=78&p4=136&p5=137&p6=676 other time zones]
* [[May 2019 |May 21, 2019]] 11 AM US Pacific - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2019&month=5&day=20&hour=18&min=0&sec=0&p1=16&p2=919&p3=78&p4=136&p5=137&p6=676 other time zones]
* [[April 2019 |April 29, 2019]] 11 AM US Pacific - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2019&month=4&day=15&hour=18&min=0&sec=0&p1=16&p2=919&p3=78&p4=136&p5=137&p6=676 other time zones]
* [[March 2019 |March 18, 2019]] 11 AM US Pacific - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2019&month=3&day=18&hour=18&min=0&sec=0&p1=16&p2=919&p3=78&p4=136&p5=137&p6=676 other time zones]
* [[February 2019 |February 18, 2019]] 11 AM US Pacific - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2019&month=2&day=18&hour=19&min=0&sec=0&p1=16&p2=919& other time zones]
* [[January 2019 |January 23rd, 2019]] - 3:00 PM to 4:00 PM PST([https://www.timeanddate.com/worldclock/meetingdetails.html?year=2019&month=1&day=23&hour=23&min=0&sec=0&p1=179&p2=24&p3=16&p4=136&p5=224 time zones])

== Archive 2018 ==
* [[December 2018 |December 19th, 2018]] - 1:00 PM to 2:30 PM EST ([https://www.timeanddate.com/worldclock/meetingdetails.html?year=2018&month=12&day=19&hour=19&min=0&sec=0&p1=179&p2=24&p3=16&p4=136&p5=224 time zones])
* [[November 2018 |November 21, 2018]] - 12:00 PM to 1:30 PM EST ([https://www.timeanddate.com/worldclock/meetingdetails.html?year=2018&month=11&day=21&hour=17&min=0&sec=0&p1=179&p2=24&p3=16&p4=136&p5=224 time zones])
* [[October 2018 |October 10, 2018]] - 3:00 to 4:30 PM EDT ([https://www.timeanddate.com/worldclock/meetingdetails.html?year=2018&month=10&day=10&hour=19&min=0&sec=0&p1=179&p2=24&p3=16&p4=136&p5=224 time zones]) at AppSec USA 2018 Conference
* [[September 2018 |September 27, 2018]] - 2:00 PM to 3:30 PM EDT ([https://www.timeanddate.com/worldclock/meetingdetails.html?year=2018&month=9&day=19&hour=18&min=0&sec=0&p1=179&p2=24&p3=16&p4=136&p5=224 time zones])
* [[August 2018 |August 15, 2018]] - 1:00 PM to 2:30 PM EDT ([https://www.timeanddate.com/worldclock/meetingdetails.html?year=2018&month=8&day=15&hour=17&min=0&sec=0&p1=179&p2=24&p3=16&p4=136&p5=224 time zones])
* [[July 4th, 2018|July 4th, 2018]] - during AppSec EU 2018
* [[June_19,_2018]] - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2018&month=6&day=19&hour=18&min=0&sec=0&p1=16&p2=78&p3=136&p4=179&p5=224&p6=102&p7=236&p8=152 Click Here for Meeting Time in Your Timezone]
* [[May 15, 2018]] - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2018&month=5&day=15&hour=19&min=0&sec=0&p1=16&p2=78&p3=136&p4=179&p5=224&p6=102&p7=236&p8=152 Click Here for Meeting Time in Your Timezone]
* [[April 4, 2018]] - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2018&month=4&day=4&hour=14&min=0&sec=0&p1=16&p2=78&p3=136&p4=179&p5=224&p6=102&p7=236&p8=152 TimeZone Converter]
* [[March 7, 2018]] - 3:00pm - 4:00pm EST - [https://www.timeanddate.com/worldclock/converted.html?iso=20180307T21&p1=16&p2=16&p3=676&p4=136&p5=78&p6=179&p7=224&p8=240&p9=102 Time Converter]
* [[February 7, 2018]] - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2018&month=2&day=7&hour=20&min=0&sec=0&p1=16&p2=179&p3=78&p4=102&p5=224&p6=136&p7=152&p8=676 TimeZone Converter]
* [[January 24, 2018]], [https://www.timeanddate.com/worldclock/fixedtime.html?msg=OWASP+Board+Meeting%2C+January+24+2018&iso=20180124T19&p1=16&ah=1&am=30 TimeZone Converter]

== Archive 2017 ==
* [[December 6, 2017]], 15:00-16:30 PST - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2017&month=12&day=06&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]
* [[November 8, 2017]], 07:00-08:30 PST - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2017&month=11&day=8&hour=15&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]
*[[October 11, 2017]], 15:00 - 17:30 PDT - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2017&month=10&day=11&hour=22&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]
*[[September 19, 2017]] 15:00-17:30 PDT, in Orlando at AppSecUSA - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2017&month=9&day=19&hour=22&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]
*[[September 6, 2017]] 07:00-08:30 PDT - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2017&month=09&day=06&hour=14&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter] (Cancelled for interviews)
*[[August 9, 2017]], 16:00-17:30 PDT - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2017&month=08&day=09&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]
*[[July 5, 2017]], 07:00-08:00 PDT - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2017&month=07&day=05&hour=14&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]
*[[June 7, 2017]], 18:00-21:00 CEST - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2017&month=06&day=07&hour=16&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]
*[[May 9, 2017]], 18:00-19:30 IST, in Belfast at AppSecEU - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2017&month=5&day=9&hour=17&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]
*[[April 12, 2017]], 16:00-17:00 PDT - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2017&month=04&day=12&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter] ('''Cancelled''' [http://lists.owasp.org/pipermail/owasp-board/2017-April/017969.html Notice by Matt Konda])
*[[March 22, 2017]] 06:00-07:30 PST - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2017&month=3&day=22&hour=13&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter] - *Special Meeting to approve the 2017 Budget*
* [[March 8, 2017]], 06:00-07:30 PST - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2017&month=03&day=08&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]
* [[February 8, 2017]], 15:00-16:30 PST - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2017&month=02&day=08&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]
* [[January 11, 2017]], 14:00-15:30 PST - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2017&month=1&day=10&hour=22&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]

== Archive for 2016 Meetings ==
* [[December 14, 2016]], 15:00-16:30 PST - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=12&day=14&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]
* [[November 8, 2016]], 15:00-16:30 PST - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=11&day=09&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]
* CANCELLED - [[November 30, 2016]], 15:00-16:30 PST - placeholder only optional if needed - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=11&day=30&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]
* [[October 11, 2016]], at AppSecUSA 18:00 - 21:00 EDT - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=10&day=11&hour=22&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]
* [[September 21, 2016]] 07:00-08:30 PDT - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=09&day=21&hour=14&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]
* [[August 23, 2016]], 16:00-17:00 PDT - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=08&day=23&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]
* [[July 1, 2016]], 18:00-21:00 CEST, in Rome at AppSecEU - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=07&day=01&hour=16&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]
* [[July 27, 2016]], 07:00-08:00 PDT - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=07&day=27&hour=14&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]
* [[May 18, 2016]], 07:00-08:30 PDT - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=05&day=18&hour=14&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]
* [[April 20, 2016]], 16:00-17:00 PDT - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=04&day=20&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]
* [[March 16, 2016]], 16:00-17:00 PST - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=03&day=16&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]
* [[February 17, 2016]], 15:00-16:30 PST - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=02&day=17&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]
* [[January 13, 2016]], 16:00-17:30 PST - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=01&day=14&hour=00&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter]

== Archive for 2015 Meetings ==
* [[December 9, 2015]], 15:00-17:00 PST
* [[November 18, 2015]], 14:00-15:30 PST
* [[November 4, 2015]], 12:00-13:30 PST
* [[October 14, 2015]], 14:00-15:00 PDT
* [[September 25, 2015]] at AppSecUSA 18:00 - 20:00 PST
* [[August 12, 2015]], 16:00-17:00 PST
* [[July 22, 2015]], 14:00-15:00 PDT
* [[June 24, 2015]], 14:00-15:00 PDT
* [[May 22, 2015]], 18:00-20:00 CEST in Amsterdam @ AppSec-EU , 9:00am-11:00am PST;
* [[April 29, 2015]], 12:00-13:00 PST
* [[March 25, 2015]], 12:00-13:00 PST
* [[February 11, 2015]], 16:00-17:00 PST
* [[January 14, 2015]], 9am-10am PST

== Archive for 2014 Meetings ==
* [[December 10, 2014]], 9am-10am PST
* [[November 12, 2014]], 9am - 10am PST
* [[October 8, 2014]], 9am-10am PST
* [[September 16, 2014]], 6pm - 9pm MST, In person at Appsec USA
* [[August 13, 2014]], 9am-10am PST
* [[July 9, 2014]], 9am-10am PST
* [[June 27, 2014]], 8am - 4 pm BST, In person at AppSec Europe
* [[April 30, 2014]],9am - 12pm PST
* [[March 3, 2014]], 7am - 10am PST
* [[February 24, 2014]], 8am - 10am PST

== Archive for 2013 Meetings ==

*[[December 9, 2013]]

* December 2, 2013 - Special Board Meeting - [https://docs.google.com/spreadsheet/ccc?key=0ApZ9zE0hx0LNdGdJZ1BIaEZkc2V1QV81NmJ4dnI0R1E&usp=sharing 2014 Budget] walk through, Q & A (no meeting notes)

*[[November 22, 2013]] - In person meeting at AppSec USA - New York, NY

* November 11, 2013 - cancelled due to in person meeting on Nov. 22

*[[October 14, 2013]]

*[[September 9, 2013]]

*[[In person meeting at AppSec EU - Hamburg, Germany; August 19-24]]

* August 12, 2013 - canceled due to in person meeting on Aug 19

*[[July 8, 2013]]

*[[June 10, 2013]]

*[[May 31, 2013]]

*[[May 13, 2013]]

*[[April 8, 2013]]

*[[March 11, 2013]]

*[[February 11, 2013]]

*[[January 14, 2013]]

== Archive for 2012 Meetings ==

[https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0ApZ9zE0hx0LNdG5uRzNYZE8ycDFabnBWNkU4SFpwREE Board Meeting Attendance Tracking]

OWASP Foundation [https://www.owasp.org/images/a/ae/2012ByLawsFINAL.pdf ByLaws]

[https://www.owasp.org/index.php/Global_Committee_Pages Global Committees]

*[[January 9, 2012]]

*[[February 6, 2012]]

*[[February 15, 2012]]

*[[March 12, 2012]]

*[[April 5, 2012]]

*[[May 14,2012]]

*[[June 11, 2012]]

*[[July 11, 2012]]

*[[Aug 13, 2012]]

*[[Sept 10, 2012]]

*[[Oct 8, 2012]]

*[[Oct 24, 2012]]

*[[Nov 12, 2012]]

*[[Nov 26, 2012]] - 2013 Budget Focused

*[[Dec 10, 2012]]

*[[Dec 27, 2012]] - 2013 Budget Focused

== Archive for 2011 Meetings ==

*[[January 3, 2011]]

*[[March 7, 2011]]

*[[April_4_2011]]

*[[May_2_2011]]

*[[June 6, 2011]]

*[[July 11, 2011]]

*[[August 8, 2011]]

*[[September 6, 2011]]

*[[September 20, 2011]]

*[[September 22, 2011]]

*[[October 10, 2011]]

*[[November 14, 2011]]

*[[December 5, 2011]]

== Minutes for 2011 Meetings ==

<hr />

* [https://www.owasp.org/index.php/OWASP_Board_Votes Board Votes Historical]

<hr />

*[[Minutes January 3, 2011]]

*[[Minutes March 8, 2011]]

*[[Minutes April 4, 2011]]

*[[Minutes May 2, 2011]]

*[https://docs.google.com/a/owasp.org/document/d/1VD9ZHEwht9tmM8FKEQ6DBrtmL_gTAhSSnQhiFXYkJ7I/edit?hl=en_US&authkey=CIavkP4B June 6 2011]

*[https://docs.google.com/a/owasp.org/document/d/1VMwYrP6owtZ-SchBxUcWTIF-ITvzUX8PjUkLPwr2ipg/edit?hl=en_US&authkey=CIGTx5sD July 11 2011]

*[https://docs.google.com/a/owasp.org/document/d/1CLu9aQpS7LdeX87rJ5N9cuJ-RGGVzDWf34l6gdMml7M/edit?hl=en_US&authkey=CI-U5qEP August 8, 2011]

*[https://docs.google.com/a/owasp.org/document/d/1HM32VcvWb0hizD5_mhWMULLaouzuRgA3ZYjODRZwyAs/edit?hl=en_US September 6, 2011]

*[https://docs.google.com/a/owasp.org/document/d/1Y-8tZisUZM5ZKP8AxJqvkiNtFanVFM0m--bMG2PZ3ww/edit October 10, 2011]

*[https://docs.google.com/a/owasp.org/document/d/13-aHX2pSUXjCP8ivsbls6u1VX1BVSYewyMUH8LI7zpQ/edit November 14, 2011]

== Archive for 2010 Meetings ==
*[[January 5, 2010]]

*[[February 2, 2010]]

*[[March 2, 2010]] Postponed until March 9, 2010

*[[April 6, 2010]]

*[[May 4, 2010]]

*[[June 7, 2010]]

*[[July 12, 2010]]

*[[August 2, 2010]]

*[[September 8, 2010]]

*[[October 11, 2010]]

*[[November 9, 2010]]

*[[December_6_2010]]

== Archive of 2010 Meetings ==

*[[Jan 5, 2010]]

*[[Feb 2, 2010]]

*[[March 2, 2010]]

*[[Minutes April 6, 2010]]

*[[Minutes May 11, 2010]]

*[[Minutes June 7, 2010]]

*[[Minutes July 12, 2010]]

*[[Minutes October 11, 2010]]

*[[Minutes November 9, 2010]]

*[[Minutes_December_6,_2010]]

*[[OWASP Board Meetings January Agenda]]
*[[OWASP Board Meetings February Agenda]]
*[[OWASP Board Meetings March Agenda]]
*[[OWASP Board Meetings April09 Agenda]]
*[[OWASP Board Meetings May09 Agenda]]
*[[OWASP Board Meetings June 09 Agenda]]
*[[OWASP Board Meeting July 7, 2009 Agenda]]
*[[OWASP Board Meeting August 4, 2009 Agenda]]
*[[OWASP Board Meeting September 1, 2009 Agenda]]
*[[OWASP Board Meeting October 6, 2009 Agenda]]
*[[OWASP Board Meeting November 10, 2009 Agenda]]
*[[OWASP Board Meeting December 1, 2009 Agenda]]

== Archive of 2009 Meetings ==
* [[OWASP Board Meetings 01-06-09]]
* [[OWASP Board Meetings 02-03-09]]
* [[OWASP Board Meetings 03-10-09]]
* [[OWASP Board Meetings April 09]]
* [[OWASP Board Meetings May 09]]
* [[OWASP Board Meetings June 09]]
* [[OWASP Board Meeting July 09]]
* [[OWASP Board Meeting August 09]]
* [[OWASP Board Meeting September 09]]
* [[OWASP Board Meeting October 09]]
* [[OWASP Board Meeting December 09]]

== Archive for 2008 Meetings ==
*[[OWASP Board Meetings March Agenda]]
*[[OWASP Board Meetings April Agenda]]
*[[OWASP Board Meetings May Agenda]]
*[[OWASP Board Meetings June Agenda]]
*[[OWASP Board Meetings July Agenda]]
*[[OWASP Board Meetings August Agenda]]
*[[OWASP Board Meetings September Agenda]]
*[[OWASP Board Meetings October Agenda]]
*[[OWASP Board Meetings December Agenda]]

== Archive of 2008 Meetings ==
* [[OWASP Board Meetings 2-7-08]]
* [[OWASP Board Meetings 3-6-08]]
* [[OWASP Board Meetings 5-6-08]]
* [[OWASP Board Meetings 6-3-08]]
* [[OWASP Board Meetings 8-14-08]]
* [[OWASP Board Meetings 9-2-08]]
* [[Owasp Board Meetings 10-07-08]]
* [[Owasp Board Meetings 11-07-08]]
* [[Owasp Board Meetings 12-02-08]]

= Board Election Archive =

All elected officers are required to [https://docs.google.com/document/d/10zBT6oY2Q3B6kr6r7DGl3Cc0f5rGmQ0Slc6RYvbxmus/edit review sign and return] the following document before starting their term in office to the then current board Secretary

[https://www.owasp.org/index.php/OWASP_Board_History OWASP Board History]

===2017 Election===
[https://www.owasp.org/index.php/2017_Global_Board_of_Directors_Election 2017 Board Election]
=== 2016 Election ===
[https://www.owasp.org/index.php/2016_Global_Board_of_Directors_Election 2016 Board Election]
=== 2015 Election ===
[https://www.owasp.org/index.php/2015_Global_Board_of_Directors_Election 2015 Board Election]
=== 2014 Election ===
[https://www.owasp.org/index.php/2014_Board_Elections 2014 Board Election]
=== 2013 Election ===
[https://www.owasp.org/index.php/2013_Board_Elections 2013 Board Election]
=== 2012 Election ===
[https://www.owasp.org/index.php/Membership/2012_Election 2012 Board Election]
=== 2011 Election ===
[https://www.owasp.org/index.php/Membership/2011Election 2011 Board Election]
=== 2009 Election ===
[https://www.owasp.org/index.php/Board_Election_2009 2009 Board Election]

=== Past OWASP Boards ===

[[Board-2018]]

[[Board-2017]]

[[Board-2016]]

[[Board-2015]]

[[Board-2014]]

[[Board-2013]]

[[Board-2012]]

[[Board-2011]]

= Misc. =

* Teleconference Information: **CHECK MEETING INFORMATION**

* [https://www.owasp.org/index.php/International_Toll_Free_Calling_Information International Toll Free Calling Info]

* Meeting Template found [https://www.owasp.org/index.php/Board-Meeting-template here]

<headertabs> </headertabs>

September 2019

2019-07-22T22:02:21Z

Bil Corry: Changed meeting from 9/16 to 9/17 as per Richard Greenberg. https://groups.google.com/a/owasp.org/d/msg/global-board/HzArZtET2a8/hSQYBaUvDgAJ

Meeting Date:
Sept 17

Meeting Time:
11 AM US Pacific - [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2019&month=9&day=16&hour=18&min=0&sec=0&p1=16&p2=919&p3=78&p4=136&p5=137&p6=676 other time zones]

Meeting Location:
Remote

Virtual:
[https://zoom.us/j/282821949 Zoom Meeting Link] Meeting ID: 282 821 949 - [https://zoom.us/u/kvUg3969 local dial in numbers]

AGENDA

CALL TO ORDER

CHANGES TO THE AGENDA

APPROVAL OF MINUTES

REPORTS

OLD BUSINESS

NEW BUSINESS

COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS

ADJOURNMENT

===

==Old Business==
All active board proposals are listed [https://drive.google.com/folderview?id=0BxSfMVkfLvslVXdvUFV3NkxucWc&usp=sharing here]

==New Business==
All active board proposals are listed [https://drive.google.com/folderview?id=0BxSfMVkfLvslVXdvUFV3NkxucWc&usp=sharing here]

Governance/Whistleblower Policy

2018-09-28T06:33:47Z

Bil Corry: Richard resigned from the Compliance Committee, so it's just Fiona and Bil. Wiki updated to reflect that.

=OWASP Whistleblower & Anti-Retaliation Policy=

[https://docs.google.com/document/d/11vq24AtvKIxUORyNw3EvFSUwQW9oFAD2cr1Ek_oybK0/edit?usp=sharing Google Doc for Printing]

The OWASP Foundation requires board members, employees, and volunteers to observe high standards of business and personal ethics in the conduct of their duties and responsibilities. As employees and representatives of the OWASP Foundation, we must practice honesty and integrity in fulfilling our responsibilities and comply with all applicable laws and regulations. The purpose of this policy is to encourage any concerned parties to come forward with credible information on illegal practices or violations of adopted policies of the organization. The policy specifies that the organization will protect the individual from retaliation and identifies the appropriate procedure(s) for reporting these issues.

==I. Reporting Responsibility==

This Whistleblower Policy is intended to encourage and enable employees and others to raise serious concerns internally so that the OWASP Foundation can address and correct inappropriate conduct and actions. It is the responsibility of all board members, employees and volunteers to report concerns about violations of the OWASP Foundation’s code of ethics or suspected violations of law or regulations that govern the OWASP Foundation’s operations.

==II. No Retaliation==

It is contrary to the values of the OWASP Foundation for anyone to retaliate against any board member, employee, or volunteer who in good faith reports an ethics violation, or a suspected violation of law, such as a complaint of discrimination, or suspected fraud, or suspected violation of any regulation governing the operations of the OWASP Foundation. Anyone who retaliates against someone who has reported a violation in good faith is subject to discipline up to and including termination of employment, removal from office, and revocation of membership.

==III. Initiating an Informal Complaint==

A. Employees

The OWASP Foundation has an open door policy and suggests that employees share their questions, concerns, suggestions or complaints with their supervisor. If they are not comfortable speaking with their supervisor or are not satisfied with their supervisor’s response, they are encouraged to speak with OWASP’s Executive Director, a member of the OWASP Board of Directors, or the appointed Compliance Officer. This person will then serve as their point-of-contact during the Whistleblower process, as well as the person responsible for capturing and archiving all related evidence, unless a conflict of interest is identified. If a conflict of interest is identified, the point-of-contact will defer responsibility to either the Chairman of the Board or the Compliance Officer.

B. Non-Employees

The same open door policy that applies to OWASP Foundation employees also applies to board members and volunteers. All individuals are encouraged to share questions, concerns, suggestions, or complaints with OWASP’s Executive Director, a member of the OWASP Board of Directors, or the appointed Compliance Officer. This person will then serve as their point-of-contact during the Whistleblower process, as well as the person responsible for capturing and archiving all related evidence, unless a conflict of interest is identified. If a conflict of interest is identified, the point-of-contact will defer responsibility to either the Chairman of the Board or the Compliance Officer.

==IV. Commitment to Peaceful Conflict Resolution==

The OWASP Foundation recognizes that conflict between contributors participating in such a diverse community will happen from time to time. Our commitment is to attempt to prevent or resolve conflict before it escalates to the point of a formal complaint. Thus, if both parties agree, we will appoint either a neutral internal mediator (approved by both parties) or a neutral third-party mediator to help the parties reach a peaceful resolution. We strongly encourage all board members, employees, and volunteers to attempt mediation as a means for conflict resolution prior to submitting a formal complaint as outlined below.

==V. Initiating a Formal Complaint==

At any point in time, an OWASP Foundation board member, employee, or volunteer may choose to file a formal complaint regarding the ethical or legal violations of another member of our community. This complaint must be submitted in writing (non-verbal) to the OWASP Foundation Compliance Committee [[Governance/Whistleblower_Policy#XI._Contact| email]]. A valid complaint must include all background information necessary to evaluate the request, a list of each ethical or legal violation, as well as all evidence to support the claims. Upon submission, the Compliance Committee will evaluate that the complaint is valid and will respond back that either the complaint has been accepted, or it is lacking information necessary to properly evaluate (specifying what it is lacking).

Once a complaint has been determined as valid, the complainant is asked to cease direct contact with the individual whom they are making the complaint against. Attempts to facilitate direct contact, especially regarding the complaint in question, may result in the complaint being dismissed by the Compliance Officer. At this time, we also ask that the complainant refrain from speaking on the matter with anyone other than the Compliance Officer, in order to ensure the utmost amount of confidentiality and integrity on the matter. Disregarding this request may also result in the complaint being dismissed by the Compliance Officer. The Compliance Officer will notify the OWASP Foundation Board of Directors that a formal complaint has been filed, the date it was filed, the complainant’s name, and the party or parties named in the complaint.

==VI. Investigating a Formal Complaint==

After the Compliance Officer has determined that a complaint is valid, and has notified the OWASP Foundation Board of Directors as outlined above, they will initiate an investigation into the complaint. At this stage, the Compliance Officer, or their designee, will perform an interview of the complainant and any witnesses to the events alleged in the complaint. Additionally, the Compliance Officer will provide the subject of the complaint with a summary of the complaint against them (not an actual copy of the complaint) and allow them sufficient time to prepare for an interview with the Compliance Officer, or their designee. All interviews will be conducted either in a written question and answer format or recorded in an audio format in order to preserve evidence and ensure the objectivity and integrity of the investigation. All individuals involved in the investigation are expected to maintain confidentiality to the extent possible consistent with the need to conduct an adequate investigation, and will refrain from speaking or posting publicly about the complaint or the investigation.

==VII. Concluding an Investigation==

Once the Compliance Officer is satisfied that they have spoken to all concerned parties, and feels that they have enough information necessary to make a recommendation, they will begin to create a final report noting the allegations, the actors involved, their determination as to the veracity of the allegations, any remedial actions recommended, and any rationale for their determinations. Once complete, the final report will be provided to the complainant, the subject of the complaint, and any actors, individually, involved in order to allow them the opportunity to comment on the final report, which will not affect the final determination. They will be given 72 hours to respond, at which point, all responses will be aggregated alongside the final report, and any evidence collected during the investigation, and provided to the Executive Director and the OWASP Foundation Board of Directors by the Compliance Officer. At this point, the investigation can be considered closed.

==VIII. Determination by the Board==

Once the OWASP Foundation Board of Directors receives the final report, actor comments, and supporting evidence, they will require sufficient time to review and discuss all aspects of the situation and investigation. They should strongly consider the recommendations of the Compliance Officer, but are by no means required to follow them. From here, the standard OWASP Foundation process for Board of Director proposals and voting will apply except that any Director named in the complaint will not be allowed to vote. Once an outcome has been agreed to, a formal decision will be written up and made public, via a post on the OWASP Blog and the OWASP Leaders List, within two weeks of the vote, along with the report provided by the Compliance Officer. Appropriate corrective action will be taken if warranted by the investigation.

==IX. Compliance Officer==

The OWASP Foundation’s Compliance Officer is responsible for ensuring that all complaints about unethical or illegal conduct are investigated and resolved. The Compliance Officer will advise the Board of Directors on all complaints and their resolution and will report at least annually on any compliance activity relating to accounting or alleged financial improprieties. The Compliance Officer is empowered to conduct their investigations in isolation of the Board in order to maintain independence, but are free to involve members of the Board as necessary. It is solely the Compliance Officer’s charge to determine whether or not a complaint can be considered valid for investigation though any individual may submit a complaint as noted above.

The Compliance Officer shall immediately notify the Board of Directors and Executive Director of any concerns or complaint regarding corporate accounting practices, internal controls or auditing and work with the committee until the matter is resolved.

A Compliance Officer shall be identified by the Board of Directors and approved by a unanimous vote by January 1 of each year. A member of the OWASP Board of Directors may not also serve as the Compliance Officer during their tenure on the Board. If the Board of Directors is not able to unanimously agree on the Compliance Officer, a neutral, third-party executive ombuds services will be contracted to serve in this role.

'''The current Compliance Officers are:''' '''Fiona Collins and Bil Corry'''

==X. Confidentiality==

Violations or suspected violations may be submitted on a confidential basis by the complainant. Reports of violations or suspected violations will be kept confidential to the extent possible, consistent with the need to conduct an adequate investigation.

==XI. Contact ==
The Complaint / Whistleblower committee's email address is: compliance '@' owasp.org

Bil Corry 2018 Bio and Why me

2018-09-19T15:25:21Z

Bil Corry:

=== Bio ===
I am a lifetime member of OWASP and I've been involved with OWASP since 2008. I'm currently serving on the OWASP Compliance Committee, and have contributed to a variety of projects over the years (anyone remember the OWASP Certification project?). I've volunteered at AppSec USA, rounded up speakers for chapter meetings in Chicago and the Bay Area, hosted a Bay Area chapter meeting, helped WIA become a 2.0 Committee and have been a trainer using the OWASP Secure Coding deck. You might have also seen me at W3C, IETF, and WASC (cookie specification, content security policy, WASC Threat Classification, etc). Professionally, I worked as a web application developer for more than a decade before moving into security full time.

=== Why Me? ===
I've run for the Board of Directors every year since 2013 - this will be my sixth time running for a seat on the Board. I run each year because I've noticed that as OWASP has grown larger, it hasn't been growing more mature, and those growing pains show up in a myriad of ways, including an exodus of staff, unhappy members, and lack of visibility.

I believe OWASP is at a crossroads - it can either retain it's semi-informal structure, with a small dedicated staff, and keep doing business as usual, or it can plan for a more professional organization with a larger dedicated staff and more formal rules and processes.

If elected, I would work toward the latter, helping OWASP grow and mature into a more professional organization. Please join me in moving OWASP forward by casting your vote for Bil Corry.

2018 Global Board of Directors Election

2018-09-10T21:46:19Z

Bil Corry: Added candidates as per https://twitter.com/owasp/status/1039250386203365376 with candidates sorted in alpha order by last name.

The OWASP Foundation was established in 2001 as an open community and software security resource. Since then, OWASP has grown to be globally recognized as a credible source for application security standards (see industry citations). Individuals typically find OWASP when searching the internet for information about software security - and they are happy to find a reliable source of knowledge built by an extremely open and passionate community. OWASP is open to anyone. Anyone can attend OWASP's vendor agnostic local chapter meetings, participate in regional and global conferences, and contribute to the many OWASP projects. And anyone can start a new project, form a new chapter, or lend their expertise to help an OWASP Global Committee.

The OWASP Foundation Board of Directors currently consists of seven elected volunteers. These unpaid volunteers dedicate themselves to the organizational mission and playing a pivotal role in the software security community. OWASP conducts democratic elections of its Board Members to enable bottom-up advancement of its mission.

=== About the OWASP Foundation ===
* [[About OWASP]]
* Read the [[OWASP Foundation ByLaws]]
* Review the [[OWASP Board Meetings]] Monthly Board meetings, voting history and topics

=== '''Election Timeline'''===

# Notify the 3 current board member(s) whose term is up - July 17, 2018
# Call for Candidates Opens - July 19, 2018 [https://owasp.submittable.com/submit/120825/call-for-candidates-owasp-global-board-of-directors-election-2018 '''SUBMIT HERE''']
# Honorary Membership Self Nomination - Open year round [https://www.owasp.org/index.php/2017_Honorary_Membership '''SUBMIT HERE''']
# Submission for Questions From the Community for the Candidate Interviews - Opens July 19, 2018 [https://github.com/OWASP-Foundation/Board-Election-Call-for-Questions/issues/1 '''SUBMIT HERE''']
# Email Reminder Call For Candidates - July 30, 2018
# Email Reminder Honorary Membership - July 30, 2018
# Email Reminder Call For Candidates - August 8, 2018
# Email Reminder Honorary Membership - August 8, 2018
# Email Reminder Call for Questions from the Community - August 8, 2018
# Email Reminder Call For Candidates - August 20, 2018
# Email Reminder Honorary Membership - August 20, 2018
# Email Reminder Call for Questions from the Community - August 20, 2018
# Email Reminder Call For Candidates - August 29, 2018
# Email Reminder Honorary Membership - August 29, 2018
# Email Reminder Call for Questions from the Community - August 29, 2018
# Deadline for Call for Candidates Closes - August 31, 2018
# Deadline for Questions from the Community - August 31, 2018
# Verification of candidates - September 1 to September 8, 2018
# Candidates announced via email and social media - September 10, 2018
# The 6-7 top questions from the community will be selected & shared with Candidates - September 10, 2018
# Scheduling of group interviews - September 10 to September 14, 2018
# Group interviews will be held - September 14 to 21
# Deadline for interview recordings to be completed - September 21, 2018
# Recordings posted on the election wiki page - On or before September 30, 2018
# Email/Social Media notifying the community the recordings are posted - On or before September 30, 2018
# Paid Membership Deadline - September 30, 2018
# Voting opens - October 8
# Voting closes - November 8
# Results shared with all candidates - November 9, 2018 (morning per US Eastern time)
# Results shared via email and social media - November 9, 2018 (evening per US Eastern time) 

=== '''Global Board of Directors Primary Responsibilities''' ===

The OWASP Foundation Board of Directors currently consists of seven elected volunteers who serve a [[OWASP Foundation ByLaws|two year term]]. These unpaid volunteers dedicate themselves to the organizational mission and playing a pivotal role in the software security community. Members of the Global Board of Directors are responsible for setting the strategic direction of the organization and ensuring the financial integrity of the Foundation.

Detailed information on meeting requirements, roles and responsibilities within the board, term limits, and elections is found in the [https://www.owasp.org/index.php/OWASP_Foundation_ByLaws OWASP Foundation bylaws]. The Board of Directors Code of Conduct and details of the orientation and on-boarding process are found on our [[Governance|Governance page]].

Please reach out to our [[About The Open Web Application Security Project|current Board Members]] if you'd like additional information on what it's like to be a Global Board member at the OWASP Foundation.

Additional Responsibilities that the International Board of Directors must adhere to can be found [[Governance|on the Foundation Governance page]]

'''[[OWASP Board History|Board History]]'''

=== '''Eligibility Requirements for Board Candidates''' ===
You need to be an OWASP individual paid [https://docs.google.com/spreadsheets/d/1ixfWQ7j24lS9Teq9wPUA4-DtgxpMMT5YBJhWFd0JnoM/edit?usp=sharing member] in good standing for a twelve (12) month period of time prior to September 30, 2018. Candidates are required to create a wiki page that includes: a bio, current membership status, a brief description of why you feel you are the best candidate, and why you would like to be elected. You will be contacted on September 4, 2018 to schedule a group audio interview. If you are interesting in running for a seat on the OWASP Global Board please submit your intention along with the requirements listed above. All submissions will be reviewed and verified by OWASP. '''The Call for Candidates is opened on July 18, 2018.''' [https://owasp.submittable.com/submit/120825/call-for-candidates-owasp-global-board-of-directors-election-2018 '''SUBMIT HERE''']

If you have submitted and want to review or update your submission, instructions are available [https://docs.google.com/document/d/1NUMwpqI1AWit1yhURJoexR0vyq9blZIN-Ahpq-hOxzQ/edit here].

=== '''Meet the Candidates and listen to their interviews''' ===
''Links to the interviews will be posted here on or before September 30, 2018''

''3 seats are open for this election''

* Bil Corry
* Richard Greenberg
* Martin Knobloch
* Kishore Kumar
* Ofer Maor
* Gary Robinson
* Simon Whittaker

=== '''Results''' ===
Will be posted here after the election closes on November 9, 2018

==='''Call for Questions'''===
The 2018 Global Board of Directors election will start accepting questions for the candidates on July 19, 2018. If you are interested in helping lead a global community that strives on making the world a safer place, then please consider submitting question for the candidates for the OWASP Global Board of Directors.

From September 12 to 21, all individuals who submitted a candidacy will be interviewed, and asked a series of questions about why they feel they should be elected. The questions they are asked come from you! We will take the top 6-7 questions and those will be the questions used during the candidate interviews. You may submit your own question(s) and/or give a "thumbs up" to any existing question previously submitted by your fellow community members.

'''The Call for Questions is open! [https://github.com/OWASP-Foundation/Board-Election-Call-for-Questions/issues/1 SUBMIT HERE]'''

=== '''Honorary Membership''' ===
Who is eligible for Honorary Membership?
*OWASP Chapter Leaders - The OWASP Chapter MUST be active and your leadership position MUST be on file with the OWASP Foundation 6 months prior to September 30, 2018.
*OWASP Project Leaders - The OWASP Project MUST be active and your leadership position MUST be on file with the OWASP Foundation 6 months prior to September 30, 2018.

'''**NOTE**''' If you are an OWASP leader that does not have a current paid Individual Membership or current Honorary Membership on file, but meets the requirements (see eligibility above) for Honorary Membership, then you '''MUST APPLY''' for an Honorary Membership in order to vote in this year's election. The Honorary Membership request form is available '''[[Honorary Membership|HERE]]'''. All submissions will be reviewed and verified by OWASP.

=== '''Who Can Vote?''' ===
OWASP paid Individual Members, paid Corporate Members and Honorary Members registered as of September 30, 2018 will have (1) vote per seat (there are 3 seats up for this election).

Please check the current [https://docs.google.com/spreadsheets/d/1WN07dNGBldvYC_RmTKKsrYdguSUghlLP5A7QfQa6G9M/edit?usp=sharing Member Directory]. If you are not a member yet, we encourage you to [http://myowasp.force.com/memberappregion '''JOIN NOW'''!]

=== '''How Do I Vote?''' ===
On October 8, 2018, eligible voting members will receive an email to their registered email address from owasp@simplyvoting.com with subject "BALLOT FOR OWASP 2018 Board Election"

This email will include a specific link for you to cast your vote. Please do '''NOT''' share this link with anyone. It is a specific link '''JUST FOR YOU'''!

Additionally, eligible voting members will also receive an email from the OWASP Foundation notifying them that their ballot has been sent. In the instance that they did not receive a ballot they are asked to [https://www.tfaforms.com/308703 contact us] immediately.

=== '''Have additional questions about the OWASP Membership?''' ===
*Read the Membership FAQ [https://www.owasp.org/index.php/MEMBERSHIP_FAQ CLICK HERE] 

=== '''Election FAQ''' ===
If you have a question about the current election please [https://www.tfaforms.com/308703 '''CLICK HERE'''].
*'''Where can I find communication to the OWASP Community about the upcoming election?'''
** Answer: We will try to publish announcements and key milestone reminders to as many communication channels as possible, including the OWASP Blog, OWASP Connector, OWASP Leader's List and this Wiki Page. Please feel free to help us communicate the message, by re-posting, re-tweeting, or sharing with the OWASP Chapter, Project, or Initiatives you are involved with.

* '''Where can I find information on last years Board election?'''
** Answer: [[2017 Global Board of Directors Election]]

=== '''Communications''' ===
# July 17, 2018 - Email sent to current OWASP Foundation Board members whose terms are ending in 2018.

OWASP Board History

2018-08-12T06:29:23Z

Bil Corry: Broke out the tables into 10-year segments

The data here was compiled from the OWASP Foundation Tax Returns and official election results. Asterisked years were taken from other sources and may be incomplete.

== 2014 to Current ==

{| class="wikitable" border="1"
|-
! style="background: #0A2A29; color: white" | 2014 BoD
! style="background: #0A2A29; color: white" | 2015 BoD
! style="background: #0A2A29; color: white" | 2016 BoD
! style="background: #0A2A29; color: white" | 2017 BoD
! style="background: #0A2A29; color: white" | 2018 BoD
|- style="background: #FE9A2E; color: black"
| Tom Brennan
| style="background: #0A2A29; color: black" |
| Tom Brennan
| Tom Brennan
| style="background: #0A2A29; color: black" |
|- style="background: #8181F7; color: black"
| Eoin Keary
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #F7FE2E; color: black"
| Michael Coates
| Michael Coates
| Michael Coates
| Michael Coates
| style="background: #0A2A29; color: black" |
|- style="background: #0066FF; color: black"
| Jim Manico
| Jim Manico
| Jim Manico/Jonathan Carter
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #FFCC00; color: black"
| Fabio Cerullo
| Fabio Cerullo
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #339933; color: black"
| Tobias Gondrom
| Tobias Gondrom
| Tobias Gondrom
| Tobias Gondrom
| style="background: #0A2A29; color: black" |
|- style="background: #CC6600; color: black"
| Josh Sokol
| Josh Sokol
| Josh Sokol
| Josh Sokol
| style="background: #0A2A29; color: black" |
|- style="background: #64FE2E; color: black"
| style="background: #0A2A29; color: black" |
| Andrew van der Stock
| Andrew van der Stock
| Andrew van der Stock
| Andrew van der Stock
|- style="background: #2ECCFA; color: black"
| style="background: #0A2A29; color: black" |
| Matthew Konda
| Matthew Konda
| Matthew Konda
| Matt Konda
|- style="background: #FFC744; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Johanna Curiel/Martin Knobloch
| Martin Knobloch
|- style="background: #FA5858; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Owen Pendlebury
|- style="background: #F7FE2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Chenxi Wang
|- style="background: #8181F7; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Greg Anderson
|- style="background: #0066FF; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Sherif Mansour
|}

== 2004 to 2013 ==

{| class="wikitable" border="1"
|-
! style="background: #0A2A29; color: white" | 2004 BoD*
! style="background: #0A2A29; color: white" | 2005 BoD*
! style="background: #0A2A29; color: white" | 2006 BoD*
! style="background: #0A2A29; color: white" | 2007 BoD
! style="background: #0A2A29; color: white" | 2008 BoD
! style="background: #0A2A29; color: white" | 2009 BoD
! style="background: #0A2A29; color: white" | 2010 BoD
! style="background: #0A2A29; color: white" | 2011 BoD
! style="background: #0A2A29; color: white" | 2012 BoD
! style="background: #0A2A29; color: white" | 2013 BoD
|- style="background: #64FE2E; color: black"
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #2ECCFA; color: black"
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
|- style="background: #CC2EFA; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| David Anderson
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #00FF80; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Dinis Cruz
| Dinis Cruz
| Dinis Cruz
| Dinis Cruz
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #FA5858; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
|- style="background: #FE9A2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
|- style="background: #01DF01; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Matt Tesauro
| Matt Tesauro
| Matt Tesauro
| style="background: #0A2A29; color: black" |
|- style="background: #8181F7; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Eoin Keary
| Eoin Keary
| Eoin Keary
| Eoin Keary
|- style="background: #F7FE2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Michael Coates
| Michael Coates
|- style="background: #0066FF; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Jim Manico
|}

Women In AppSec

2017-07-12T20:42:23Z

Bil Corry: Updated with election results

=WELCOME=

==Women in Application Security Committee==

The purpose of Women in AppSec (WIA) Committee is to develop leadership, promote active membership and participation, and contributions by women in application security professional communities, globally and locally.

The Women in AppSec program is for anyone who believes that diversity is important to the success of the organization, as well as for women looking to learn more about AppSec or who want to make career connections with like-minded colleagues. This includes female undergraduate and graduate students, instructors, and professionals who are dedicated to information security or application development.

=FIND US=

==Email List==

[https://lists.owasp.org/mailman/listinfo/appsec_usa_women_in_security WIA List and Archive]

==Twitter==

[https://twitter.com/owaspwia @OWASPWIA]

==Slack Channel==

[https://owasp.slack.com/messages/C2NUH1J5B/ WIA Slack Channel]

You can get an OWASP Slack invite here: [https://owasp.herokuapp.com/ OWASP Slack Invite]

=WIA PURPOSE AND SCOPE=

==Purpose==

The purpose of Women in AppSec (WIA) Committee is to develop leadership, promote active membership and participation, and contributions by women in application security professional communities, globally and locally.

==Scope==

The scope for OWASP WIA Committee falls into the following areas:

# Attract women to OWASP, as active members, contributors and leaders.
# Offer opportunities for women to become engaged in AppSec and related professional communities.
# Provide inclusive targeted application security programs for all women learners.
# Provide inclusive training and mentorship for all interested OWASP women.
# Provide financial support to OWASP women members through scholarships, sponsorships, and grant making.
# Pursue fundraising, advancement and development to secure financial support for OWASP WIA activities..
# Integrate WIA track and related activities into OWASP events at all levels.
# Cultivate women for community leadership, speakers for conferences, thought leadership, learning leaders, and local chapter events.
# Collaborate with other committees and initiatives as needs present.
# Collaborate with local OWASP Chapters and Global OWASP leadership, including but not limited to offering advisory support to local and global OWASP leadership for WIA advancement and collaboratively building pro-WIA OWASP communities.
# Develop other special projects and events designed to further the purpose of WIA.

=MEMBERSHIP=

==Membership Types==

===Voting===

Voting Members are members of OWASP who have formally joined the WIA Committee. Voting Members are allowed to vote on Committee business and are allowed to serve in one of the five officer positions of the Committee.

In order to become a Voting Member, you must first become a Participating Member and participate for three months, become an OWASP member in good standing, and obtain a written endorsement from a current Voting Member or an OWASP Board of Director. Once all three criteria are met, you must formally request to join as a Voting Member to the WIA List. The Voting Members then vote via the WIA list, and if you receive a majority affirmative vote, you are then made a Voting Member.

Voting Members have an obligation to maintain participation and to reaffirm their commitment every six months (the Secretary will send an email every six months to affirm commitment, replying "no" or not replying will result in removal).

===Participating===

Participating Members are anyone that is interested in volunteering time to the WIA Committee or sub-committees. Participating Members are able to participate in all activities, with the exception of voting and serving in one of the five Committee officer roles.

In order to become a Participating member, you must express your volunteering commitment to the Secretary, who will then add you to the Membership List. Participating Members can withdraw their commitment at any time by notifying the Secretary. Participating Members do not need to be OWASP members.

==Membership List==

[https://docs.google.com/spreadsheets/d/1T7I0FJwfrI-h3XY-iL5URNNeZ-A0wxPTV0nfQHrSZVs/edit?usp=sharing Membership List]

=GOVERNANCE=

==Operating Model==

WIA is a formal Committee of OWASP. WIA is governed by the rules set forth in the [https://www.owasp.org/index.php/Governance/OWASP_Committees OWASP Committees 2.0 Operational Model].

==Committee Officers==

#Chair
##Tanya Janca
##Duties
###Open/run the meetings
###Put items to vote and announce the result
###Oversee progress of committee activities
###Participates in fundraising activities/sponsorship acquisition
#Vice-Chair
##Loredana Mancini
##Duties
###Serve in place of the chair when the chair is not available, temporarily or permanently
###Confirm and validate results of votes
###Help the chair oversee progress of committee activities
###Participates in fundraising activities/sponsorship acquisition
###Run doodles for upcoming meetings
###Send out meeting invites
#Secretary
##Cathy Hall
##Duties
###Maintain the WIA membership list and associated bookkeeping
###Take attendance/minutes at meetings
###Create an agenda for each meeting, put out a call to members for agenda items
###Post agendas and meetings
###Edit/update committee Wiki page
#Treasurer
##Cathy Hall
##Duties
###Maintain budget
###Track income and expenses for all committee activities
###Report at each meeting the expenditures and incoming revenue for the month and the balance of the fund
###Check the balance of the WIA budget with the OWASP accountant quarterly
###Participates in fundraising activities/sponsorship acquisition

Note: Only Voting Members may serve as Committee Officers

==Sub-Committee Coordinators==

#Volunteer Coordinator
##Vandana Verma (Asia), Loredana Mancini (Europe), Wendy Istvanick (North America)
##Duties
###Recruit new members for WIA/volunteers for specific events
###Schedule/train volunteers as needed
###Provides direction and coordination for volunteers
###Plan for retention and replacement
###Support in fundraising activities/sponsorship acquisition
###Connect with other local active groups in security to create volunteer networking
###Maintain lessons learned in the volunteer recruiting for the different events to improve the recruiting process
###Keep informal/formal contacts with all the volunteer to be able to reach them in case of new needs
#Media Relations Coordinator
##Katherine Cancelado
##Duties
###Maintain list of media contacts
###Maintain list of media articles mentioning WIA
###Promote WIA to media
###Prepare talking points, messaging strategy
###Work with OWASP Global to issue press releases

Note: All Committee Members may serve as Sub-Committee Coordinators

=2017 ELECTIONS=

==Timeline==
* June 23, 2017 (Friday) - Call for Candidates closes
* June 24, 2017 (Saturday) - Election emails send to voting members
* July 2, 2017 (Sunday) - Election closes
* July 3, 2017 (Monday) - Election results announced on WIA list

==Candidates==
===Committee Officers===

''Positions can only be filled by Voting Members.''

====Chair====
* Tanya Janca

====Vice Chair====
* Loredana Mancini
* Cathy Hall

====Secretary====
* Cathy Hall

====Treasurer====
* Cathy Hall

===Sub-Committee Coordinators===

''Positions can be filled by Voting and Participating Members.''

====Volunteer Coordinator - Asia====
* Vandana Verma

====Volunteer Coordinator - Europe====
* Loredana Mancini

====Volunteer Coordinator - North America====
* Wendy Istvanick

====Media Relations Coordinator====
* Katherine Cancelado

==Ballot==
This is the ballot that was sent to Voting Members on June 24, 2017

<blockquote>
Dear Voting Members of WIA,

This is your 2017 WIA Ballot. You must respond by Sunday, July 2. On Monday, July 3, I will tally the votes and announce the winners. The candidate with the most vote wins. Votes not received by the deadline will not be counted.

To vote, please reply to me with your candidate selections. You may optionally choose to cc Tiffany Long as an extra ballot counter. And you may optionally choose to "reply all" if you want your vote to be transparent to your fellow Voting Members.

Please choose one candidate for each role. You have the option to choose "None" if you do not want to elect any of the listed candidate(s) for that role. Omitting a vote for a role will cause your vote to not be counted.

For candidates running for multiple roles, if the candidate wins more than one position, they will pick the role they want, and for the other role(s), the runner-up candidate is declared the winner. For roles left empty, the incoming leadership team will decide how best to fill the role.

The candidates for 2017 are as follows:

Chair
# Tanya Janca
# None

Vice Chair
# Loredana Mancini
# Cathy Hall
# None

Secretary
# Cathy Hall
# None

Treasurer
# Cathy Hall
# None

Volunteer Coordinator - Asia
# Vandana Verma
# None

Volunteer Coordinator - Europe
# Loredana Mancini
# None

Volunteer Coordinator - North America
# Wendy Istvanick
# None

Media Relations Coordinator
# Katherine Cancelado
# None

Please let me know if you have any questions. Otherwise, I look forward to receiving your votes.

- Bil
</blockquote>

==Election Results==
===Committee Officers===

''Positions can only be filled by Voting Members.''

====Chair====
* Tanya Janca

====Vice Chair====
* Loredana Mancini

====Secretary====
* Cathy Hall

====Treasurer====
* Cathy Hall

===Sub-Committee Coordinators===

''Positions can be filled by Voting and Participating Members.''

====Volunteer Coordinator - Asia====
* Vandana Verma

====Volunteer Coordinator - Europe====
* Loredana Mancini

====Volunteer Coordinator - North America====
* Wendy Istvanick

====Media Relations Coordinator====
* Katherine Cancelado

=PREVIOUS WIA ACTIVITIES=

== AppSec EU 2017 ==
Women in AppSec is kicking it up a notch at AppSec EU 2017 and we want YOU to join us! Make sure you stop by during the week to check out our events and to learn more about the group.

Events are free to attend and do not require a conference ticket.

Monday, May 8, 2017 6:00-9:00 pm Networking Session

On Monday 8th May at 6:00 pm in the Waterfront Conference Centre, we will have a group of mentors each give a brief talk about their experience followed by an "unconference" event. During the "unconference" event, we will break into groups to discuss popular technical topics. This will be a fantastic opportunity to engage in mentoring relationships and hear from women in the field. You can sign up for this free event on Meetup.com here: <nowiki>https://www.meetup.com/OWASP-Belfast/events/238434511/</nowiki>

Thursday, May 11, 2017 7:30-8:45 a.m. Mentoring Breakfast

Join us at our pre-conference WiA breakfast in the Waterfront Conference Centre at 7.30 am on Thursday 11th May. A light breakfast will be provided for table discussions on various topics. This will also be a second opportunity to chat with anyone you didn't get to during the Monday evening event. Details to register for this event will be available soon, it will also be free to attend.

=== Wondering what to expect? ===
Organisers Michelle and Claire discuss what you can expect here:

<nowiki>https://drive.google.com/open?id=0B3mw0mZ4CcgtbG5FUDJxbzVqX28</nowiki>

=== Interested in being a Mentor? ===
We’re looking for mentors to participate in both events. Both men and women are invited to contribute as mentors. This is the commitment we’re asking for:
* A picture and bio for the website
* A time commitment of two hours between the two events
** 30+ minutes at the networking event
** 1½ hours at the mentoring breakfast
Let us know if you’re interested in joining us!

<nowiki>https://docs.google.com/forms/d/e/1FAIpQLSfy0qx9hnkJiCiceeUDmaq78i9aYXeGsHNv9B95Z_ZeN5Z_KA/viewform</nowiki>

Not sure if you’re interested yet? Provide your email address for updates as they become available.

<nowiki>https://docs.google.com/forms/d/e/1FAIpQLSc2DYBKcGzESX6U8-Syohqvm_g7bLLyTBPaw5E7sUj5KO3O4A/viewform</nowiki>

'''We look forward to seeing you at AppSec EU 2017!'''

=== Meet the EU WIA planning team ===
* === Michelle Simpson === Security Consultant at NCC Group
* === Claire Burn === Field Applications Engineer at Titan-IC
* === Cathy Hall === Principal Consultant at Sila Solutions Group
* === Owen Pendelbury === Manager Cyber Risk Services - Penetration Testing @ Deloitte
* === Zoe Braiterman === Business Studies graduate from Drew University
* === Wendy Istvanick === Object Tactician at ThoughtWorks
* === Fiona Collins === IT Security Engineer, Staff at Qualcomm
* === Bev Corwin === Director of Technology at DDC
* === Loredana Mancini === Chief Operation Officer at ITWAY
* === Emily Verwee === Online Project Manager at The Arc of the United States
* === Tiffany Long === Community Manager at OWASP

== AppSec USA 2015 ==

'''AppSec USA 2015''' 
The Women in AppSec (WIA) program is for all OWASP members who believe that diversity is important to the success of an organization, as well as for women who want to make career connections with like-minded colleagues. We encourage you to attend our session on Thursday at 3:30pm in Room F, featuring the founders of InfoSec Girls, Apoorva Giri and Shruthi Kamath. 
We also invite you to join us for our networking and “Birds of a Feather” sessions on on Thursday in WIA meeting room . Stop by anytime between 10:00am and 3:30pm to meet other members and learn more about the WIA program. You can also suggest a discussion topic on the sign-up at the room entrance. 
Sponsorship opportunities for commercial organizations and OWASP chapters are also available.

'''AppSec USA 2015''' 
Currently, there is an effort to plan activities for AppSec USA 2015. Volunteers are eagerly sought to support the program at AppSec USA! We are especially excited to invite the founders of the '''InfoSec Girls''' initiative to the AppSec USA 2015 conference. To bring InfoSec Girls to AppSec USA, we need to raise $7500. We are very close to our goal and know that with the support of the OWASP community, we can easily get there! Donations above and beyond our goal will be used for future WIA programs around the world. '''Donate now:''' 

== AppSec EU 2015 ==
During AppSec EU there was a panel discussion and workshop supported by the Women in AppSec initiative. Through these sessions we hoped to encourage women to pursue a career in AppSec and help them realize it is an option for them. These sessions was be open to all so we can help build support for the women around us. Learn more here: [http://2015.appsec.eu/women-in-application-security/ http://2015.appsec.eu/women-in-application-security] 

'''Panel: "Women in AppSec - Making it Happen"''' 
During this panel session we discussed what can be done to Make it Happen for Women in AppSec going forward. What have those currently working in the field done to Make it Happen for themselves and other women; what tips and advice do they have to help you do to make a career for yourself or encourage those around you (sister, friend, daughter, etc…) to pursue a career in AppSec? What can we as professionals can do to help encourage girls to go for a career in AppSec?

'''Workshop''' 
During the workshop we introduced female attendees of the conference to what a career in App Sec can involve. We discussed application security and the many career paths available. We hope to build relationships that may lead to a mentoring program for these women.

== AppSec USA 2013 ==
Learn more about the program here: http://2013.appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/index.html

==Previous Women in AppSec Winners==
Following their experience at AppSec, winners are encouraged to write a short piece about their experience at the conference and their participation in the Women in AppSec program. Here, they outline their experience with the Women in AppSec Program in their own words.

'''Carrie Schaper, 2013 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Carrie Schaper Small.jpg|100px]]
| align="justify" |"OWASP Appsec proved to be a great experience for me, uniting and interacting with friends, professionals, and colleagues from the Information Security space from across the US and Internationally whom were in attendance. The huge space and well organized functions such as the: trainings, expert talks, panels, bug-bounty, lock-picking village and social events all enhanced the conference experience. Participating on the Women in IT panel was a wonderful experience, as many women were in attendance and participated in collaborative discussions. OWASP Appsec held in NY this year, was a premier NY conference not to be missed. Thank you to OWASP, its attendees and organizers."
|}
 

'''Nancy Lornston, 2013 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Nancy Lorntson Small.jpg|100px]]
| align="justify" |"AppSec 2013 was an awesome experience! Nowhere in the world can you find the top security experts all in one place at one time (and participate in a marriage proposal!). The conference presentations were well organized and the speakers were prepared to share pros, cons, successes and failures of their work in order to advance the application security domain. The variety of vendors was terrific as well.

The Women in AppSec panel was an opportunity to advance women's position in the community. Each speaker shared some very candid remarks about their personal experiences and by the end, it was clear that while more work needs to be done, there is a sincere interest by companies, universities and the industry in general to work on doing the things needed to attract more women to the profession.

The training course I attended (Open source tools) lived up to it's billing and I came away with several invaluable tips and strategies to improve our program.

A huge thank you to the Women in App Sec Panel and OWASP in general for this opportunity to attend the premier Application Security Conference in the world."
|}
 

'''Tara Wilson, 2011 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Tara wilson.jpg|100px]]
| align="justify" |“Being fortunate enough to receive the Women in AppSec sponsorhsip is a unique and valuable experience. It is a great opportunity for women to have a chance to bolster their skills and dive deep into the world of application security. I found that attending the conference was not only a great way to experience what the OWASP community has to offer, but it also gives students a chance to network with a great group of people who are passionate about their field and willing to share a wealth of information.”
|}
 

'''Chandni Bhowmik, 2011 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Chandni_bhowmik.jpg|100px]]
| align="justify" |Chandni Bhowmik is currently completing an M.S. in Computer Security and Information Assurance at the Rochester Institute of Technology (RIT). Her first introduction to OWASP was through the project WebScarab during an application security lab last spring at RIT and her interest in OWASP grew ever since. Over the summer, she started programming open source web applications using built-in security features of Django and Python. She is interested in becoming an information security researcher, and hopes to leverage learning at OWASP AppSec USA 2011 in ad-hoc architecture, mobile platforms and over-all concepts of web application security. Besides secure programming, Chandni enjoys her current research involving digital image forensics and machine learning. In addition to attending school, she has interned in IT security and compliance at Paychex, a Rochester based payroll processing company, and gained industrial experience working an assistant systems engineer for Tata Consultancy Services, a global IT firm.
|}
 

<headertabs></headertabs>

Women In AppSec

2017-06-24T16:12:19Z

Bil Corry: added copy of the ballot

=WELCOME=

==Women in Application Security Committee==

The purpose of Women in AppSec (WIA) Committee is to develop leadership, promote active membership and participation, and contributions by women in application security professional communities, globally and locally.

The Women in AppSec program is for anyone who believes that diversity is important to the success of the organization, as well as for women looking to learn more about AppSec or who want to make career connections with like-minded colleagues. This includes female undergraduate and graduate students, instructors, and professionals who are dedicated to information security or application development.

=FIND US=

==Email List==

[https://lists.owasp.org/mailman/listinfo/appsec_usa_women_in_security WIA List and Archive]

==Twitter==

[https://twitter.com/owaspwia @OWASPWIA]

==Slack Channel==

[https://owasp.slack.com/messages/C2NUH1J5B/ WIA Slack Channel]

You can get an OWASP Slack invite here: [https://owasp.herokuapp.com/ OWASP Slack Invite]

=WIA PURPOSE AND SCOPE=

==Purpose==

The purpose of Women in AppSec (WIA) Committee is to develop leadership, promote active membership and participation, and contributions by women in application security professional communities, globally and locally.

==Scope==

The scope for OWASP WIA Committee falls into the following areas:

# Attract women to OWASP, as active members, contributors and leaders.
# Offer opportunities for women to become engaged in AppSec and related professional communities.
# Provide inclusive targeted application security programs for all women learners.
# Provide inclusive training and mentorship for all interested OWASP women.
# Provide financial support to OWASP women members through scholarships, sponsorships, and grant making.
# Pursue fundraising, advancement and development to secure financial support for OWASP WIA activities..
# Integrate WIA track and related activities into OWASP events at all levels.
# Cultivate women for community leadership, speakers for conferences, thought leadership, learning leaders, and local chapter events.
# Collaborate with other committees and initiatives as needs present.
# Collaborate with local OWASP Chapters and Global OWASP leadership, including but not limited to offering advisory support to local and global OWASP leadership for WIA advancement and collaboratively building pro-WIA OWASP communities.
# Develop other special projects and events designed to further the purpose of WIA.

=MEMBERSHIP=

==Membership Types==

===Voting===

Voting Members are members of OWASP who have formally joined the WIA Committee. Voting Members are allowed to vote on Committee business and are allowed to serve in one of the five officer positions of the Committee.

In order to become a Voting Member, you must first become a Participating Member and participate for three months, become an OWASP member in good standing, and obtain a written endorsement from a current Voting Member or an OWASP Board of Director. Once all three criteria are met, you must formally request to join as a Voting Member to the WIA List. The Voting Members then vote via the WIA list, and if you receive a majority affirmative vote, you are then made a Voting Member.

Voting Members have an obligation to maintain participation and to reaffirm their commitment every six months (the Secretary will send an email every six months to affirm commitment, replying "no" or not replying will result in removal).

===Participating===

Participating Members are anyone that is interested in volunteering time to the WIA Committee or sub-committees. Participating Members are able to participate in all activities, with the exception of voting and serving in one of the five Committee officer roles.

In order to become a Participating member, you must express your volunteering commitment to the Secretary, who will then add you to the Membership List. Participating Members can withdraw their commitment at any time by notifying the Secretary. Participating Members do not need to be OWASP members.

==Membership List==

[https://docs.google.com/spreadsheets/d/1T7I0FJwfrI-h3XY-iL5URNNeZ-A0wxPTV0nfQHrSZVs/edit?usp=sharing Membership List]

=GOVERNANCE=

==Operating Model==

WIA is a formal Committee of OWASP. WIA is governed by the rules set forth in the [https://www.owasp.org/index.php/Governance/OWASP_Committees OWASP Committees 2.0 Operational Model].

==Committee Officers==

#Chair
##TBD for 2017 Term
##Duties
###Open/run the meetings
###Put items to vote and announce the result
###Oversee progress of committee activities
###Participates in fundraising activities/sponsorship acquisition
#Vice-Chair
##TBD for 2017 Term
##Duties
###Serve in place of the chair when the chair is not available, temporarily or permanently
###Confirm and validate results of votes
###Help the chair oversee progress of committee activities
###Participates in fundraising activities/sponsorship acquisition
###Run doodles for upcoming meetings
###Send out meeting invites
#Secretary
##TBD for 2017 Term
##Duties
###Maintain the WIA membership list and associated bookkeeping
###Take attendance/minutes at meetings
###Create an agenda for each meeting, put out a call to members for agenda items
###Post agendas and meetings
###Edit/update committee Wiki page
#Treasurer
##TBD for 2017 Term
##Duties
###Maintain budget
###Track income and expenses for all committee activities
###Report at each meeting the expenditures and incoming revenue for the month and the balance of the fund
###Check the balance of the WIA budget with the OWASP accountant quarterly
###Participates in fundraising activities/sponsorship acquisition

Note: Only Voting Members may serve as Committee Officers

==Sub-Committee Coordinators==

#Volunteer Coordinator
##TBD for 2017 Term
##Duties
###Recruit new members for WIA/volunteers for specific events
###Schedule/train volunteers as needed
###Provides direction and coordination for volunteers
###Plan for retention and replacement
###Support in fundraising activities/sponsorship acquisition
###Connect with other local active groups in security to create volunteer networking
###Maintain lessons learned in the volunteer recruiting for the different events to improve the recruiting process
###Keep informal/formal contacts with all the volunteer to be able to reach them in case of new needs
#Media Relations Coordinator
##TBD for 2017 Term
##Duties
###Maintain list of media contacts
###Maintain list of media articles mentioning WIA
###Promote WIA to media
###Prepare talking points, messaging strategy
###Work with OWASP Global to issue press releases

Note: All Committee Members may serve as Sub-Committee Coordinators

=2017 ELECTIONS=

==Timeline==
* June 23, 2017 (Friday) - Call for Candidates closes
* June 24, 2017 (Saturday) - Election emails send to voting members
* July 2, 2017 (Sunday) - Election closes
* July 3, 2017 (Monday) - Election results announced on WIA list

==Candidates==
===Committee Officers===

''Positions can only be filled by Voting Members.''

====Chair====
* Tanya Janca

====Vice Chair====
* Loredana Mancini
* Cathy Hall

====Secretary====
* Cathy Hall

====Treasurer====
* Cathy Hall

===Sub-Committee Coordinators===

''Positions can be filled by Voting and Participating Members.''

====Volunteer Coordinator - Asia====
* Vandana Verma

====Volunteer Coordinator - Europe====
* Loredana Mancini

====Volunteer Coordinator - North America====
* Wendy Istvanick

====Media Relations Coordinator====
* Katherine Cancelado

==Ballot==
This is the ballot that was sent to Voting Members on June 24, 2017

<blockquote>
Dear Voting Members of WIA,

This is your 2017 WIA Ballot. You must respond by Sunday, July 2. On Monday, July 3, I will tally the votes and announce the winners. The candidate with the most vote wins. Votes not received by the deadline will not be counted.

To vote, please reply to me with your candidate selections. You may optionally choose to cc Tiffany Long as an extra ballot counter. And you may optionally choose to "reply all" if you want your vote to be transparent to your fellow Voting Members.

Please choose one candidate for each role. You have the option to choose "None" if you do not want to elect any of the listed candidate(s) for that role. Omitting a vote for a role will cause your vote to not be counted.

For candidates running for multiple roles, if the candidate wins more than one position, they will pick the role they want, and for the other role(s), the runner-up candidate is declared the winner. For roles left empty, the incoming leadership team will decide how best to fill the role.

The candidates for 2017 are as follows:

Chair
# Tanya Janca
# None

Vice Chair
# Loredana Mancini
# Cathy Hall
# None

Secretary
# Cathy Hall
# None

Treasurer
# Cathy Hall
# None

Volunteer Coordinator - Asia
# Vandana Verma
# None

Volunteer Coordinator - Europe
# Loredana Mancini
# None

Volunteer Coordinator - North America
# Wendy Istvanick
# None

Media Relations Coordinator
# Katherine Cancelado
# None

Please let me know if you have any questions. Otherwise, I look forward to receiving your votes.

- Bil
</blockquote>

=PREVIOUS WIA ACTIVITIES=

== AppSec EU 2017 ==
Women in AppSec is kicking it up a notch at AppSec EU 2017 and we want YOU to join us! Make sure you stop by during the week to check out our events and to learn more about the group.

Events are free to attend and do not require a conference ticket.

Monday, May 8, 2017 6:00-9:00 pm Networking Session

On Monday 8th May at 6:00 pm in the Waterfront Conference Centre, we will have a group of mentors each give a brief talk about their experience followed by an "unconference" event. During the "unconference" event, we will break into groups to discuss popular technical topics. This will be a fantastic opportunity to engage in mentoring relationships and hear from women in the field. You can sign up for this free event on Meetup.com here: <nowiki>https://www.meetup.com/OWASP-Belfast/events/238434511/</nowiki>

Thursday, May 11, 2017 7:30-8:45 a.m. Mentoring Breakfast

Join us at our pre-conference WiA breakfast in the Waterfront Conference Centre at 7.30 am on Thursday 11th May. A light breakfast will be provided for table discussions on various topics. This will also be a second opportunity to chat with anyone you didn't get to during the Monday evening event. Details to register for this event will be available soon, it will also be free to attend.

=== Wondering what to expect? ===
Organisers Michelle and Claire discuss what you can expect here:

<nowiki>https://drive.google.com/open?id=0B3mw0mZ4CcgtbG5FUDJxbzVqX28</nowiki>

=== Interested in being a Mentor? ===
We’re looking for mentors to participate in both events. Both men and women are invited to contribute as mentors. This is the commitment we’re asking for:
* A picture and bio for the website
* A time commitment of two hours between the two events
** 30+ minutes at the networking event
** 1½ hours at the mentoring breakfast
Let us know if you’re interested in joining us!

<nowiki>https://docs.google.com/forms/d/e/1FAIpQLSfy0qx9hnkJiCiceeUDmaq78i9aYXeGsHNv9B95Z_ZeN5Z_KA/viewform</nowiki>

Not sure if you’re interested yet? Provide your email address for updates as they become available.

<nowiki>https://docs.google.com/forms/d/e/1FAIpQLSc2DYBKcGzESX6U8-Syohqvm_g7bLLyTBPaw5E7sUj5KO3O4A/viewform</nowiki>

'''We look forward to seeing you at AppSec EU 2017!'''

=== Meet the EU WIA planning team ===
* === Michelle Simpson === Security Consultant at NCC Group
* === Claire Burn === Field Applications Engineer at Titan-IC
* === Cathy Hall === Principal Consultant at Sila Solutions Group
* === Owen Pendelbury === Manager Cyber Risk Services - Penetration Testing @ Deloitte
* === Zoe Braiterman === Business Studies graduate from Drew University
* === Wendy Istvanick === Object Tactician at ThoughtWorks
* === Fiona Collins === IT Security Engineer, Staff at Qualcomm
* === Bev Corwin === Director of Technology at DDC
* === Loredana Mancini === Chief Operation Officer at ITWAY
* === Emily Verwee === Online Project Manager at The Arc of the United States
* === Tiffany Long === Community Manager at OWASP

== AppSec USA 2015 ==

'''AppSec USA 2015''' 
The Women in AppSec (WIA) program is for all OWASP members who believe that diversity is important to the success of an organization, as well as for women who want to make career connections with like-minded colleagues. We encourage you to attend our session on Thursday at 3:30pm in Room F, featuring the founders of InfoSec Girls, Apoorva Giri and Shruthi Kamath. 
We also invite you to join us for our networking and “Birds of a Feather” sessions on on Thursday in WIA meeting room . Stop by anytime between 10:00am and 3:30pm to meet other members and learn more about the WIA program. You can also suggest a discussion topic on the sign-up at the room entrance. 
Sponsorship opportunities for commercial organizations and OWASP chapters are also available.

'''AppSec USA 2015''' 
Currently, there is an effort to plan activities for AppSec USA 2015. Volunteers are eagerly sought to support the program at AppSec USA! We are especially excited to invite the founders of the '''InfoSec Girls''' initiative to the AppSec USA 2015 conference. To bring InfoSec Girls to AppSec USA, we need to raise $7500. We are very close to our goal and know that with the support of the OWASP community, we can easily get there! Donations above and beyond our goal will be used for future WIA programs around the world. '''Donate now:''' 

== AppSec EU 2015 ==
During AppSec EU there was a panel discussion and workshop supported by the Women in AppSec initiative. Through these sessions we hoped to encourage women to pursue a career in AppSec and help them realize it is an option for them. These sessions was be open to all so we can help build support for the women around us. Learn more here: [http://2015.appsec.eu/women-in-application-security/ http://2015.appsec.eu/women-in-application-security] 

'''Panel: "Women in AppSec - Making it Happen"''' 
During this panel session we discussed what can be done to Make it Happen for Women in AppSec going forward. What have those currently working in the field done to Make it Happen for themselves and other women; what tips and advice do they have to help you do to make a career for yourself or encourage those around you (sister, friend, daughter, etc…) to pursue a career in AppSec? What can we as professionals can do to help encourage girls to go for a career in AppSec?

'''Workshop''' 
During the workshop we introduced female attendees of the conference to what a career in App Sec can involve. We discussed application security and the many career paths available. We hope to build relationships that may lead to a mentoring program for these women.

== AppSec USA 2013 ==
Learn more about the program here: http://2013.appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/index.html

==Previous Women in AppSec Winners==
Following their experience at AppSec, winners are encouraged to write a short piece about their experience at the conference and their participation in the Women in AppSec program. Here, they outline their experience with the Women in AppSec Program in their own words.

'''Carrie Schaper, 2013 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Carrie Schaper Small.jpg|100px]]
| align="justify" |"OWASP Appsec proved to be a great experience for me, uniting and interacting with friends, professionals, and colleagues from the Information Security space from across the US and Internationally whom were in attendance. The huge space and well organized functions such as the: trainings, expert talks, panels, bug-bounty, lock-picking village and social events all enhanced the conference experience. Participating on the Women in IT panel was a wonderful experience, as many women were in attendance and participated in collaborative discussions. OWASP Appsec held in NY this year, was a premier NY conference not to be missed. Thank you to OWASP, its attendees and organizers."
|}
 

'''Nancy Lornston, 2013 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Nancy Lorntson Small.jpg|100px]]
| align="justify" |"AppSec 2013 was an awesome experience! Nowhere in the world can you find the top security experts all in one place at one time (and participate in a marriage proposal!). The conference presentations were well organized and the speakers were prepared to share pros, cons, successes and failures of their work in order to advance the application security domain. The variety of vendors was terrific as well.

The Women in AppSec panel was an opportunity to advance women's position in the community. Each speaker shared some very candid remarks about their personal experiences and by the end, it was clear that while more work needs to be done, there is a sincere interest by companies, universities and the industry in general to work on doing the things needed to attract more women to the profession.

The training course I attended (Open source tools) lived up to it's billing and I came away with several invaluable tips and strategies to improve our program.

A huge thank you to the Women in App Sec Panel and OWASP in general for this opportunity to attend the premier Application Security Conference in the world."
|}
 

'''Tara Wilson, 2011 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Tara wilson.jpg|100px]]
| align="justify" |“Being fortunate enough to receive the Women in AppSec sponsorhsip is a unique and valuable experience. It is a great opportunity for women to have a chance to bolster their skills and dive deep into the world of application security. I found that attending the conference was not only a great way to experience what the OWASP community has to offer, but it also gives students a chance to network with a great group of people who are passionate about their field and willing to share a wealth of information.”
|}
 

'''Chandni Bhowmik, 2011 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Chandni_bhowmik.jpg|100px]]
| align="justify" |Chandni Bhowmik is currently completing an M.S. in Computer Security and Information Assurance at the Rochester Institute of Technology (RIT). Her first introduction to OWASP was through the project WebScarab during an application security lab last spring at RIT and her interest in OWASP grew ever since. Over the summer, she started programming open source web applications using built-in security features of Django and Python. She is interested in becoming an information security researcher, and hopes to leverage learning at OWASP AppSec USA 2011 in ad-hoc architecture, mobile platforms and over-all concepts of web application security. Besides secure programming, Chandni enjoys her current research involving digital image forensics and machine learning. In addition to attending school, she has interned in IT security and compliance at Paychex, a Rochester based payroll processing company, and gained industrial experience working an assistant systems engineer for Tata Consultancy Services, a global IT firm.
|}
 

<headertabs></headertabs>

Women In AppSec

2017-06-24T15:20:42Z

Bil Corry: /* Volunteer Coordinator - India */

=WELCOME=

==Women in Application Security Committee==

The purpose of Women in AppSec (WIA) Committee is to develop leadership, promote active membership and participation, and contributions by women in application security professional communities, globally and locally.

The Women in AppSec program is for anyone who believes that diversity is important to the success of the organization, as well as for women looking to learn more about AppSec or who want to make career connections with like-minded colleagues. This includes female undergraduate and graduate students, instructors, and professionals who are dedicated to information security or application development.

=FIND US=

==Email List==

[https://lists.owasp.org/mailman/listinfo/appsec_usa_women_in_security WIA List and Archive]

==Twitter==

[https://twitter.com/owaspwia @OWASPWIA]

==Slack Channel==

[https://owasp.slack.com/messages/C2NUH1J5B/ WIA Slack Channel]

You can get an OWASP Slack invite here: [https://owasp.herokuapp.com/ OWASP Slack Invite]

=WIA PURPOSE AND SCOPE=

==Purpose==

The purpose of Women in AppSec (WIA) Committee is to develop leadership, promote active membership and participation, and contributions by women in application security professional communities, globally and locally.

==Scope==

The scope for OWASP WIA Committee falls into the following areas:

# Attract women to OWASP, as active members, contributors and leaders.
# Offer opportunities for women to become engaged in AppSec and related professional communities.
# Provide inclusive targeted application security programs for all women learners.
# Provide inclusive training and mentorship for all interested OWASP women.
# Provide financial support to OWASP women members through scholarships, sponsorships, and grant making.
# Pursue fundraising, advancement and development to secure financial support for OWASP WIA activities..
# Integrate WIA track and related activities into OWASP events at all levels.
# Cultivate women for community leadership, speakers for conferences, thought leadership, learning leaders, and local chapter events.
# Collaborate with other committees and initiatives as needs present.
# Collaborate with local OWASP Chapters and Global OWASP leadership, including but not limited to offering advisory support to local and global OWASP leadership for WIA advancement and collaboratively building pro-WIA OWASP communities.
# Develop other special projects and events designed to further the purpose of WIA.

=MEMBERSHIP=

==Membership Types==

===Voting===

Voting Members are members of OWASP who have formally joined the WIA Committee. Voting Members are allowed to vote on Committee business and are allowed to serve in one of the five officer positions of the Committee.

In order to become a Voting Member, you must first become a Participating Member and participate for three months, become an OWASP member in good standing, and obtain a written endorsement from a current Voting Member or an OWASP Board of Director. Once all three criteria are met, you must formally request to join as a Voting Member to the WIA List. The Voting Members then vote via the WIA list, and if you receive a majority affirmative vote, you are then made a Voting Member.

Voting Members have an obligation to maintain participation and to reaffirm their commitment every six months (the Secretary will send an email every six months to affirm commitment, replying "no" or not replying will result in removal).

===Participating===

Participating Members are anyone that is interested in volunteering time to the WIA Committee or sub-committees. Participating Members are able to participate in all activities, with the exception of voting and serving in one of the five Committee officer roles.

In order to become a Participating member, you must express your volunteering commitment to the Secretary, who will then add you to the Membership List. Participating Members can withdraw their commitment at any time by notifying the Secretary. Participating Members do not need to be OWASP members.

==Membership List==

[https://docs.google.com/spreadsheets/d/1T7I0FJwfrI-h3XY-iL5URNNeZ-A0wxPTV0nfQHrSZVs/edit?usp=sharing Membership List]

=GOVERNANCE=

==Operating Model==

WIA is a formal Committee of OWASP. WIA is governed by the rules set forth in the [https://www.owasp.org/index.php/Governance/OWASP_Committees OWASP Committees 2.0 Operational Model].

==Committee Officers==

#Chair
##TBD for 2017 Term
##Duties
###Open/run the meetings
###Put items to vote and announce the result
###Oversee progress of committee activities
###Participates in fundraising activities/sponsorship acquisition
#Vice-Chair
##TBD for 2017 Term
##Duties
###Serve in place of the chair when the chair is not available, temporarily or permanently
###Confirm and validate results of votes
###Help the chair oversee progress of committee activities
###Participates in fundraising activities/sponsorship acquisition
###Run doodles for upcoming meetings
###Send out meeting invites
#Secretary
##TBD for 2017 Term
##Duties
###Maintain the WIA membership list and associated bookkeeping
###Take attendance/minutes at meetings
###Create an agenda for each meeting, put out a call to members for agenda items
###Post agendas and meetings
###Edit/update committee Wiki page
#Treasurer
##TBD for 2017 Term
##Duties
###Maintain budget
###Track income and expenses for all committee activities
###Report at each meeting the expenditures and incoming revenue for the month and the balance of the fund
###Check the balance of the WIA budget with the OWASP accountant quarterly
###Participates in fundraising activities/sponsorship acquisition

Note: Only Voting Members may serve as Committee Officers

==Sub-Committee Coordinators==

#Volunteer Coordinator
##TBD for 2017 Term
##Duties
###Recruit new members for WIA/volunteers for specific events
###Schedule/train volunteers as needed
###Provides direction and coordination for volunteers
###Plan for retention and replacement
###Support in fundraising activities/sponsorship acquisition
###Connect with other local active groups in security to create volunteer networking
###Maintain lessons learned in the volunteer recruiting for the different events to improve the recruiting process
###Keep informal/formal contacts with all the volunteer to be able to reach them in case of new needs
#Media Relations Coordinator
##TBD for 2017 Term
##Duties
###Maintain list of media contacts
###Maintain list of media articles mentioning WIA
###Promote WIA to media
###Prepare talking points, messaging strategy
###Work with OWASP Global to issue press releases

Note: All Committee Members may serve as Sub-Committee Coordinators

=2017 ELECTIONS=

==Timeline==
* June 23, 2017 (Friday) - Call for Candidates closes
* June 24, 2017 (Saturday) - Election emails send to voting members
* July 2, 2017 (Sunday) - Election closes
* July 3, 2017 (Monday) - Election results announced on WIA list

==Candidates==
===Committee Officers===

''Positions can only be filled by Voting Members.''

====Chair====
* Tanya Janca

====Vice Chair====
* Loredana Mancini
* Cathy Hall

====Secretary====
* Cathy Hall

====Treasurer====
* Cathy Hall

===Sub-Committee Coordinators===

''Positions can be filled by Voting and Participating Members.''

====Volunteer Coordinator - Asia====
* Vandana Verma

====Volunteer Coordinator - Europe====
* Loredana Mancini

====Volunteer Coordinator - North America====
* Wendy Istvanick

====Media Relations Coordinator====
* Katherine Cancelado

=PREVIOUS WIA ACTIVITIES=

== AppSec EU 2017 ==
Women in AppSec is kicking it up a notch at AppSec EU 2017 and we want YOU to join us! Make sure you stop by during the week to check out our events and to learn more about the group.

Events are free to attend and do not require a conference ticket.

Monday, May 8, 2017 6:00-9:00 pm Networking Session

On Monday 8th May at 6:00 pm in the Waterfront Conference Centre, we will have a group of mentors each give a brief talk about their experience followed by an "unconference" event. During the "unconference" event, we will break into groups to discuss popular technical topics. This will be a fantastic opportunity to engage in mentoring relationships and hear from women in the field. You can sign up for this free event on Meetup.com here: <nowiki>https://www.meetup.com/OWASP-Belfast/events/238434511/</nowiki>

Thursday, May 11, 2017 7:30-8:45 a.m. Mentoring Breakfast

Join us at our pre-conference WiA breakfast in the Waterfront Conference Centre at 7.30 am on Thursday 11th May. A light breakfast will be provided for table discussions on various topics. This will also be a second opportunity to chat with anyone you didn't get to during the Monday evening event. Details to register for this event will be available soon, it will also be free to attend.

=== Wondering what to expect? ===
Organisers Michelle and Claire discuss what you can expect here:

<nowiki>https://drive.google.com/open?id=0B3mw0mZ4CcgtbG5FUDJxbzVqX28</nowiki>

=== Interested in being a Mentor? ===
We’re looking for mentors to participate in both events. Both men and women are invited to contribute as mentors. This is the commitment we’re asking for:
* A picture and bio for the website
* A time commitment of two hours between the two events
** 30+ minutes at the networking event
** 1½ hours at the mentoring breakfast
Let us know if you’re interested in joining us!

<nowiki>https://docs.google.com/forms/d/e/1FAIpQLSfy0qx9hnkJiCiceeUDmaq78i9aYXeGsHNv9B95Z_ZeN5Z_KA/viewform</nowiki>

Not sure if you’re interested yet? Provide your email address for updates as they become available.

<nowiki>https://docs.google.com/forms/d/e/1FAIpQLSc2DYBKcGzESX6U8-Syohqvm_g7bLLyTBPaw5E7sUj5KO3O4A/viewform</nowiki>

'''We look forward to seeing you at AppSec EU 2017!'''

=== Meet the EU WIA planning team ===
* === Michelle Simpson === Security Consultant at NCC Group
* === Claire Burn === Field Applications Engineer at Titan-IC
* === Cathy Hall === Principal Consultant at Sila Solutions Group
* === Owen Pendelbury === Manager Cyber Risk Services - Penetration Testing @ Deloitte
* === Zoe Braiterman === Business Studies graduate from Drew University
* === Wendy Istvanick === Object Tactician at ThoughtWorks
* === Fiona Collins === IT Security Engineer, Staff at Qualcomm
* === Bev Corwin === Director of Technology at DDC
* === Loredana Mancini === Chief Operation Officer at ITWAY
* === Emily Verwee === Online Project Manager at The Arc of the United States
* === Tiffany Long === Community Manager at OWASP

== AppSec USA 2015 ==

'''AppSec USA 2015''' 
The Women in AppSec (WIA) program is for all OWASP members who believe that diversity is important to the success of an organization, as well as for women who want to make career connections with like-minded colleagues. We encourage you to attend our session on Thursday at 3:30pm in Room F, featuring the founders of InfoSec Girls, Apoorva Giri and Shruthi Kamath. 
We also invite you to join us for our networking and “Birds of a Feather” sessions on on Thursday in WIA meeting room . Stop by anytime between 10:00am and 3:30pm to meet other members and learn more about the WIA program. You can also suggest a discussion topic on the sign-up at the room entrance. 
Sponsorship opportunities for commercial organizations and OWASP chapters are also available.

'''AppSec USA 2015''' 
Currently, there is an effort to plan activities for AppSec USA 2015. Volunteers are eagerly sought to support the program at AppSec USA! We are especially excited to invite the founders of the '''InfoSec Girls''' initiative to the AppSec USA 2015 conference. To bring InfoSec Girls to AppSec USA, we need to raise $7500. We are very close to our goal and know that with the support of the OWASP community, we can easily get there! Donations above and beyond our goal will be used for future WIA programs around the world. '''Donate now:''' 

== AppSec EU 2015 ==
During AppSec EU there was a panel discussion and workshop supported by the Women in AppSec initiative. Through these sessions we hoped to encourage women to pursue a career in AppSec and help them realize it is an option for them. These sessions was be open to all so we can help build support for the women around us. Learn more here: [http://2015.appsec.eu/women-in-application-security/ http://2015.appsec.eu/women-in-application-security] 

'''Panel: "Women in AppSec - Making it Happen"''' 
During this panel session we discussed what can be done to Make it Happen for Women in AppSec going forward. What have those currently working in the field done to Make it Happen for themselves and other women; what tips and advice do they have to help you do to make a career for yourself or encourage those around you (sister, friend, daughter, etc…) to pursue a career in AppSec? What can we as professionals can do to help encourage girls to go for a career in AppSec?

'''Workshop''' 
During the workshop we introduced female attendees of the conference to what a career in App Sec can involve. We discussed application security and the many career paths available. We hope to build relationships that may lead to a mentoring program for these women.

== AppSec USA 2013 ==
Learn more about the program here: http://2013.appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/index.html

==Previous Women in AppSec Winners==
Following their experience at AppSec, winners are encouraged to write a short piece about their experience at the conference and their participation in the Women in AppSec program. Here, they outline their experience with the Women in AppSec Program in their own words.

'''Carrie Schaper, 2013 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Carrie Schaper Small.jpg|100px]]
| align="justify" |"OWASP Appsec proved to be a great experience for me, uniting and interacting with friends, professionals, and colleagues from the Information Security space from across the US and Internationally whom were in attendance. The huge space and well organized functions such as the: trainings, expert talks, panels, bug-bounty, lock-picking village and social events all enhanced the conference experience. Participating on the Women in IT panel was a wonderful experience, as many women were in attendance and participated in collaborative discussions. OWASP Appsec held in NY this year, was a premier NY conference not to be missed. Thank you to OWASP, its attendees and organizers."
|}
 

'''Nancy Lornston, 2013 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Nancy Lorntson Small.jpg|100px]]
| align="justify" |"AppSec 2013 was an awesome experience! Nowhere in the world can you find the top security experts all in one place at one time (and participate in a marriage proposal!). The conference presentations were well organized and the speakers were prepared to share pros, cons, successes and failures of their work in order to advance the application security domain. The variety of vendors was terrific as well.

The Women in AppSec panel was an opportunity to advance women's position in the community. Each speaker shared some very candid remarks about their personal experiences and by the end, it was clear that while more work needs to be done, there is a sincere interest by companies, universities and the industry in general to work on doing the things needed to attract more women to the profession.

The training course I attended (Open source tools) lived up to it's billing and I came away with several invaluable tips and strategies to improve our program.

A huge thank you to the Women in App Sec Panel and OWASP in general for this opportunity to attend the premier Application Security Conference in the world."
|}
 

'''Tara Wilson, 2011 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Tara wilson.jpg|100px]]
| align="justify" |“Being fortunate enough to receive the Women in AppSec sponsorhsip is a unique and valuable experience. It is a great opportunity for women to have a chance to bolster their skills and dive deep into the world of application security. I found that attending the conference was not only a great way to experience what the OWASP community has to offer, but it also gives students a chance to network with a great group of people who are passionate about their field and willing to share a wealth of information.”
|}
 

'''Chandni Bhowmik, 2011 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Chandni_bhowmik.jpg|100px]]
| align="justify" |Chandni Bhowmik is currently completing an M.S. in Computer Security and Information Assurance at the Rochester Institute of Technology (RIT). Her first introduction to OWASP was through the project WebScarab during an application security lab last spring at RIT and her interest in OWASP grew ever since. Over the summer, she started programming open source web applications using built-in security features of Django and Python. She is interested in becoming an information security researcher, and hopes to leverage learning at OWASP AppSec USA 2011 in ad-hoc architecture, mobile platforms and over-all concepts of web application security. Besides secure programming, Chandni enjoys her current research involving digital image forensics and machine learning. In addition to attending school, she has interned in IT security and compliance at Paychex, a Rochester based payroll processing company, and gained industrial experience working an assistant systems engineer for Tata Consultancy Services, a global IT firm.
|}
 

<headertabs></headertabs>

Women In AppSec

2017-06-24T15:10:13Z

Bil Corry: finalized candidate list

=WELCOME=

==Women in Application Security Committee==

The purpose of Women in AppSec (WIA) Committee is to develop leadership, promote active membership and participation, and contributions by women in application security professional communities, globally and locally.

The Women in AppSec program is for anyone who believes that diversity is important to the success of the organization, as well as for women looking to learn more about AppSec or who want to make career connections with like-minded colleagues. This includes female undergraduate and graduate students, instructors, and professionals who are dedicated to information security or application development.

=FIND US=

==Email List==

[https://lists.owasp.org/mailman/listinfo/appsec_usa_women_in_security WIA List and Archive]

==Twitter==

[https://twitter.com/owaspwia @OWASPWIA]

==Slack Channel==

[https://owasp.slack.com/messages/C2NUH1J5B/ WIA Slack Channel]

You can get an OWASP Slack invite here: [https://owasp.herokuapp.com/ OWASP Slack Invite]

=WIA PURPOSE AND SCOPE=

==Purpose==

The purpose of Women in AppSec (WIA) Committee is to develop leadership, promote active membership and participation, and contributions by women in application security professional communities, globally and locally.

==Scope==

The scope for OWASP WIA Committee falls into the following areas:

# Attract women to OWASP, as active members, contributors and leaders.
# Offer opportunities for women to become engaged in AppSec and related professional communities.
# Provide inclusive targeted application security programs for all women learners.
# Provide inclusive training and mentorship for all interested OWASP women.
# Provide financial support to OWASP women members through scholarships, sponsorships, and grant making.
# Pursue fundraising, advancement and development to secure financial support for OWASP WIA activities..
# Integrate WIA track and related activities into OWASP events at all levels.
# Cultivate women for community leadership, speakers for conferences, thought leadership, learning leaders, and local chapter events.
# Collaborate with other committees and initiatives as needs present.
# Collaborate with local OWASP Chapters and Global OWASP leadership, including but not limited to offering advisory support to local and global OWASP leadership for WIA advancement and collaboratively building pro-WIA OWASP communities.
# Develop other special projects and events designed to further the purpose of WIA.

=MEMBERSHIP=

==Membership Types==

===Voting===

Voting Members are members of OWASP who have formally joined the WIA Committee. Voting Members are allowed to vote on Committee business and are allowed to serve in one of the five officer positions of the Committee.

In order to become a Voting Member, you must first become a Participating Member and participate for three months, become an OWASP member in good standing, and obtain a written endorsement from a current Voting Member or an OWASP Board of Director. Once all three criteria are met, you must formally request to join as a Voting Member to the WIA List. The Voting Members then vote via the WIA list, and if you receive a majority affirmative vote, you are then made a Voting Member.

Voting Members have an obligation to maintain participation and to reaffirm their commitment every six months (the Secretary will send an email every six months to affirm commitment, replying "no" or not replying will result in removal).

===Participating===

Participating Members are anyone that is interested in volunteering time to the WIA Committee or sub-committees. Participating Members are able to participate in all activities, with the exception of voting and serving in one of the five Committee officer roles.

In order to become a Participating member, you must express your volunteering commitment to the Secretary, who will then add you to the Membership List. Participating Members can withdraw their commitment at any time by notifying the Secretary. Participating Members do not need to be OWASP members.

==Membership List==

[https://docs.google.com/spreadsheets/d/1T7I0FJwfrI-h3XY-iL5URNNeZ-A0wxPTV0nfQHrSZVs/edit?usp=sharing Membership List]

=GOVERNANCE=

==Operating Model==

WIA is a formal Committee of OWASP. WIA is governed by the rules set forth in the [https://www.owasp.org/index.php/Governance/OWASP_Committees OWASP Committees 2.0 Operational Model].

==Committee Officers==

#Chair
##TBD for 2017 Term
##Duties
###Open/run the meetings
###Put items to vote and announce the result
###Oversee progress of committee activities
###Participates in fundraising activities/sponsorship acquisition
#Vice-Chair
##TBD for 2017 Term
##Duties
###Serve in place of the chair when the chair is not available, temporarily or permanently
###Confirm and validate results of votes
###Help the chair oversee progress of committee activities
###Participates in fundraising activities/sponsorship acquisition
###Run doodles for upcoming meetings
###Send out meeting invites
#Secretary
##TBD for 2017 Term
##Duties
###Maintain the WIA membership list and associated bookkeeping
###Take attendance/minutes at meetings
###Create an agenda for each meeting, put out a call to members for agenda items
###Post agendas and meetings
###Edit/update committee Wiki page
#Treasurer
##TBD for 2017 Term
##Duties
###Maintain budget
###Track income and expenses for all committee activities
###Report at each meeting the expenditures and incoming revenue for the month and the balance of the fund
###Check the balance of the WIA budget with the OWASP accountant quarterly
###Participates in fundraising activities/sponsorship acquisition

Note: Only Voting Members may serve as Committee Officers

==Sub-Committee Coordinators==

#Volunteer Coordinator
##TBD for 2017 Term
##Duties
###Recruit new members for WIA/volunteers for specific events
###Schedule/train volunteers as needed
###Provides direction and coordination for volunteers
###Plan for retention and replacement
###Support in fundraising activities/sponsorship acquisition
###Connect with other local active groups in security to create volunteer networking
###Maintain lessons learned in the volunteer recruiting for the different events to improve the recruiting process
###Keep informal/formal contacts with all the volunteer to be able to reach them in case of new needs
#Media Relations Coordinator
##TBD for 2017 Term
##Duties
###Maintain list of media contacts
###Maintain list of media articles mentioning WIA
###Promote WIA to media
###Prepare talking points, messaging strategy
###Work with OWASP Global to issue press releases

Note: All Committee Members may serve as Sub-Committee Coordinators

=2017 ELECTIONS=

==Timeline==
* June 23, 2017 (Friday) - Call for Candidates closes
* June 24, 2017 (Saturday) - Election emails send to voting members
* July 2, 2017 (Sunday) - Election closes
* July 3, 2017 (Monday) - Election results announced on WIA list

==Candidates==
===Committee Officers===

''Positions can only be filled by Voting Members.''

====Chair====
* Tanya Janca

====Vice Chair====
* Loredana Mancini
* Cathy Hall

====Secretary====
* Cathy Hall

====Treasurer====
* Cathy Hall

===Sub-Committee Coordinators===

''Positions can be filled by Voting and Participating Members.''

====Volunteer Coordinator - India====
* Vandana Verma

====Volunteer Coordinator - Europe====
* Loredana Mancini

====Volunteer Coordinator - North America====
* Wendy Istvanick

====Media Relations Coordinator====
* Katherine Cancelado

=PREVIOUS WIA ACTIVITIES=

== AppSec EU 2017 ==
Women in AppSec is kicking it up a notch at AppSec EU 2017 and we want YOU to join us! Make sure you stop by during the week to check out our events and to learn more about the group.

Events are free to attend and do not require a conference ticket.

Monday, May 8, 2017 6:00-9:00 pm Networking Session

On Monday 8th May at 6:00 pm in the Waterfront Conference Centre, we will have a group of mentors each give a brief talk about their experience followed by an "unconference" event. During the "unconference" event, we will break into groups to discuss popular technical topics. This will be a fantastic opportunity to engage in mentoring relationships and hear from women in the field. You can sign up for this free event on Meetup.com here: <nowiki>https://www.meetup.com/OWASP-Belfast/events/238434511/</nowiki>

Thursday, May 11, 2017 7:30-8:45 a.m. Mentoring Breakfast

Join us at our pre-conference WiA breakfast in the Waterfront Conference Centre at 7.30 am on Thursday 11th May. A light breakfast will be provided for table discussions on various topics. This will also be a second opportunity to chat with anyone you didn't get to during the Monday evening event. Details to register for this event will be available soon, it will also be free to attend.

=== Wondering what to expect? ===
Organisers Michelle and Claire discuss what you can expect here:

<nowiki>https://drive.google.com/open?id=0B3mw0mZ4CcgtbG5FUDJxbzVqX28</nowiki>

=== Interested in being a Mentor? ===
We’re looking for mentors to participate in both events. Both men and women are invited to contribute as mentors. This is the commitment we’re asking for:
* A picture and bio for the website
* A time commitment of two hours between the two events
** 30+ minutes at the networking event
** 1½ hours at the mentoring breakfast
Let us know if you’re interested in joining us!

<nowiki>https://docs.google.com/forms/d/e/1FAIpQLSfy0qx9hnkJiCiceeUDmaq78i9aYXeGsHNv9B95Z_ZeN5Z_KA/viewform</nowiki>

Not sure if you’re interested yet? Provide your email address for updates as they become available.

<nowiki>https://docs.google.com/forms/d/e/1FAIpQLSc2DYBKcGzESX6U8-Syohqvm_g7bLLyTBPaw5E7sUj5KO3O4A/viewform</nowiki>

'''We look forward to seeing you at AppSec EU 2017!'''

=== Meet the EU WIA planning team ===
* === Michelle Simpson === Security Consultant at NCC Group
* === Claire Burn === Field Applications Engineer at Titan-IC
* === Cathy Hall === Principal Consultant at Sila Solutions Group
* === Owen Pendelbury === Manager Cyber Risk Services - Penetration Testing @ Deloitte
* === Zoe Braiterman === Business Studies graduate from Drew University
* === Wendy Istvanick === Object Tactician at ThoughtWorks
* === Fiona Collins === IT Security Engineer, Staff at Qualcomm
* === Bev Corwin === Director of Technology at DDC
* === Loredana Mancini === Chief Operation Officer at ITWAY
* === Emily Verwee === Online Project Manager at The Arc of the United States
* === Tiffany Long === Community Manager at OWASP

== AppSec USA 2015 ==

'''AppSec USA 2015''' 
The Women in AppSec (WIA) program is for all OWASP members who believe that diversity is important to the success of an organization, as well as for women who want to make career connections with like-minded colleagues. We encourage you to attend our session on Thursday at 3:30pm in Room F, featuring the founders of InfoSec Girls, Apoorva Giri and Shruthi Kamath. 
We also invite you to join us for our networking and “Birds of a Feather” sessions on on Thursday in WIA meeting room . Stop by anytime between 10:00am and 3:30pm to meet other members and learn more about the WIA program. You can also suggest a discussion topic on the sign-up at the room entrance. 
Sponsorship opportunities for commercial organizations and OWASP chapters are also available.

'''AppSec USA 2015''' 
Currently, there is an effort to plan activities for AppSec USA 2015. Volunteers are eagerly sought to support the program at AppSec USA! We are especially excited to invite the founders of the '''InfoSec Girls''' initiative to the AppSec USA 2015 conference. To bring InfoSec Girls to AppSec USA, we need to raise $7500. We are very close to our goal and know that with the support of the OWASP community, we can easily get there! Donations above and beyond our goal will be used for future WIA programs around the world. '''Donate now:''' 

== AppSec EU 2015 ==
During AppSec EU there was a panel discussion and workshop supported by the Women in AppSec initiative. Through these sessions we hoped to encourage women to pursue a career in AppSec and help them realize it is an option for them. These sessions was be open to all so we can help build support for the women around us. Learn more here: [http://2015.appsec.eu/women-in-application-security/ http://2015.appsec.eu/women-in-application-security] 

'''Panel: "Women in AppSec - Making it Happen"''' 
During this panel session we discussed what can be done to Make it Happen for Women in AppSec going forward. What have those currently working in the field done to Make it Happen for themselves and other women; what tips and advice do they have to help you do to make a career for yourself or encourage those around you (sister, friend, daughter, etc…) to pursue a career in AppSec? What can we as professionals can do to help encourage girls to go for a career in AppSec?

'''Workshop''' 
During the workshop we introduced female attendees of the conference to what a career in App Sec can involve. We discussed application security and the many career paths available. We hope to build relationships that may lead to a mentoring program for these women.

== AppSec USA 2013 ==
Learn more about the program here: http://2013.appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/index.html

==Previous Women in AppSec Winners==
Following their experience at AppSec, winners are encouraged to write a short piece about their experience at the conference and their participation in the Women in AppSec program. Here, they outline their experience with the Women in AppSec Program in their own words.

'''Carrie Schaper, 2013 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Carrie Schaper Small.jpg|100px]]
| align="justify" |"OWASP Appsec proved to be a great experience for me, uniting and interacting with friends, professionals, and colleagues from the Information Security space from across the US and Internationally whom were in attendance. The huge space and well organized functions such as the: trainings, expert talks, panels, bug-bounty, lock-picking village and social events all enhanced the conference experience. Participating on the Women in IT panel was a wonderful experience, as many women were in attendance and participated in collaborative discussions. OWASP Appsec held in NY this year, was a premier NY conference not to be missed. Thank you to OWASP, its attendees and organizers."
|}
 

'''Nancy Lornston, 2013 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Nancy Lorntson Small.jpg|100px]]
| align="justify" |"AppSec 2013 was an awesome experience! Nowhere in the world can you find the top security experts all in one place at one time (and participate in a marriage proposal!). The conference presentations were well organized and the speakers were prepared to share pros, cons, successes and failures of their work in order to advance the application security domain. The variety of vendors was terrific as well.

The Women in AppSec panel was an opportunity to advance women's position in the community. Each speaker shared some very candid remarks about their personal experiences and by the end, it was clear that while more work needs to be done, there is a sincere interest by companies, universities and the industry in general to work on doing the things needed to attract more women to the profession.

The training course I attended (Open source tools) lived up to it's billing and I came away with several invaluable tips and strategies to improve our program.

A huge thank you to the Women in App Sec Panel and OWASP in general for this opportunity to attend the premier Application Security Conference in the world."
|}
 

'''Tara Wilson, 2011 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Tara wilson.jpg|100px]]
| align="justify" |“Being fortunate enough to receive the Women in AppSec sponsorhsip is a unique and valuable experience. It is a great opportunity for women to have a chance to bolster their skills and dive deep into the world of application security. I found that attending the conference was not only a great way to experience what the OWASP community has to offer, but it also gives students a chance to network with a great group of people who are passionate about their field and willing to share a wealth of information.”
|}
 

'''Chandni Bhowmik, 2011 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Chandni_bhowmik.jpg|100px]]
| align="justify" |Chandni Bhowmik is currently completing an M.S. in Computer Security and Information Assurance at the Rochester Institute of Technology (RIT). Her first introduction to OWASP was through the project WebScarab during an application security lab last spring at RIT and her interest in OWASP grew ever since. Over the summer, she started programming open source web applications using built-in security features of Django and Python. She is interested in becoming an information security researcher, and hopes to leverage learning at OWASP AppSec USA 2011 in ad-hoc architecture, mobile platforms and over-all concepts of web application security. Besides secure programming, Chandni enjoys her current research involving digital image forensics and machine learning. In addition to attending school, she has interned in IT security and compliance at Paychex, a Rochester based payroll processing company, and gained industrial experience working an assistant systems engineer for Tata Consultancy Services, a global IT firm.
|}
 

<headertabs></headertabs>

Women In AppSec

2017-06-23T18:13:17Z

Bil Corry: split out volunteer coordinator by region

=WELCOME=

==Women in Application Security Committee==

The purpose of Women in AppSec (WIA) Committee is to develop leadership, promote active membership and participation, and contributions by women in application security professional communities, globally and locally.

The Women in AppSec program is for anyone who believes that diversity is important to the success of the organization, as well as for women looking to learn more about AppSec or who want to make career connections with like-minded colleagues. This includes female undergraduate and graduate students, instructors, and professionals who are dedicated to information security or application development.

=FIND US=

==Email List==

[https://lists.owasp.org/mailman/listinfo/appsec_usa_women_in_security WIA List and Archive]

==Twitter==

[https://twitter.com/owaspwia @OWASPWIA]

==Slack Channel==

[https://owasp.slack.com/messages/C2NUH1J5B/ WIA Slack Channel]

You can get an OWASP Slack invite here: [https://owasp.herokuapp.com/ OWASP Slack Invite]

=WIA PURPOSE AND SCOPE=

==Purpose==

The purpose of Women in AppSec (WIA) Committee is to develop leadership, promote active membership and participation, and contributions by women in application security professional communities, globally and locally.

==Scope==

The scope for OWASP WIA Committee falls into the following areas:

# Attract women to OWASP, as active members, contributors and leaders.
# Offer opportunities for women to become engaged in AppSec and related professional communities.
# Provide inclusive targeted application security programs for all women learners.
# Provide inclusive training and mentorship for all interested OWASP women.
# Provide financial support to OWASP women members through scholarships, sponsorships, and grant making.
# Pursue fundraising, advancement and development to secure financial support for OWASP WIA activities..
# Integrate WIA track and related activities into OWASP events at all levels.
# Cultivate women for community leadership, speakers for conferences, thought leadership, learning leaders, and local chapter events.
# Collaborate with other committees and initiatives as needs present.
# Collaborate with local OWASP Chapters and Global OWASP leadership, including but not limited to offering advisory support to local and global OWASP leadership for WIA advancement and collaboratively building pro-WIA OWASP communities.
# Develop other special projects and events designed to further the purpose of WIA.

=MEMBERSHIP=

==Membership Types==

===Voting===

Voting Members are members of OWASP who have formally joined the WIA Committee. Voting Members are allowed to vote on Committee business and are allowed to serve in one of the five officer positions of the Committee.

In order to become a Voting Member, you must first become a Participating Member and participate for three months, become an OWASP member in good standing, and obtain a written endorsement from a current Voting Member or an OWASP Board of Director. Once all three criteria are met, you must formally request to join as a Voting Member to the WIA List. The Voting Members then vote via the WIA list, and if you receive a majority affirmative vote, you are then made a Voting Member.

Voting Members have an obligation to maintain participation and to reaffirm their commitment every six months (the Secretary will send an email every six months to affirm commitment, replying "no" or not replying will result in removal).

===Participating===

Participating Members are anyone that is interested in volunteering time to the WIA Committee or sub-committees. Participating Members are able to participate in all activities, with the exception of voting and serving in one of the five Committee officer roles.

In order to become a Participating member, you must express your volunteering commitment to the Secretary, who will then add you to the Membership List. Participating Members can withdraw their commitment at any time by notifying the Secretary. Participating Members do not need to be OWASP members.

==Membership List==

[https://docs.google.com/spreadsheets/d/1T7I0FJwfrI-h3XY-iL5URNNeZ-A0wxPTV0nfQHrSZVs/edit?usp=sharing Membership List]

=GOVERNANCE=

==Operating Model==

WIA is a formal Committee of OWASP. WIA is governed by the rules set forth in the [https://www.owasp.org/index.php/Governance/OWASP_Committees OWASP Committees 2.0 Operational Model].

==Committee Officers==

#Chair
##TBD for 2017 Term
##Duties
###Open/run the meetings
###Put items to vote and announce the result
###Oversee progress of committee activities
###Participates in fundraising activities/sponsorship acquisition
#Vice-Chair
##TBD for 2017 Term
##Duties
###Serve in place of the chair when the chair is not available, temporarily or permanently
###Confirm and validate results of votes
###Help the chair oversee progress of committee activities
###Participates in fundraising activities/sponsorship acquisition
###Run doodles for upcoming meetings
###Send out meeting invites
#Secretary
##TBD for 2017 Term
##Duties
###Maintain the WIA membership list and associated bookkeeping
###Take attendance/minutes at meetings
###Create an agenda for each meeting, put out a call to members for agenda items
###Post agendas and meetings
###Edit/update committee Wiki page
#Treasurer
##TBD for 2017 Term
##Duties
###Maintain budget
###Track income and expenses for all committee activities
###Report at each meeting the expenditures and incoming revenue for the month and the balance of the fund
###Check the balance of the WIA budget with the OWASP accountant quarterly
###Participates in fundraising activities/sponsorship acquisition

Note: Only Voting Members may serve as Committee Officers

==Sub-Committee Coordinators==

#Volunteer Coordinator
##TBD for 2017 Term
##Duties
###Recruit new members for WIA/volunteers for specific events
###Schedule/train volunteers as needed
###Provides direction and coordination for volunteers
###Plan for retention and replacement
###Support in fundraising activities/sponsorship acquisition
###Connect with other local active groups in security to create volunteer networking
###Maintain lessons learned in the volunteer recruiting for the different events to improve the recruiting process
###Keep informal/formal contacts with all the volunteer to be able to reach them in case of new needs
#Media Relations Coordinator
##TBD for 2017 Term
##Duties
###Maintain list of media contacts
###Maintain list of media articles mentioning WIA
###Promote WIA to media
###Prepare talking points, messaging strategy
###Work with OWASP Global to issue press releases

Note: All Committee Members may serve as Sub-Committee Coordinators

=2017 ELECTIONS=

==Timeline==
* June 23, 2017 (Friday) - Call for Candidates closes
* June 24, 2017 (Saturday) - Election emails send to voting members
* July 2, 2017 (Sunday) - Election closes
* July 3, 2017 (Monday) - Election results announced on WIA list

==Candidates==
===Committee Officers===

''Positions can only be filled by Voting Members.''

====Chair====
* Bev Corwin

====Vice Chair====
* Loredana Mancini
* Cathy Hall

====Secretary====
* Cathy Hall

====Treasurer====
* Cathy Hall

===Sub-Committee Coordinators===

''Positions can be filled by Voting and Participating Members.''

====Volunteer Coordinator - North America====
* Wendy Istvanick

====Volunteer Coordinator - Europe====
* Loredana Mancini

====Media Relations Coordinator====
* Katherine Cancelado

=PREVIOUS WIA ACTIVITIES=

== AppSec EU 2017 ==
Women in AppSec is kicking it up a notch at AppSec EU 2017 and we want YOU to join us! Make sure you stop by during the week to check out our events and to learn more about the group.

Events are free to attend and do not require a conference ticket.

Monday, May 8, 2017 6:00-9:00 pm Networking Session

On Monday 8th May at 6:00 pm in the Waterfront Conference Centre, we will have a group of mentors each give a brief talk about their experience followed by an "unconference" event. During the "unconference" event, we will break into groups to discuss popular technical topics. This will be a fantastic opportunity to engage in mentoring relationships and hear from women in the field. You can sign up for this free event on Meetup.com here: <nowiki>https://www.meetup.com/OWASP-Belfast/events/238434511/</nowiki>

Thursday, May 11, 2017 7:30-8:45 a.m. Mentoring Breakfast

Join us at our pre-conference WiA breakfast in the Waterfront Conference Centre at 7.30 am on Thursday 11th May. A light breakfast will be provided for table discussions on various topics. This will also be a second opportunity to chat with anyone you didn't get to during the Monday evening event. Details to register for this event will be available soon, it will also be free to attend.

=== Wondering what to expect? ===
Organisers Michelle and Claire discuss what you can expect here:

<nowiki>https://drive.google.com/open?id=0B3mw0mZ4CcgtbG5FUDJxbzVqX28</nowiki>

=== Interested in being a Mentor? ===
We’re looking for mentors to participate in both events. Both men and women are invited to contribute as mentors. This is the commitment we’re asking for:
* A picture and bio for the website
* A time commitment of two hours between the two events
** 30+ minutes at the networking event
** 1½ hours at the mentoring breakfast
Let us know if you’re interested in joining us!

<nowiki>https://docs.google.com/forms/d/e/1FAIpQLSfy0qx9hnkJiCiceeUDmaq78i9aYXeGsHNv9B95Z_ZeN5Z_KA/viewform</nowiki>

Not sure if you’re interested yet? Provide your email address for updates as they become available.

<nowiki>https://docs.google.com/forms/d/e/1FAIpQLSc2DYBKcGzESX6U8-Syohqvm_g7bLLyTBPaw5E7sUj5KO3O4A/viewform</nowiki>

'''We look forward to seeing you at AppSec EU 2017!'''

=== Meet the EU WIA planning team ===
* === Michelle Simpson === Security Consultant at NCC Group
* === Claire Burn === Field Applications Engineer at Titan-IC
* === Cathy Hall === Principal Consultant at Sila Solutions Group
* === Owen Pendelbury === Manager Cyber Risk Services - Penetration Testing @ Deloitte
* === Zoe Braiterman === Business Studies graduate from Drew University
* === Wendy Istvanick === Object Tactician at ThoughtWorks
* === Fiona Collins === IT Security Engineer, Staff at Qualcomm
* === Bev Corwin === Director of Technology at DDC
* === Loredana Mancini === Chief Operation Officer at ITWAY
* === Emily Verwee === Online Project Manager at The Arc of the United States
* === Tiffany Long === Community Manager at OWASP

== AppSec USA 2015 ==

'''AppSec USA 2015''' 
The Women in AppSec (WIA) program is for all OWASP members who believe that diversity is important to the success of an organization, as well as for women who want to make career connections with like-minded colleagues. We encourage you to attend our session on Thursday at 3:30pm in Room F, featuring the founders of InfoSec Girls, Apoorva Giri and Shruthi Kamath. 
We also invite you to join us for our networking and “Birds of a Feather” sessions on on Thursday in WIA meeting room . Stop by anytime between 10:00am and 3:30pm to meet other members and learn more about the WIA program. You can also suggest a discussion topic on the sign-up at the room entrance. 
Sponsorship opportunities for commercial organizations and OWASP chapters are also available.

'''AppSec USA 2015''' 
Currently, there is an effort to plan activities for AppSec USA 2015. Volunteers are eagerly sought to support the program at AppSec USA! We are especially excited to invite the founders of the '''InfoSec Girls''' initiative to the AppSec USA 2015 conference. To bring InfoSec Girls to AppSec USA, we need to raise $7500. We are very close to our goal and know that with the support of the OWASP community, we can easily get there! Donations above and beyond our goal will be used for future WIA programs around the world. '''Donate now:''' 

== AppSec EU 2015 ==
During AppSec EU there was a panel discussion and workshop supported by the Women in AppSec initiative. Through these sessions we hoped to encourage women to pursue a career in AppSec and help them realize it is an option for them. These sessions was be open to all so we can help build support for the women around us. Learn more here: [http://2015.appsec.eu/women-in-application-security/ http://2015.appsec.eu/women-in-application-security] 

'''Panel: "Women in AppSec - Making it Happen"''' 
During this panel session we discussed what can be done to Make it Happen for Women in AppSec going forward. What have those currently working in the field done to Make it Happen for themselves and other women; what tips and advice do they have to help you do to make a career for yourself or encourage those around you (sister, friend, daughter, etc…) to pursue a career in AppSec? What can we as professionals can do to help encourage girls to go for a career in AppSec?

'''Workshop''' 
During the workshop we introduced female attendees of the conference to what a career in App Sec can involve. We discussed application security and the many career paths available. We hope to build relationships that may lead to a mentoring program for these women.

== AppSec USA 2013 ==
Learn more about the program here: http://2013.appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/index.html

==Previous Women in AppSec Winners==
Following their experience at AppSec, winners are encouraged to write a short piece about their experience at the conference and their participation in the Women in AppSec program. Here, they outline their experience with the Women in AppSec Program in their own words.

'''Carrie Schaper, 2013 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Carrie Schaper Small.jpg|100px]]
| align="justify" |"OWASP Appsec proved to be a great experience for me, uniting and interacting with friends, professionals, and colleagues from the Information Security space from across the US and Internationally whom were in attendance. The huge space and well organized functions such as the: trainings, expert talks, panels, bug-bounty, lock-picking village and social events all enhanced the conference experience. Participating on the Women in IT panel was a wonderful experience, as many women were in attendance and participated in collaborative discussions. OWASP Appsec held in NY this year, was a premier NY conference not to be missed. Thank you to OWASP, its attendees and organizers."
|}
 

'''Nancy Lornston, 2013 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Nancy Lorntson Small.jpg|100px]]
| align="justify" |"AppSec 2013 was an awesome experience! Nowhere in the world can you find the top security experts all in one place at one time (and participate in a marriage proposal!). The conference presentations were well organized and the speakers were prepared to share pros, cons, successes and failures of their work in order to advance the application security domain. The variety of vendors was terrific as well.

The Women in AppSec panel was an opportunity to advance women's position in the community. Each speaker shared some very candid remarks about their personal experiences and by the end, it was clear that while more work needs to be done, there is a sincere interest by companies, universities and the industry in general to work on doing the things needed to attract more women to the profession.

The training course I attended (Open source tools) lived up to it's billing and I came away with several invaluable tips and strategies to improve our program.

A huge thank you to the Women in App Sec Panel and OWASP in general for this opportunity to attend the premier Application Security Conference in the world."
|}
 

'''Tara Wilson, 2011 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Tara wilson.jpg|100px]]
| align="justify" |“Being fortunate enough to receive the Women in AppSec sponsorhsip is a unique and valuable experience. It is a great opportunity for women to have a chance to bolster their skills and dive deep into the world of application security. I found that attending the conference was not only a great way to experience what the OWASP community has to offer, but it also gives students a chance to network with a great group of people who are passionate about their field and willing to share a wealth of information.”
|}
 

'''Chandni Bhowmik, 2011 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Chandni_bhowmik.jpg|100px]]
| align="justify" |Chandni Bhowmik is currently completing an M.S. in Computer Security and Information Assurance at the Rochester Institute of Technology (RIT). Her first introduction to OWASP was through the project WebScarab during an application security lab last spring at RIT and her interest in OWASP grew ever since. Over the summer, she started programming open source web applications using built-in security features of Django and Python. She is interested in becoming an information security researcher, and hopes to leverage learning at OWASP AppSec USA 2011 in ad-hoc architecture, mobile platforms and over-all concepts of web application security. Besides secure programming, Chandni enjoys her current research involving digital image forensics and machine learning. In addition to attending school, she has interned in IT security and compliance at Paychex, a Rochester based payroll processing company, and gained industrial experience working an assistant systems engineer for Tata Consultancy Services, a global IT firm.
|}
 

<headertabs></headertabs>

Women In AppSec

2017-06-23T17:43:19Z

Bil Corry: added a candidate to the election

=WELCOME=

==Women in Application Security Committee==

The purpose of Women in AppSec (WIA) Committee is to develop leadership, promote active membership and participation, and contributions by women in application security professional communities, globally and locally.

The Women in AppSec program is for anyone who believes that diversity is important to the success of the organization, as well as for women looking to learn more about AppSec or who want to make career connections with like-minded colleagues. This includes female undergraduate and graduate students, instructors, and professionals who are dedicated to information security or application development.

=FIND US=

==Email List==

[https://lists.owasp.org/mailman/listinfo/appsec_usa_women_in_security WIA List and Archive]

==Twitter==

[https://twitter.com/owaspwia @OWASPWIA]

==Slack Channel==

[https://owasp.slack.com/messages/C2NUH1J5B/ WIA Slack Channel]

You can get an OWASP Slack invite here: [https://owasp.herokuapp.com/ OWASP Slack Invite]

=WIA PURPOSE AND SCOPE=

==Purpose==

The purpose of Women in AppSec (WIA) Committee is to develop leadership, promote active membership and participation, and contributions by women in application security professional communities, globally and locally.

==Scope==

The scope for OWASP WIA Committee falls into the following areas:

# Attract women to OWASP, as active members, contributors and leaders.
# Offer opportunities for women to become engaged in AppSec and related professional communities.
# Provide inclusive targeted application security programs for all women learners.
# Provide inclusive training and mentorship for all interested OWASP women.
# Provide financial support to OWASP women members through scholarships, sponsorships, and grant making.
# Pursue fundraising, advancement and development to secure financial support for OWASP WIA activities..
# Integrate WIA track and related activities into OWASP events at all levels.
# Cultivate women for community leadership, speakers for conferences, thought leadership, learning leaders, and local chapter events.
# Collaborate with other committees and initiatives as needs present.
# Collaborate with local OWASP Chapters and Global OWASP leadership, including but not limited to offering advisory support to local and global OWASP leadership for WIA advancement and collaboratively building pro-WIA OWASP communities.
# Develop other special projects and events designed to further the purpose of WIA.

=MEMBERSHIP=

==Membership Types==

===Voting===

Voting Members are members of OWASP who have formally joined the WIA Committee. Voting Members are allowed to vote on Committee business and are allowed to serve in one of the five officer positions of the Committee.

In order to become a Voting Member, you must first become a Participating Member and participate for three months, become an OWASP member in good standing, and obtain a written endorsement from a current Voting Member or an OWASP Board of Director. Once all three criteria are met, you must formally request to join as a Voting Member to the WIA List. The Voting Members then vote via the WIA list, and if you receive a majority affirmative vote, you are then made a Voting Member.

Voting Members have an obligation to maintain participation and to reaffirm their commitment every six months (the Secretary will send an email every six months to affirm commitment, replying "no" or not replying will result in removal).

===Participating===

Participating Members are anyone that is interested in volunteering time to the WIA Committee or sub-committees. Participating Members are able to participate in all activities, with the exception of voting and serving in one of the five Committee officer roles.

In order to become a Participating member, you must express your volunteering commitment to the Secretary, who will then add you to the Membership List. Participating Members can withdraw their commitment at any time by notifying the Secretary. Participating Members do not need to be OWASP members.

==Membership List==

[https://docs.google.com/spreadsheets/d/1T7I0FJwfrI-h3XY-iL5URNNeZ-A0wxPTV0nfQHrSZVs/edit?usp=sharing Membership List]

=GOVERNANCE=

==Operating Model==

WIA is a formal Committee of OWASP. WIA is governed by the rules set forth in the [https://www.owasp.org/index.php/Governance/OWASP_Committees OWASP Committees 2.0 Operational Model].

==Committee Officers==

#Chair
##TBD for 2017 Term
##Duties
###Open/run the meetings
###Put items to vote and announce the result
###Oversee progress of committee activities
###Participates in fundraising activities/sponsorship acquisition
#Vice-Chair
##TBD for 2017 Term
##Duties
###Serve in place of the chair when the chair is not available, temporarily or permanently
###Confirm and validate results of votes
###Help the chair oversee progress of committee activities
###Participates in fundraising activities/sponsorship acquisition
###Run doodles for upcoming meetings
###Send out meeting invites
#Secretary
##TBD for 2017 Term
##Duties
###Maintain the WIA membership list and associated bookkeeping
###Take attendance/minutes at meetings
###Create an agenda for each meeting, put out a call to members for agenda items
###Post agendas and meetings
###Edit/update committee Wiki page
#Treasurer
##TBD for 2017 Term
##Duties
###Maintain budget
###Track income and expenses for all committee activities
###Report at each meeting the expenditures and incoming revenue for the month and the balance of the fund
###Check the balance of the WIA budget with the OWASP accountant quarterly
###Participates in fundraising activities/sponsorship acquisition

Note: Only Voting Members may serve as Committee Officers

==Sub-Committee Coordinators==

#Volunteer Coordinator
##TBD for 2017 Term
##Duties
###Recruit new members for WIA/volunteers for specific events
###Schedule/train volunteers as needed
###Provides direction and coordination for volunteers
###Plan for retention and replacement
###Support in fundraising activities/sponsorship acquisition
###Connect with other local active groups in security to create volunteer networking
###Maintain lessons learned in the volunteer recruiting for the different events to improve the recruiting process
###Keep informal/formal contacts with all the volunteer to be able to reach them in case of new needs
#Media Relations Coordinator
##TBD for 2017 Term
##Duties
###Maintain list of media contacts
###Maintain list of media articles mentioning WIA
###Promote WIA to media
###Prepare talking points, messaging strategy
###Work with OWASP Global to issue press releases

Note: All Committee Members may serve as Sub-Committee Coordinators

=2017 ELECTIONS=

==Timeline==
* June 23, 2017 (Friday) - Call for Candidates closes
* June 24, 2017 (Saturday) - Election emails send to voting members
* July 2, 2017 (Sunday) - Election closes
* July 3, 2017 (Monday) - Election results announced on WIA list

==Candidates==
===Committee Officers===

''Positions can only be filled by Voting Members.''

====Chair====
* Bev Corwin

====Vice Chair====
* Loredana Mancini
* Cathy Hall

====Secretary====
* Cathy Hall

====Treasurer====
* Cathy Hall

===Sub-Committee Coordinators===

''Positions can be filled by Voting and Participating Members.''

====Volunteer Coordinator====
*Wendy Istvanick
*Loredana Mancini

====Media Relations Coordinator====
* Katherine Cancelado

=PREVIOUS WIA ACTIVITIES=

== AppSec EU 2017 ==
Women in AppSec is kicking it up a notch at AppSec EU 2017 and we want YOU to join us! Make sure you stop by during the week to check out our events and to learn more about the group.

Events are free to attend and do not require a conference ticket.

Monday, May 8, 2017 6:00-9:00 pm Networking Session

On Monday 8th May at 6:00 pm in the Waterfront Conference Centre, we will have a group of mentors each give a brief talk about their experience followed by an "unconference" event. During the "unconference" event, we will break into groups to discuss popular technical topics. This will be a fantastic opportunity to engage in mentoring relationships and hear from women in the field. You can sign up for this free event on Meetup.com here: <nowiki>https://www.meetup.com/OWASP-Belfast/events/238434511/</nowiki>

Thursday, May 11, 2017 7:30-8:45 a.m. Mentoring Breakfast

Join us at our pre-conference WiA breakfast in the Waterfront Conference Centre at 7.30 am on Thursday 11th May. A light breakfast will be provided for table discussions on various topics. This will also be a second opportunity to chat with anyone you didn't get to during the Monday evening event. Details to register for this event will be available soon, it will also be free to attend.

=== Wondering what to expect? ===
Organisers Michelle and Claire discuss what you can expect here:

<nowiki>https://drive.google.com/open?id=0B3mw0mZ4CcgtbG5FUDJxbzVqX28</nowiki>

=== Interested in being a Mentor? ===
We’re looking for mentors to participate in both events. Both men and women are invited to contribute as mentors. This is the commitment we’re asking for:
* A picture and bio for the website
* A time commitment of two hours between the two events
** 30+ minutes at the networking event
** 1½ hours at the mentoring breakfast
Let us know if you’re interested in joining us!

<nowiki>https://docs.google.com/forms/d/e/1FAIpQLSfy0qx9hnkJiCiceeUDmaq78i9aYXeGsHNv9B95Z_ZeN5Z_KA/viewform</nowiki>

Not sure if you’re interested yet? Provide your email address for updates as they become available.

<nowiki>https://docs.google.com/forms/d/e/1FAIpQLSc2DYBKcGzESX6U8-Syohqvm_g7bLLyTBPaw5E7sUj5KO3O4A/viewform</nowiki>

'''We look forward to seeing you at AppSec EU 2017!'''

=== Meet the EU WIA planning team ===
* === Michelle Simpson === Security Consultant at NCC Group
* === Claire Burn === Field Applications Engineer at Titan-IC
* === Cathy Hall === Principal Consultant at Sila Solutions Group
* === Owen Pendelbury === Manager Cyber Risk Services - Penetration Testing @ Deloitte
* === Zoe Braiterman === Business Studies graduate from Drew University
* === Wendy Istvanick === Object Tactician at ThoughtWorks
* === Fiona Collins === IT Security Engineer, Staff at Qualcomm
* === Bev Corwin === Director of Technology at DDC
* === Loredana Mancini === Chief Operation Officer at ITWAY
* === Emily Verwee === Online Project Manager at The Arc of the United States
* === Tiffany Long === Community Manager at OWASP

== AppSec USA 2015 ==

'''AppSec USA 2015''' 
The Women in AppSec (WIA) program is for all OWASP members who believe that diversity is important to the success of an organization, as well as for women who want to make career connections with like-minded colleagues. We encourage you to attend our session on Thursday at 3:30pm in Room F, featuring the founders of InfoSec Girls, Apoorva Giri and Shruthi Kamath. 
We also invite you to join us for our networking and “Birds of a Feather” sessions on on Thursday in WIA meeting room . Stop by anytime between 10:00am and 3:30pm to meet other members and learn more about the WIA program. You can also suggest a discussion topic on the sign-up at the room entrance. 
Sponsorship opportunities for commercial organizations and OWASP chapters are also available.

'''AppSec USA 2015''' 
Currently, there is an effort to plan activities for AppSec USA 2015. Volunteers are eagerly sought to support the program at AppSec USA! We are especially excited to invite the founders of the '''InfoSec Girls''' initiative to the AppSec USA 2015 conference. To bring InfoSec Girls to AppSec USA, we need to raise $7500. We are very close to our goal and know that with the support of the OWASP community, we can easily get there! Donations above and beyond our goal will be used for future WIA programs around the world. '''Donate now:''' 

== AppSec EU 2015 ==
During AppSec EU there was a panel discussion and workshop supported by the Women in AppSec initiative. Through these sessions we hoped to encourage women to pursue a career in AppSec and help them realize it is an option for them. These sessions was be open to all so we can help build support for the women around us. Learn more here: [http://2015.appsec.eu/women-in-application-security/ http://2015.appsec.eu/women-in-application-security] 

'''Panel: "Women in AppSec - Making it Happen"''' 
During this panel session we discussed what can be done to Make it Happen for Women in AppSec going forward. What have those currently working in the field done to Make it Happen for themselves and other women; what tips and advice do they have to help you do to make a career for yourself or encourage those around you (sister, friend, daughter, etc…) to pursue a career in AppSec? What can we as professionals can do to help encourage girls to go for a career in AppSec?

'''Workshop''' 
During the workshop we introduced female attendees of the conference to what a career in App Sec can involve. We discussed application security and the many career paths available. We hope to build relationships that may lead to a mentoring program for these women.

== AppSec USA 2013 ==
Learn more about the program here: http://2013.appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/index.html

==Previous Women in AppSec Winners==
Following their experience at AppSec, winners are encouraged to write a short piece about their experience at the conference and their participation in the Women in AppSec program. Here, they outline their experience with the Women in AppSec Program in their own words.

'''Carrie Schaper, 2013 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Carrie Schaper Small.jpg|100px]]
| align="justify" |"OWASP Appsec proved to be a great experience for me, uniting and interacting with friends, professionals, and colleagues from the Information Security space from across the US and Internationally whom were in attendance. The huge space and well organized functions such as the: trainings, expert talks, panels, bug-bounty, lock-picking village and social events all enhanced the conference experience. Participating on the Women in IT panel was a wonderful experience, as many women were in attendance and participated in collaborative discussions. OWASP Appsec held in NY this year, was a premier NY conference not to be missed. Thank you to OWASP, its attendees and organizers."
|}
 

'''Nancy Lornston, 2013 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Nancy Lorntson Small.jpg|100px]]
| align="justify" |"AppSec 2013 was an awesome experience! Nowhere in the world can you find the top security experts all in one place at one time (and participate in a marriage proposal!). The conference presentations were well organized and the speakers were prepared to share pros, cons, successes and failures of their work in order to advance the application security domain. The variety of vendors was terrific as well.

The Women in AppSec panel was an opportunity to advance women's position in the community. Each speaker shared some very candid remarks about their personal experiences and by the end, it was clear that while more work needs to be done, there is a sincere interest by companies, universities and the industry in general to work on doing the things needed to attract more women to the profession.

The training course I attended (Open source tools) lived up to it's billing and I came away with several invaluable tips and strategies to improve our program.

A huge thank you to the Women in App Sec Panel and OWASP in general for this opportunity to attend the premier Application Security Conference in the world."
|}
 

'''Tara Wilson, 2011 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Tara wilson.jpg|100px]]
| align="justify" |“Being fortunate enough to receive the Women in AppSec sponsorhsip is a unique and valuable experience. It is a great opportunity for women to have a chance to bolster their skills and dive deep into the world of application security. I found that attending the conference was not only a great way to experience what the OWASP community has to offer, but it also gives students a chance to network with a great group of people who are passionate about their field and willing to share a wealth of information.”
|}
 

'''Chandni Bhowmik, 2011 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Chandni_bhowmik.jpg|100px]]
| align="justify" |Chandni Bhowmik is currently completing an M.S. in Computer Security and Information Assurance at the Rochester Institute of Technology (RIT). Her first introduction to OWASP was through the project WebScarab during an application security lab last spring at RIT and her interest in OWASP grew ever since. Over the summer, she started programming open source web applications using built-in security features of Django and Python. She is interested in becoming an information security researcher, and hopes to leverage learning at OWASP AppSec USA 2011 in ad-hoc architecture, mobile platforms and over-all concepts of web application security. Besides secure programming, Chandni enjoys her current research involving digital image forensics and machine learning. In addition to attending school, she has interned in IT security and compliance at Paychex, a Rochester based payroll processing company, and gained industrial experience working an assistant systems engineer for Tata Consultancy Services, a global IT firm.
|}
 

<headertabs></headertabs>

Women In AppSec

2017-06-22T18:48:39Z

Bil Corry: minor formatting change

=WELCOME=

==Women in Application Security Committee==

The purpose of Women in AppSec (WIA) Committee is to develop leadership, promote active membership and participation, and contributions by women in application security professional communities, globally and locally.

The Women in AppSec program is for anyone who believes that diversity is important to the success of the organization, as well as for women looking to learn more about AppSec or who want to make career connections with like-minded colleagues. This includes female undergraduate and graduate students, instructors, and professionals who are dedicated to information security or application development.

=FIND US=

==Email List==

[https://lists.owasp.org/mailman/listinfo/appsec_usa_women_in_security WIA List and Archive]

==Twitter==

[https://twitter.com/owaspwia @OWASPWIA]

==Slack Channel==

[https://owasp.slack.com/messages/C2NUH1J5B/ WIA Slack Channel]

You can get an OWASP Slack invite here: [https://owasp.herokuapp.com/ OWASP Slack Invite]

=WIA PURPOSE AND SCOPE=

==Purpose==

The purpose of Women in AppSec (WIA) Committee is to develop leadership, promote active membership and participation, and contributions by women in application security professional communities, globally and locally.

==Scope==

The scope for OWASP WIA Committee falls into the following areas:

# Attract women to OWASP, as active members, contributors and leaders.
# Offer opportunities for women to become engaged in AppSec and related professional communities.
# Provide inclusive targeted application security programs for all women learners.
# Provide inclusive training and mentorship for all interested OWASP women.
# Provide financial support to OWASP women members through scholarships, sponsorships, and grant making.
# Pursue fundraising, advancement and development to secure financial support for OWASP WIA activities..
# Integrate WIA track and related activities into OWASP events at all levels.
# Cultivate women for community leadership, speakers for conferences, thought leadership, learning leaders, and local chapter events.
# Collaborate with other committees and initiatives as needs present.
# Collaborate with local OWASP Chapters and Global OWASP leadership, including but not limited to offering advisory support to local and global OWASP leadership for WIA advancement and collaboratively building pro-WIA OWASP communities.
# Develop other special projects and events designed to further the purpose of WIA.

=MEMBERSHIP=

==Membership Types==

===Voting===

Voting Members are members of OWASP who have formally joined the WIA Committee. Voting Members are allowed to vote on Committee business and are allowed to serve in one of the five officer positions of the Committee.

In order to become a Voting Member, you must first become a Participating Member and participate for three months, become an OWASP member in good standing, and obtain a written endorsement from a current Voting Member or an OWASP Board of Director. Once all three criteria are met, you must formally request to join as a Voting Member to the WIA List. The Voting Members then vote via the WIA list, and if you receive a majority affirmative vote, you are then made a Voting Member.

Voting Members have an obligation to maintain participation and to reaffirm their commitment every six months (the Secretary will send an email every six months to affirm commitment, replying "no" or not replying will result in removal).

===Participating===

Participating Members are anyone that is interested in volunteering time to the WIA Committee or sub-committees. Participating Members are able to participate in all activities, with the exception of voting and serving in one of the five Committee officer roles.

In order to become a Participating member, you must express your volunteering commitment to the Secretary, who will then add you to the Membership List. Participating Members can withdraw their commitment at any time by notifying the Secretary. Participating Members do not need to be OWASP members.

==Membership List==

[https://docs.google.com/spreadsheets/d/1T7I0FJwfrI-h3XY-iL5URNNeZ-A0wxPTV0nfQHrSZVs/edit?usp=sharing Membership List]

=GOVERNANCE=

==Operating Model==

WIA is a formal Committee of OWASP. WIA is governed by the rules set forth in the [https://www.owasp.org/index.php/Governance/OWASP_Committees OWASP Committees 2.0 Operational Model].

==Committee Officers==

#Chair
##TBD for 2017 Term
##Duties
###Open/run the meetings
###Put items to vote and announce the result
###Oversee progress of committee activities
###Participates in fundraising activities/sponsorship acquisition
#Vice-Chair
##TBD for 2017 Term
##Duties
###Serve in place of the chair when the chair is not available, temporarily or permanently
###Confirm and validate results of votes
###Help the chair oversee progress of committee activities
###Participates in fundraising activities/sponsorship acquisition
###Run doodles for upcoming meetings
###Send out meeting invites
#Secretary
##TBD for 2017 Term
##Duties
###Maintain the WIA membership list and associated bookkeeping
###Take attendance/minutes at meetings
###Create an agenda for each meeting, put out a call to members for agenda items
###Post agendas and meetings
###Edit/update committee Wiki page
#Treasurer
##TBD for 2017 Term
##Duties
###Maintain budget
###Track income and expenses for all committee activities
###Report at each meeting the expenditures and incoming revenue for the month and the balance of the fund
###Check the balance of the WIA budget with the OWASP accountant quarterly
###Participates in fundraising activities/sponsorship acquisition

Note: Only Voting Members may serve as Committee Officers

==Sub-Committee Coordinators==

#Volunteer Coordinator
##TBD for 2017 Term
##Duties
###Recruit new members for WIA/volunteers for specific events
###Schedule/train volunteers as needed
###Provides direction and coordination for volunteers
###Plan for retention and replacement
###Support in fundraising activities/sponsorship acquisition
###Connect with other local active groups in security to create volunteer networking
###Maintain lessons learned in the volunteer recruiting for the different events to improve the recruiting process
###Keep informal/formal contacts with all the volunteer to be able to reach them in case of new needs
#Media Relations Coordinator
##TBD for 2017 Term
##Duties
###Maintain list of media contacts
###Maintain list of media articles mentioning WIA
###Promote WIA to media
###Prepare talking points, messaging strategy
###Work with OWASP Global to issue press releases

Note: All Committee Members may serve as Sub-Committee Coordinators

=2017 ELECTIONS=

==Timeline==
* June 23, 2017 (Friday) - Call for Candidates closes
* June 24, 2017 (Saturday) - Election emails send to voting members
* July 2, 2017 (Sunday) - Election closes
* July 3, 2017 (Monday) - Election results announced on WIA list

==Candidates==
===Committee Officers===

''Positions can only be filled by Voting Members.''

====Chair====
* Bev Corwin

====Vice Chair====
* Owen Pendlebury
* Loredana Mancini
* Cathy Hall

====Secretary====
* Owen Pendlebury
* Cathy Hall

====Treasurer====
* Owen Pendlebury
* Cathy Hall

===Sub-Committee Coordinators===

''Positions can be filled by Voting and Participating Members.''

====Volunteer Coordinator====
*Wendy Istvanick
*Owen Pendlebury
*Loredana Mancini

====Media Relations Coordinator====
* None

=PREVIOUS WIA ACTIVITIES=

== AppSec USA 2015 ==

'''AppSec USA 2015''' 
The Women in AppSec (WIA) program is for all OWASP members who believe that diversity is important to the success of an organization, as well as for women who want to make career connections with like-minded colleagues. We encourage you to attend our session on Thursday at 3:30pm in Room F, featuring the founders of InfoSec Girls, Apoorva Giri and Shruthi Kamath. 
We also invite you to join us for our networking and “Birds of a Feather” sessions on on Thursday in WIA meeting room . Stop by anytime between 10:00am and 3:30pm to meet other members and learn more about the WIA program. You can also suggest a discussion topic on the sign-up at the room entrance. 
Sponsorship opportunities for commercial organizations and OWASP chapters are also available.

'''AppSec USA 2015''' 
Currently, there is an effort to plan activities for AppSec USA 2015. Volunteers are eagerly sought to support the program at AppSec USA! We are especially excited to invite the founders of the '''InfoSec Girls''' initiative to the AppSec USA 2015 conference. To bring InfoSec Girls to AppSec USA, we need to raise $7500. We are very close to our goal and know that with the support of the OWASP community, we can easily get there! Donations above and beyond our goal will be used for future WIA programs around the world. '''Donate now:''' 

== AppSec EU 2015 ==
During AppSec EU there was a panel discussion and workshop supported by the Women in AppSec initiative. Through these sessions we hoped to encourage women to pursue a career in AppSec and help them realize it is an option for them. These sessions was be open to all so we can help build support for the women around us. Learn more here: [http://2015.appsec.eu/women-in-application-security/ http://2015.appsec.eu/women-in-application-security] 

'''Panel: "Women in AppSec - Making it Happen"''' 
During this panel session we discussed what can be done to Make it Happen for Women in AppSec going forward. What have those currently working in the field done to Make it Happen for themselves and other women; what tips and advice do they have to help you do to make a career for yourself or encourage those around you (sister, friend, daughter, etc…) to pursue a career in AppSec? What can we as professionals can do to help encourage girls to go for a career in AppSec?

'''Workshop''' 
During the workshop we introduced female attendees of the conference to what a career in App Sec can involve. We discussed application security and the many career paths available. We hope to build relationships that may lead to a mentoring program for these women.

== AppSec USA 2013 ==
Learn more about the program here: http://2013.appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/index.html

==Previous Women in AppSec Winners==
Following their experience at AppSec, winners are encouraged to write a short piece about their experience at the conference and their participation in the Women in AppSec program. Here, they outline their experience with the Women in AppSec Program in their own words.

'''Carrie Schaper, 2013 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Carrie Schaper Small.jpg|100px]]
| align="justify" |"OWASP Appsec proved to be a great experience for me, uniting and interacting with friends, professionals, and colleagues from the Information Security space from across the US and Internationally whom were in attendance. The huge space and well organized functions such as the: trainings, expert talks, panels, bug-bounty, lock-picking village and social events all enhanced the conference experience. Participating on the Women in IT panel was a wonderful experience, as many women were in attendance and participated in collaborative discussions. OWASP Appsec held in NY this year, was a premier NY conference not to be missed. Thank you to OWASP, its attendees and organizers."
|}
 

'''Nancy Lornston, 2013 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Nancy Lorntson Small.jpg|100px]]
| align="justify" |"AppSec 2013 was an awesome experience! Nowhere in the world can you find the top security experts all in one place at one time (and participate in a marriage proposal!). The conference presentations were well organized and the speakers were prepared to share pros, cons, successes and failures of their work in order to advance the application security domain. The variety of vendors was terrific as well.

The Women in AppSec panel was an opportunity to advance women's position in the community. Each speaker shared some very candid remarks about their personal experiences and by the end, it was clear that while more work needs to be done, there is a sincere interest by companies, universities and the industry in general to work on doing the things needed to attract more women to the profession.

The training course I attended (Open source tools) lived up to it's billing and I came away with several invaluable tips and strategies to improve our program.

A huge thank you to the Women in App Sec Panel and OWASP in general for this opportunity to attend the premier Application Security Conference in the world."
|}
 

'''Tara Wilson, 2011 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Tara wilson.jpg|100px]]
| align="justify" |“Being fortunate enough to receive the Women in AppSec sponsorhsip is a unique and valuable experience. It is a great opportunity for women to have a chance to bolster their skills and dive deep into the world of application security. I found that attending the conference was not only a great way to experience what the OWASP community has to offer, but it also gives students a chance to network with a great group of people who are passionate about their field and willing to share a wealth of information.”
|}
 

'''Chandni Bhowmik, 2011 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Chandni_bhowmik.jpg|100px]]
| align="justify" |Chandni Bhowmik is currently completing an M.S. in Computer Security and Information Assurance at the Rochester Institute of Technology (RIT). Her first introduction to OWASP was through the project WebScarab during an application security lab last spring at RIT and her interest in OWASP grew ever since. Over the summer, she started programming open source web applications using built-in security features of Django and Python. She is interested in becoming an information security researcher, and hopes to leverage learning at OWASP AppSec USA 2011 in ad-hoc architecture, mobile platforms and over-all concepts of web application security. Besides secure programming, Chandni enjoys her current research involving digital image forensics and machine learning. In addition to attending school, she has interned in IT security and compliance at Paychex, a Rochester based payroll processing company, and gained industrial experience working an assistant systems engineer for Tata Consultancy Services, a global IT firm.
|}
 

<headertabs></headertabs>

Women In AppSec

2017-06-22T18:42:10Z

Bil Corry: add tab on elections with candidates

=WELCOME=

==Women in Application Security Committee==

The purpose of Women in AppSec (WIA) Committee is to develop leadership, promote active membership and participation, and contributions by women in application security professional communities, globally and locally.

The Women in AppSec program is for anyone who believes that diversity is important to the success of the organization, as well as for women looking to learn more about AppSec or who want to make career connections with like-minded colleagues. This includes female undergraduate and graduate students, instructors, and professionals who are dedicated to information security or application development.

=FIND US=

==Email List==

[https://lists.owasp.org/mailman/listinfo/appsec_usa_women_in_security WIA List and Archive]

==Twitter==

[https://twitter.com/owaspwia @OWASPWIA]

==Slack Channel==

[https://owasp.slack.com/messages/C2NUH1J5B/ WIA Slack Channel]

You can get an OWASP Slack invite here: [https://owasp.herokuapp.com/ OWASP Slack Invite]

=WIA PURPOSE AND SCOPE=

==Purpose==

The purpose of Women in AppSec (WIA) Committee is to develop leadership, promote active membership and participation, and contributions by women in application security professional communities, globally and locally.

==Scope==

The scope for OWASP WIA Committee falls into the following areas:

# Attract women to OWASP, as active members, contributors and leaders.
# Offer opportunities for women to become engaged in AppSec and related professional communities.
# Provide inclusive targeted application security programs for all women learners.
# Provide inclusive training and mentorship for all interested OWASP women.
# Provide financial support to OWASP women members through scholarships, sponsorships, and grant making.
# Pursue fundraising, advancement and development to secure financial support for OWASP WIA activities..
# Integrate WIA track and related activities into OWASP events at all levels.
# Cultivate women for community leadership, speakers for conferences, thought leadership, learning leaders, and local chapter events.
# Collaborate with other committees and initiatives as needs present.
# Collaborate with local OWASP Chapters and Global OWASP leadership, including but not limited to offering advisory support to local and global OWASP leadership for WIA advancement and collaboratively building pro-WIA OWASP communities.
# Develop other special projects and events designed to further the purpose of WIA.

=MEMBERSHIP=

==Membership Types==

===Voting===

Voting Members are members of OWASP who have formally joined the WIA Committee. Voting Members are allowed to vote on Committee business and are allowed to serve in one of the five officer positions of the Committee.

In order to become a Voting Member, you must first become a Participating Member and participate for three months, become an OWASP member in good standing, and obtain a written endorsement from a current Voting Member or an OWASP Board of Director. Once all three criteria are met, you must formally request to join as a Voting Member to the WIA List. The Voting Members then vote via the WIA list, and if you receive a majority affirmative vote, you are then made a Voting Member.

Voting Members have an obligation to maintain participation and to reaffirm their commitment every six months (the Secretary will send an email every six months to affirm commitment, replying "no" or not replying will result in removal).

===Participating===

Participating Members are anyone that is interested in volunteering time to the WIA Committee or sub-committees. Participating Members are able to participate in all activities, with the exception of voting and serving in one of the five Committee officer roles.

In order to become a Participating member, you must express your volunteering commitment to the Secretary, who will then add you to the Membership List. Participating Members can withdraw their commitment at any time by notifying the Secretary. Participating Members do not need to be OWASP members.

==Membership List==

[https://docs.google.com/spreadsheets/d/1T7I0FJwfrI-h3XY-iL5URNNeZ-A0wxPTV0nfQHrSZVs/edit?usp=sharing Membership List]

=GOVERNANCE=

==Operating Model==

WIA is a formal Committee of OWASP. WIA is governed by the rules set forth in the [https://www.owasp.org/index.php/Governance/OWASP_Committees OWASP Committees 2.0 Operational Model].

==Committee Officers==

#Chair
##TBD for 2017 Term
##Duties
###Open/run the meetings
###Put items to vote and announce the result
###Oversee progress of committee activities
###Participates in fundraising activities/sponsorship acquisition
#Vice-Chair
##TBD for 2017 Term
##Duties
###Serve in place of the chair when the chair is not available, temporarily or permanently
###Confirm and validate results of votes
###Help the chair oversee progress of committee activities
###Participates in fundraising activities/sponsorship acquisition
###Run doodles for upcoming meetings
###Send out meeting invites
#Secretary
##TBD for 2017 Term
##Duties
###Maintain the WIA membership list and associated bookkeeping
###Take attendance/minutes at meetings
###Create an agenda for each meeting, put out a call to members for agenda items
###Post agendas and meetings
###Edit/update committee Wiki page
#Treasurer
##TBD for 2017 Term
##Duties
###Maintain budget
###Track income and expenses for all committee activities
###Report at each meeting the expenditures and incoming revenue for the month and the balance of the fund
###Check the balance of the WIA budget with the OWASP accountant quarterly
###Participates in fundraising activities/sponsorship acquisition

Note: Only Voting Members may serve as Committee Officers

==Sub-Committee Coordinators==

#Volunteer Coordinator
##TBD for 2017 Term
##Duties
###Recruit new members for WIA/volunteers for specific events
###Schedule/train volunteers as needed
###Provides direction and coordination for volunteers
###Plan for retention and replacement
###Support in fundraising activities/sponsorship acquisition
###Connect with other local active groups in security to create volunteer networking
###Maintain lessons learned in the volunteer recruiting for the different events to improve the recruiting process
###Keep informal/formal contacts with all the volunteer to be able to reach them in case of new needs
#Media Relations Coordinator
##TBD for 2017 Term
##Duties
###Maintain list of media contacts
###Maintain list of media articles mentioning WIA
###Promote WIA to media
###Prepare talking points, messaging strategy
###Work with OWASP Global to issue press releases

Note: All Committee Members may serve as Sub-Committee Coordinators

=2017 ELECTIONS=

==Timeline==
* June 23, 2017 (Friday) - Call for Candidates closes
* June 24, 2017 (Saturday) - Election emails send to voting members
* July 2, 2017 (Sunday) - Election closes
* July 3, 2017 (Monday) - Election results announced on WIA list

==Candidates==
===Committee Officers===

Positions can only be filled by Voting Members.

====Chair====
* Bev Corwin

====Vice Chair====
* Owen Pendlebury
* Loredana Mancini
* Cathy Hall

====Secretary====
* Owen Pendlebury
* Cathy Hall

====Treasurer====
* Owen Pendlebury
* Cathy Hall

===Sub-Committee Coordinators===

Positions can be filled by Voting and Participating Members.

====Volunteer Coordinator====
*Wendy Istvanick
*Owen Pendlebury
*Loredana Mancini

====Media Relations Coordinator====
* None

=PREVIOUS WIA ACTIVITIES=

== AppSec USA 2015 ==

'''AppSec USA 2015''' 
The Women in AppSec (WIA) program is for all OWASP members who believe that diversity is important to the success of an organization, as well as for women who want to make career connections with like-minded colleagues. We encourage you to attend our session on Thursday at 3:30pm in Room F, featuring the founders of InfoSec Girls, Apoorva Giri and Shruthi Kamath. 
We also invite you to join us for our networking and “Birds of a Feather” sessions on on Thursday in WIA meeting room . Stop by anytime between 10:00am and 3:30pm to meet other members and learn more about the WIA program. You can also suggest a discussion topic on the sign-up at the room entrance. 
Sponsorship opportunities for commercial organizations and OWASP chapters are also available.

'''AppSec USA 2015''' 
Currently, there is an effort to plan activities for AppSec USA 2015. Volunteers are eagerly sought to support the program at AppSec USA! We are especially excited to invite the founders of the '''InfoSec Girls''' initiative to the AppSec USA 2015 conference. To bring InfoSec Girls to AppSec USA, we need to raise $7500. We are very close to our goal and know that with the support of the OWASP community, we can easily get there! Donations above and beyond our goal will be used for future WIA programs around the world. '''Donate now:''' 

== AppSec EU 2015 ==
During AppSec EU there was a panel discussion and workshop supported by the Women in AppSec initiative. Through these sessions we hoped to encourage women to pursue a career in AppSec and help them realize it is an option for them. These sessions was be open to all so we can help build support for the women around us. Learn more here: [http://2015.appsec.eu/women-in-application-security/ http://2015.appsec.eu/women-in-application-security] 

'''Panel: "Women in AppSec - Making it Happen"''' 
During this panel session we discussed what can be done to Make it Happen for Women in AppSec going forward. What have those currently working in the field done to Make it Happen for themselves and other women; what tips and advice do they have to help you do to make a career for yourself or encourage those around you (sister, friend, daughter, etc…) to pursue a career in AppSec? What can we as professionals can do to help encourage girls to go for a career in AppSec?

'''Workshop''' 
During the workshop we introduced female attendees of the conference to what a career in App Sec can involve. We discussed application security and the many career paths available. We hope to build relationships that may lead to a mentoring program for these women.

== AppSec USA 2013 ==
Learn more about the program here: http://2013.appsecusa.org/2013/activities/owasp-women-in-application-security-appsec-program/index.html

==Previous Women in AppSec Winners==
Following their experience at AppSec, winners are encouraged to write a short piece about their experience at the conference and their participation in the Women in AppSec program. Here, they outline their experience with the Women in AppSec Program in their own words.

'''Carrie Schaper, 2013 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Carrie Schaper Small.jpg|100px]]
| align="justify" |"OWASP Appsec proved to be a great experience for me, uniting and interacting with friends, professionals, and colleagues from the Information Security space from across the US and Internationally whom were in attendance. The huge space and well organized functions such as the: trainings, expert talks, panels, bug-bounty, lock-picking village and social events all enhanced the conference experience. Participating on the Women in IT panel was a wonderful experience, as many women were in attendance and participated in collaborative discussions. OWASP Appsec held in NY this year, was a premier NY conference not to be missed. Thank you to OWASP, its attendees and organizers."
|}
 

'''Nancy Lornston, 2013 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Nancy Lorntson Small.jpg|100px]]
| align="justify" |"AppSec 2013 was an awesome experience! Nowhere in the world can you find the top security experts all in one place at one time (and participate in a marriage proposal!). The conference presentations were well organized and the speakers were prepared to share pros, cons, successes and failures of their work in order to advance the application security domain. The variety of vendors was terrific as well.

The Women in AppSec panel was an opportunity to advance women's position in the community. Each speaker shared some very candid remarks about their personal experiences and by the end, it was clear that while more work needs to be done, there is a sincere interest by companies, universities and the industry in general to work on doing the things needed to attract more women to the profession.

The training course I attended (Open source tools) lived up to it's billing and I came away with several invaluable tips and strategies to improve our program.

A huge thank you to the Women in App Sec Panel and OWASP in general for this opportunity to attend the premier Application Security Conference in the world."
|}
 

'''Tara Wilson, 2011 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Tara wilson.jpg|100px]]
| align="justify" |“Being fortunate enough to receive the Women in AppSec sponsorhsip is a unique and valuable experience. It is a great opportunity for women to have a chance to bolster their skills and dive deep into the world of application security. I found that attending the conference was not only a great way to experience what the OWASP community has to offer, but it also gives students a chance to network with a great group of people who are passionate about their field and willing to share a wealth of information.”
|}
 

'''Chandni Bhowmik, 2011 Winner'''
{| style="background-color: transparent"
|-
! width="200" align="center" | 
! width="1000" align="center" | 
|-
| align="center" | [[Image:Chandni_bhowmik.jpg|100px]]
| align="justify" |Chandni Bhowmik is currently completing an M.S. in Computer Security and Information Assurance at the Rochester Institute of Technology (RIT). Her first introduction to OWASP was through the project WebScarab during an application security lab last spring at RIT and her interest in OWASP grew ever since. Over the summer, she started programming open source web applications using built-in security features of Django and Python. She is interested in becoming an information security researcher, and hopes to leverage learning at OWASP AppSec USA 2011 in ad-hoc architecture, mobile platforms and over-all concepts of web application security. Besides secure programming, Chandni enjoys her current research involving digital image forensics and machine learning. In addition to attending school, she has interned in IT security and compliance at Paychex, a Rochester based payroll processing company, and gained industrial experience working an assistant systems engineer for Tata Consultancy Services, a global IT firm.
|}
 

<headertabs></headertabs>

Women In AppSec

2017-06-21T23:05:50Z

Bil Corry: add slack invite link

Women In AppSec

2017-06-21T19:54:31Z

Bil Corry: Added duties to roles

Women In AppSec

2017-06-20T22:03:47Z

Bil Corry: Corrected typos, added more to governance

Women In AppSec

2017-06-20T21:35:03Z

Bil Corry: Added membership types and governance link.

Women In AppSec

2017-06-20T21:10:56Z

Bil Corry: added back in headertabs

Women In AppSec

2017-06-20T20:55:06Z

Bil Corry: Removed and/or updated aged content for the Committee

OWASP Board History

2016-11-04T19:36:37Z

Bil Corry: Updating for 2017 election results

The data here was compiled from the OWASP Foundation Tax Returns and official election results. Asterisked years were taken from other sources and may be incomplete.

{| class="wikitable" border="1"
|-
! style="background: #0A2A29; color: white" | 2004 BoD*
! style="background: #0A2A29; color: white" | 2005 BoD*
! style="background: #0A2A29; color: white" | 2006 BoD*
! style="background: #0A2A29; color: white" | 2007 BoD
! style="background: #0A2A29; color: white" | 2008 BoD
! style="background: #0A2A29; color: white" | 2009 BoD
! style="background: #0A2A29; color: white" | 2010 BoD
! style="background: #0A2A29; color: white" | 2011 BoD
! style="background: #0A2A29; color: white" | 2012 BoD
! style="background: #0A2A29; color: white" | 2013 BoD
! style="background: #0A2A29; color: white" | 2014 BoD
! style="background: #0A2A29; color: white" | 2015 BoD
! style="background: #0A2A29; color: white" | 2016 BoD
! style="background: #0A2A29; color: white" | 2017 BoD
|- style="background: #64FE2E; color: black"
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #2ECCFA; color: black"
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #CC2EFA; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| David Anderson
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #00FF80; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Dinis Cruz
| Dinis Cruz
| Dinis Cruz
| Dinis Cruz
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #FA5858; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #FE9A2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| style="background: #0A2A29; color: black" |
| Tom Brennan
| Tom Brennan
|- style="background: #01DF01; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Matt Tesauro
| Matt Tesauro
| Matt Tesauro
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #8181F7; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Eoin Keary
| Eoin Keary
| Eoin Keary
| Eoin Keary
| Eoin Keary
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #F7FE2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Michael Coates
| Michael Coates
| Michael Coates
| Michael Coates
| Michael Coates
| Michael Coates
|- style="background: #0066FF; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Jim Manico
| Jim Manico
| Jim Manico
| Jim Manico
| style="background: #0A2A29; color: black" |
|- style="background: #FFCC00; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Fabio Cerullo
| Fabio Cerullo
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #339933; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Tobias Gondrom
| Tobias Gondrom
| Tobias Gondrom
| Tobias Gondrom
|- style="background: #CC6600; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Josh Sokol
| Josh Sokol
| Josh Sokol
| Josh Sokol
|- style="background: #64FE2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Andrew van der Stock
| Andrew van der Stock
| Andrew van der Stock
|- style="background: #2ECCFA; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Matthew Konda
| Matthew Konda
| Matthew Konda
|- style="background: #FFC744; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Johanna Curiel
|}

OWASP Board History

2015-10-28T21:36:32Z

Bil Corry: Updated with 2016 Election results

The data here was compiled from the OWASP Foundation Tax Returns and official election results. Asterisked years were taken from other sources and may be incomplete.

{| class="wikitable" border="1"
|-
! style="background: #0A2A29; color: white" | 2004 BoD*
! style="background: #0A2A29; color: white" | 2005 BoD*
! style="background: #0A2A29; color: white" | 2006 BoD*
! style="background: #0A2A29; color: white" | 2007 BoD
! style="background: #0A2A29; color: white" | 2008 BoD
! style="background: #0A2A29; color: white" | 2009 BoD
! style="background: #0A2A29; color: white" | 2010 BoD
! style="background: #0A2A29; color: white" | 2011 BoD
! style="background: #0A2A29; color: white" | 2012 BoD
! style="background: #0A2A29; color: white" | 2013 BoD
! style="background: #0A2A29; color: white" | 2014 BoD
! style="background: #0A2A29; color: white" | 2015 BoD
! style="background: #0A2A29; color: white" | 2016 BoD
|- style="background: #64FE2E; color: black"
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #2ECCFA; color: black"
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #CC2EFA; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| David Anderson
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #00FF80; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Dinis Cruz
| Dinis Cruz
| Dinis Cruz
| Dinis Cruz
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #FA5858; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #FE9A2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| style="background: #0A2A29; color: black" |
| Tom Brennan
|- style="background: #01DF01; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Matt Tesauro
| Matt Tesauro
| Matt Tesauro
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #8181F7; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Eoin Keary
| Eoin Keary
| Eoin Keary
| Eoin Keary
| Eoin Keary
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #F7FE2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Michael Coates
| Michael Coates
| Michael Coates
| Michael Coates
| Michael Coates
|- style="background: #0066FF; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Jim Manico
| Jim Manico
| Jim Manico
| Jim Manico
|- style="background: #FFCC00; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Fabio Cerullo
| Fabio Cerullo
| style="background: #0A2A29; color: black" |
|- style="background: #339933; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Tobias Gondrom
| Tobias Gondrom
| Tobias Gondrom
|- style="background: #CC6600; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Josh Sokol
| Josh Sokol
| Josh Sokol
|- style="background: #64FE2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Andrew van der Stock
| Andrew van der Stock
|- style="background: #2ECCFA; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Matthew Konda
| Matthew Konda
|}

OWASP Board History

2015-08-11T08:42:43Z

Bil Corry:

The data here was compiled from the OWASP Foundation Tax Returns and official election results. Asterisked years were taken from other sources and may be incomplete.

{| class="wikitable" border="1"
|-
! style="background: #0A2A29; color: white" | 2004 BoD*
! style="background: #0A2A29; color: white" | 2005 BoD*
! style="background: #0A2A29; color: white" | 2006 BoD*
! style="background: #0A2A29; color: white" | 2007 BoD
! style="background: #0A2A29; color: white" | 2008 BoD
! style="background: #0A2A29; color: white" | 2009 BoD
! style="background: #0A2A29; color: white" | 2010 BoD
! style="background: #0A2A29; color: white" | 2011 BoD
! style="background: #0A2A29; color: white" | 2012 BoD
! style="background: #0A2A29; color: white" | 2013 BoD
! style="background: #0A2A29; color: white" | 2014 BoD
! style="background: #0A2A29; color: white" | 2015 BoD
! style="background: #0A2A29; color: white" | 2016 BoD
|- style="background: #64FE2E; color: black"
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #2ECCFA; color: black"
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #CC2EFA; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| David Anderson
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #00FF80; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Dinis Cruz
| Dinis Cruz
| Dinis Cruz
| Dinis Cruz
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #FA5858; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #FE9A2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| style="background: #0A2A29; color: black" |
| style="background: #FFFFFF; color: black" |
|- style="background: #01DF01; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Matt Tesauro
| Matt Tesauro
| Matt Tesauro
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #8181F7; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Eoin Keary
| Eoin Keary
| Eoin Keary
| Eoin Keary
| Eoin Keary
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #F7FE2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Michael Coates
| Michael Coates
| Michael Coates
| Michael Coates
| style="background: #FFFFFF; color: black" |
|- style="background: #0066FF; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Jim Manico
| Jim Manico
| Jim Manico
| Jim Manico
|- style="background: #FFCC00; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Fabio Cerullo
| Fabio Cerullo
| style="background: #0A2A29; color: black" |
|- style="background: #339933; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Tobias Gondrom
| Tobias Gondrom
| style="background: #FFFFFF; color: black" |
|- style="background: #CC6600; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Josh Sokol
| Josh Sokol
| style="background: #FFFFFF; color: black" |
|- style="background: #64FE2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Andrew van der Stock
| Andrew van der Stock
|- style="background: #2ECCFA; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Matthew Konda
| Matthew Konda
|}

OWASP Board History

2015-07-24T12:04:40Z

Bil Corry: Added 2016 in anticipation of the upcoming elections

The data here was compiled from the OWASP Foundation Tax Returns and official election results. Asterisked years were taken from other sources and may be incomplete.

{| class="wikitable" border="1"
|-
! style="background: #0A2A29; color: white" | 2004 BoD*
! style="background: #0A2A29; color: white" | 2005 BoD*
! style="background: #0A2A29; color: white" | 2006 BoD*
! style="background: #0A2A29; color: white" | 2007 BoD
! style="background: #0A2A29; color: white" | 2008 BoD
! style="background: #0A2A29; color: white" | 2009 BoD
! style="background: #0A2A29; color: white" | 2010 BoD
! style="background: #0A2A29; color: white" | 2011 BoD
! style="background: #0A2A29; color: white" | 2012 BoD
! style="background: #0A2A29; color: white" | 2013 BoD
! style="background: #0A2A29; color: white" | 2014 BoD
! style="background: #0A2A29; color: white" | 2015 BoD
! style="background: #0A2A29; color: white" | 2016 BoD
|- style="background: #64FE2E; color: black"
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #2ECCFA; color: black"
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #CC2EFA; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| David Anderson
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #00FF80; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Dinis Cruz
| Dinis Cruz
| Dinis Cruz
| Dinis Cruz
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #FA5858; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #FE9A2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #01DF01; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Matt Tesauro
| Matt Tesauro
| Matt Tesauro
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #8181F7; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Eoin Keary
| Eoin Keary
| Eoin Keary
| Eoin Keary
| Eoin Keary
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #F7FE2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Michael Coates
| Michael Coates
| Michael Coates
| Michael Coates
| style="background: #FFFFFF; color: black" |
|- style="background: #0066FF; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Jim Manico
| Jim Manico
| Jim Manico
| Jim Manico
|- style="background: #FFCC00; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Fabio Cerullo
| Fabio Cerullo
| style="background: #FFFFFF; color: black" |
|- style="background: #339933; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Tobias Gondrom
| Tobias Gondrom
| style="background: #FFFFFF; color: black" |
|- style="background: #CC6600; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Josh Sokol
| Josh Sokol
| style="background: #FFFFFF; color: black" |
|- style="background: #64FE2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Andrew van der Stock
| Andrew van der Stock
|- style="background: #2ECCFA; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Matthew Konda
| Matthew Konda
|}

OWASP Board History

2014-11-04T20:27:08Z

Bil Corry: Updated with 2015 BoD election results

The data here was compiled from the OWASP Foundation Tax Returns and official election results. Asterisked years were taken from other sources and may be incomplete.

{| class="wikitable" border="1"
|-
! style="background: #0A2A29; color: white" | 2004 BoD*
! style="background: #0A2A29; color: white" | 2005 BoD*
! style="background: #0A2A29; color: white" | 2006 BoD*
! style="background: #0A2A29; color: white" | 2007 BoD
! style="background: #0A2A29; color: white" | 2008 BoD
! style="background: #0A2A29; color: white" | 2009 BoD
! style="background: #0A2A29; color: white" | 2010 BoD
! style="background: #0A2A29; color: white" | 2011 BoD
! style="background: #0A2A29; color: white" | 2012 BoD
! style="background: #0A2A29; color: white" | 2013 BoD
! style="background: #0A2A29; color: white" | 2014 BoD
! style="background: #0A2A29; color: white" | 2015 BoD
|- style="background: #64FE2E; color: black"
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #2ECCFA; color: black"
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #CC2EFA; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| David Anderson
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #00FF80; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Dinis Cruz
| Dinis Cruz
| Dinis Cruz
| Dinis Cruz
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #FA5858; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #FE9A2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| style="background: #0A2A29; color: black" |
|- style="background: #01DF01; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Matt Tesauro
| Matt Tesauro
| Matt Tesauro
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #8181F7; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Eoin Keary
| Eoin Keary
| Eoin Keary
| Eoin Keary
| Eoin Keary
| style="background: #0A2A29; color: black" |
|- style="background: #F7FE2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Michael Coates
| Michael Coates
| Michael Coates
| Michael Coates
|- style="background: #0066FF; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Jim Manico
| Jim Manico
| Jim Manico
|- style="background: #FFCC00; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Fabio Cerullo
| Fabio Cerullo
|- style="background: #339933; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Tobias Gondrom
| Tobias Gondrom
|- style="background: #CC6600; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Josh Sokol
| Josh Sokol
|- style="background: #64FE2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Andrew van der Stock
|- style="background: #2ECCFA; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Matthew Konda
|}

OWASP Board History

2014-09-12T07:14:12Z

Bil Corry: Getting ready for 2015 elections

The data here was compiled from the OWASP Foundation Tax Returns and official election results. Asterisked years were taken from other sources and may be incomplete.

{| class="wikitable" border="1"
|-
! style="background: #0A2A29; color: white" | 2004 BoD*
! style="background: #0A2A29; color: white" | 2005 BoD*
! style="background: #0A2A29; color: white" | 2006 BoD*
! style="background: #0A2A29; color: white" | 2007 BoD
! style="background: #0A2A29; color: white" | 2008 BoD
! style="background: #0A2A29; color: white" | 2009 BoD
! style="background: #0A2A29; color: white" | 2010 BoD
! style="background: #0A2A29; color: white" | 2011 BoD
! style="background: #0A2A29; color: white" | 2012 BoD
! style="background: #0A2A29; color: white" | 2013 BoD
! style="background: #0A2A29; color: white" | 2014 BoD
! style="background: #0A2A29; color: white" | 2015 BoD
|- style="background: #64FE2E; color: black"
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| Jeff Williams
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #2ECCFA; color: black"
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| Dave Wichers
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #CC2EFA; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| David Anderson
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #00FF80; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Dinis Cruz
| Dinis Cruz
| Dinis Cruz
| Dinis Cruz
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #FA5858; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| Sebastien Deleersnyder
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #FE9A2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| Tom Brennan
| style="background: #0A2A29; color: black" |
|- style="background: #01DF01; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Matt Tesauro
| Matt Tesauro
| Matt Tesauro
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
|- style="background: #8181F7; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Eoin Keary
| Eoin Keary
| Eoin Keary
| Eoin Keary
| Eoin Keary
| style="background: #0A2A29; color: black" |
|- style="background: #F7FE2E; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Michael Coates
| Michael Coates
| Michael Coates
| Michael Coates
|- style="background: #0066FF; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Jim Manico
| Jim Manico
| style="background: #A4A4A4; color: black" | Candidate
|- style="background: #FFCC00; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Fabio Cerullo
| Fabio Cerullo
|- style="background: #339933; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Tobias Gondrom
| Tobias Gondrom
|- style="background: #CC6600; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Josh Sokol
| Josh Sokol
|- style="background: #A4A4A4; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Candidate
|- style="background: #A4A4A4; color: black"
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| style="background: #0A2A29; color: black" |
| Candidate
|}

Transparency Policy

2014-06-21T12:50:57Z

Bil Corry: Added addtional exclusions, note about complying with court orders

=Transparency Policy=

==Policy Status==
<blockquote>'''WORKING DRAFT''' - this is a working draft being discussed on the [https://lists.owasp.org/mailman/listinfo/governance Governance List]. When completed, this will be presented to the [https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#2014_Global_Board_Members Board of Directors] for adoption. Once accepted, this notice will be updated to reflect the the policy is binding on members.</blockquote>

=="O" is for Open: An introduction==

The "O" in OWASP is for "Open" - Section 1.03 of the [https://www.owasp.org/images/9/92/April2014OWASPFoundationByLaws.pdf OWASP Bylaws] defines the value "Open" to mean:

<blockquote> "Everything at OWASP is radically transparent from our finances to our code."</blockquote>

This raises the question, what does "radically transparent" mean? Is there anything that can't be disclosed to the membership and/or public?

This policy defines what is not allowed to be disclosed, either because of legal, ethical, or privacy obligations.

== Radical Transparency ==

OWASP is committed to making its governance, processes, and finances transparent, so that any outside observer can determine how decisions were considered and ultimately agreed upon. When and where possible, OWASP must provide transparency.

There are, however, certain areas where transparency cannot be provided, either because it violates a law, is unethical, or goes against the expectation of privacy. The rule of thumb for transparency is to default all information as public, or if it must be restricted, the mandate is to make it as widely available as possible.

Levels of information restriction:
# Public (most open)
# All OWASP members, staff, Board of Directors
# Some members and/or staff, Board of Directors
# Executive Director, Compliance Officer, Board of Directors
# Executive Director, Board of Directors
# Board of Directors (most restricted)

== Exclusions from Radical Transparency ==

In this section, an attempt is made to enumerate situations where OWASP cannot provide transparency. Note that this list is not exhaustive, and future situations where there is a question about transparency should use this as a guide.

While OWASP excludes the following information from public disclosure, OWASP will disclose information when compelled by a legally-binding court order.

{| border="1" cellspacing="0" cellpadding="5"
|-
! Exclusion
! Notes
|-
| Staff records as maintained for Human Resources purposes
| Restricted to just staff and BoD members with a legitimate need to access the records. Must never be disclosed unless permission is given from the staff member that the record pertains to.
|-
| Information pertaining to legal action, or pending legal action
| Restricted to just staff and BoD members with a legitimate need to access information. Must never be disclosed publicly either before, during, or after the legal action unless permitted by legal counsel.
|-
| Information pertaining to a whistlerblower complaint, ethics complaint, or similar, including the allegation, the investigation, and the outcome.
| Restricted to just the Compliance officer, BoD members, Executive Director, and select staff when required. Must never be disclosed publicly either before, during, or after the processing of the complaint via the [https://www.owasp.org/index.php/Governance/Whistleblower_Policy Whistlerblower policy]. Should the complaint be made public, then the Board of Directors may choose which information, if any, to release based on the situation and the best interest of the organization.
|-
| Information covered under a Non-Disclosure Agreement (NDA). OWASP should strive to avoid NDAs, but when an NDA is required, that information must be protected per the terms of the NDA. The Board of Directors must always be a party to the NDA, at a minimum.
| Restricted to just the parties covered by the NDA.
|-
| Sensitive data, such as tax ID numbers of individuals, credit card numbers, home addresses, phone numbers, and similar must not be disclosed except as authorized by the owner of the data.
| Restricted to just staff and/or BoD members with a legitimate need to access the data.
|-
| Contents of individual OWASP email accounts.
| Restricted to the person assigned to the OWASP email account.
|}

== Policy Violations ==

All members must comply with this policy, or will be subject to [https://www.owasp.org/index.php/Governance/Whistleblower_Policy disciplinary action], including the possibility of suspension or revocation of membership, exclusion from OWASP events and email lists, or other such action as determined.

Transparency Policy

2014-06-19T14:47:19Z

Bil Corry: Added the whistleblower exception

=Transparency Policy=

==Policy Status==
<blockquote>'''WORKING DRAFT''' - this is a working draft being discussed on the [https://lists.owasp.org/mailman/listinfo/governance Governance List]. When completed, this will be presented to the [https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#2014_Global_Board_Members Board of Directors] for adoption. Once accepted, this notice will be updated to reflect the the policy is binding on members.</blockquote>

=="O" is for Open: An introduction==

The "O" in OWASP is for "Open" - Section 1.03 of the [https://www.owasp.org/images/9/92/April2014OWASPFoundationByLaws.pdf OWASP Bylaws] defines the value "Open" to mean:

<blockquote> "Everything at OWASP is radically transparent from our finances to our code."</blockquote>

This raises the question, what does "radically transparent" mean? Is there anything that can't be disclosed to the membership and/or public?

This policy defines what is not allowed to be disclosed, either because of legal, ethical, or privacy obligations.

== Radical Transparency ==

OWASP is committed to making its governance, processes, and finances transparent, so that any outside observer can determine how decisions were considered and ultimately agreed upon. When and where possible, OWASP must provide transparency.

There are, however, certain areas where transparency cannot be provided, either because it violates a law, is unethical, or goes against the expectation of privacy. The rule of thumb for transparency is to default all information as public, or if it must be restricted, the mandate is to make it as widely available as possible.

Levels of information restriction:
# Public (most open)
# All OWASP members, staff, Board of Directors
# Some members and/or staff, Board of Directors
# Executive Director, Compliance Officer, Board of Directors
# Executive Director, Board of Directors
# Board of Directors (most restricted)

== Exclusions from Radical Transparency ==

In this section, an attempt is made to enumerate situations where OWASP cannot provide transparency. Note that this list is not exhaustive, and future situations where there is a question about transparency should use this as a guide.

{| border="1" cellspacing="0" cellpadding="5"
|-
! Exclusion
! Notes
|-
| Staff records as maintained for Human Resources purposes
| Restricted to just staff and BoD members with a legitimate need to access records. Must never be disclosed unless permission is given from the staff member that the record pertains to.
|-
| Information pertaining to legal action, or pending legal action
| Restricted to just staff and BoD members with a legitimate need to access information. Must never be disclosed publicly either before, during, or after the legal action unless permitted by legal counsel.
|-
| Information pertaining to a whistlerblower complaint, ethics complaint, or similar, including the allegation, the investigation, and the outcome.
| Restricted to just the Compliance officer, BoD members, Executive Director, and select staff when required. Must never be disclosed publicly either before, during, or after the processing of the complaint via the [https://www.owasp.org/index.php/Governance/Whistleblower_Policy Whistlerblower policy]. Should the complaint be made public, then the Board of Directors may choose which information, if any, to release based on the situation and the best interest of the organization.
|}

== Policy Violations ==

All members must comply with this policy, or will be subject to [https://www.owasp.org/index.php/Governance/Whistleblower_Policy disciplinary action], including the possibility of suspension or revocation of membership, exclusion from OWASP events and email lists, or other such action as determined.

Transparency Policy

2014-06-19T14:34:14Z

Bil Corry: cleanup of links

Transparency Policy

2014-06-19T14:32:45Z

Bil Corry: minor rewording of the policy violations section based on a suggestion from Josh Sokol

=Transparency Policy=

==Policy Status==
<blockquote>'''WORKING DRAFT''' - this is a working draft being discussed on the [[https://lists.owasp.org/mailman/listinfo/governance Governance List]]. When completed, this will be presented to the [[https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#2014_Global_Board_Members Board of Directors]] for adoption. Once accepted, this notice will be updated to reflect the the policy is binding on members.</blockquote>

=="O" is for Open: An introduction==

The "O" in OWASP is for "Open" - Section 1.03 of the [[https://www.owasp.org/images/9/92/April2014OWASPFoundationByLaws.pdf OWASP Bylaws]] defines the value "Open" to mean:

<blockquote> "Everything at OWASP is radically transparent from our finances to our code."</blockquote>

This raises the question, what does "radically transparent" mean? Is there anything that can't be disclosed to the membership and/or public?

This policy defines what is not allowed to be disclosed, either because of legal, ethical, or privacy obligations.

== Radical Transparency ==

OWASP is committed to making its governance, processes, and finances transparent, so that any outside observer can determine how decisions were considered and ultimately agreed upon. When and where possible, OWASP must provide transparency.

There are, however, certain areas where transparency cannot be provided, either because it violates a law, is unethical, or goes against the expectation of privacy. The rule of thumb for transparency is to default all information as public, or if it must be restricted, the mandate is to make it as widely available as possible.

Levels of information restriction:
# Public (most open)
# All OWASP members, staff, Board of Directors
# Some members and/or staff, Board of Directors
# Executive Director, Compliance Officer, Board of Directors
# Executive Director, Board of Directors
# Board of Directors (most restricted)

== Exclusions from Radical Transparency ==

In this section, an attempt is made to enumerate situations where OWASP cannot provide transparency. Note that this list is not exhaustive, and future situations where there is a question about transparency should use this as a guide.

{| border="1" cellspacing="0" cellpadding="5"
|-
! Exclusion
! Notes
|-
| Staff records as maintained for Human Resources purposes
| Restricted to just staff and BoD members with a legitimate need to access records. Must never be disclosed unless permission is given from the staff member that the record pertains to.
|-
| Information pertaining to legal action, or pending legal action
| Restricted to just staff and BoD members with a legitimate need to access information. Must never be disclosed publicly either before, during, or after the legal action unless permitted by legal counsel.
|}

== Policy Violations ==

All members must comply with this policy, or will be subject to [[https://www.owasp.org/index.php/Governance/Whistleblower_Policy disciplinary action]], including the possibility of suspension or revocation of membership, exclusion from OWASP events and email lists, or other such action as determined.

Transparency Policy

2014-06-19T10:08:17Z

Bil Corry: Created page

=Transparency Policy=

==Policy Status==
<blockquote>'''WORKING DRAFT''' - this is a working draft being discussed on the [[https://lists.owasp.org/mailman/listinfo/governance Governance List]]. When completed, this will be presented to the [[https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#2014_Global_Board_Members Board of Directors]] for adoption. Once accepted, this notice will be updated to reflect the the policy is binding on members.</blockquote>

=="O" is for Open: An introduction==

The "O" in OWASP is for "Open" - Section 1.03 of the [[https://www.owasp.org/images/9/92/April2014OWASPFoundationByLaws.pdf OWASP Bylaws]] defines the value "Open" to mean:

<blockquote> "Everything at OWASP is radically transparent from our finances to our code."</blockquote>

This raises the question, what does "radically transparent" mean? Is there anything that can't be disclosed to the membership and/or public?

This policy defines what is not allowed to be disclosed, either because of legal, ethical, or privacy obligations.

== Radical Transparency ==

OWASP is committed to making its governance, processes, and finances transparent, so that any outside observer can determine how decisions were considered and ultimately agreed upon. When and where possible, OWASP must provide transparency.

There are, however, certain areas where transparency cannot be provided, either because it violates a law, is unethical, or goes against the expectation of privacy. The rule of thumb for transparency is to default all information as public, or if it must be restricted, the mandate is to make it as widely available as possible.

Levels of information restriction:
# Public (most open)
# All OWASP members, staff, Board of Directors
# Some members and/or staff, Board of Directors
# Executive Director, Compliance Officer, Board of Directors
# Executive Director, Board of Directors
# Board of Directors (most restricted)

== Exclusions from Radical Transparency ==

In this section, an attempt is made to enumerate situations where OWASP cannot provide transparency. Note that this list is not exhaustive, and future situations where there is a question about transparency should use this as a guide.

{| border="1" cellspacing="0" cellpadding="5"
|-
! Exclusion
! Notes
|-
| Staff records as maintained for Human Resources purposes
| Restricted to just staff and BoD members with a legitimate need to access records. Must never be disclosed unless permission is given from the staff member that the record pertains to.
|-
| Information pertaining to legal action, or pending legal action
| Restricted to just staff and BoD members with a legitimate need to access information. Must never be disclosed publicly either before, during, or after the legal action unless permitted by legal counsel.
|}

== Policy Violations ==

All members must comply with this policy, or will be subject to [[https://www.owasp.org/index.php/Governance/Whistleblower_Policy disciplinary action]], including suspension or revocation of membership, and/or exclusion from OWASP events, email lists, or other such action as determined.

Governance

2014-06-19T09:13:40Z

Bil Corry: added link to Transparency Policy

= Purpose =
Describe high level governance and process at OWASP

__TOC__

= OWASP Foundation=
== OWASP Global Board==
* [https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#2013_Global_Board_Members Current OWASP Board]
* OWASP Elections
** [https://www.owasp.org/index.php/2013_Board_Elections 2013]
** [https://www.owasp.org/index.php/Membership/2012_Election 2012]
** [https://www.owasp.org/index.php/Membership/2011Election 2011]
* [https://www.owasp.org/index.php/Governance/Board_Orientation Global Board Orientation and On-boarding Process]
* [https://www.owasp.org/index.php/Governance/Board_Commitment_Agreement Board Orientation Agreement] and [https://www.owasp.org/index.php/Governance/Board_Code_of_Conduct Board Code of Conduct]
* [https://www.owasp.org/index.php/OWASP_Board_Meetings Global Board Meetings]
* [https://www.owasp.org/index.php/OWASP_Board_Votes Board Voting Record]
== OWASP Operations Team==
* [https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Employees_of_the_OWASP_Foundation Current Operations Staff]
* [https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Budgets Foundation Budget]
* [https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Tax_Filings OWASP Tax Filings]
== Policies ==
* [https://www.owasp.org/index.php/OWASP_Foundation_ByLaws OWASP Foundation By-laws]
* [https://www.owasp.org/index.php/Governance/Conflict_of_Interest_Policy Conflict of Interest Policy and Annual Conflict Questionnaire]
* [https://www.owasp.org/index.php/Governance/Whistleblower_Policy Whistleblower and Anti-Retaliation Policy]
* [https://www.owasp.org/index.php/Governance/Conference_Policies Conference Policies: Anti-Harrassment, Privacy Policy, OWASP Code of Ethics]
* [https://www.owasp.org/index.php/Governance/ConflictHandling Handling a Conflict]
* [https://www.owasp.org/index.php/OWASP_brand_usage_rules Brand Usage Rules]
*[https://www.owasp.org/index.php/Governance/Social_Media_Policy Social Media Policy]
* [https://www.owasp.org/index.php/Governance/Signatory_Policy Foundation Signatory Policy]
* [https://owasp.org/index.php/Governance/CorporateSponsorship Corporate Membership Model]
* [https://docs.google.com/document/d/1ADEy8NhgIqi5vyV0JSvOfeIqfIRQSzlOCLCmhEuPAWA/edit?usp=sharing Project Sponsorship Operational Guidelines]
* [https://www.owasp.org/index.php/Transparency_Policy Transparency Policy: "O" is for Open]

* Funding and Spending Guidelines:
** [https://docs.google.com/a/owasp.org/document/d/1yX68nS20qj7QNTcDkKCD3hSfFEbJaBKjoWjc2wF_aLA/edit OWASP Grant Funding and Spending Policy]
** [https://www.owasp.org/index.php/Funding - Community, Initiative, and Outreach Funding (replaces and expands OWASP on the Move)]
** [https://docs.google.com/document/d/15XuKIezpBpNH4BQYwSJ8i9125ga8IBE0IpvkO14RukI/edit?usp=sharing Project Spending Guidelines]

==Request for Comments & Policies under Review==

= Discussing Governance at OWASP =
We have an open mailing list for discussing the overall topic of governance at OWASP.

[https://lists.owasp.org/mailman/listinfo/governance https://lists.owasp.org/mailman/listinfo/governance]

Habla

2014-04-21T23:54:02Z

Bil Corry: PoC

The OWASP Top Ten is important, especially A8.

Read more about [https://www.owasp.org/index.php?title=Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)&setlang=es A8 aka CSRF]

Board

2013-11-09T11:48:13Z

Bil Corry: added link to historical board members

__NOTOC__

= About the OWASP Board =

== Current OWASP Global Board ==

[[User:MichaelCoates|Michael Coates]] - OWASP Chair - San Fransisco, CA USA
 michael.coates(at)owasp.org

[[User:Sdeleersnyder|Sebastien Deleersnyder]] - Vice Chair - Belgium
 seba(at)owasp.org

[[User:Wichers|Dave Wichers]] - Treasurer - Maryland, USA
 dave.wichers(at)owasp.org

[[User:EoinKeary|Eoin Keary]] - Secretary - Dublin, Ireland
 eoin(at)owasp.org

[[User:Brennan|Tom Brennan]] - Special Projects: New Jersey, USA
 tom.brennan(at)owasp.org

[[User:Jmanico|Jim Manico]] - Special Projects: Hawaii, USA
 jim.manico(at)owasp.org

== OWASP Board Elections ==
=== 2013 Election ===
[https://www.owasp.org/index.php/2013_Board_Elections 2013 Board Election]
=== 2012 Election ===
[https://www.owasp.org/index.php/Membership/2012_Election 2012 Board Election]
=== 2011 Election ===
[https://www.owasp.org/index.php/Membership/2011Election 2011 Board Election]
=== 2009 Election ===
[https://www.owasp.org/index.php/Board_Election_2009 2009 Board Election]

= Agenda for 2013 Meetings =

* Teleconference Information: https://www3.gotomeeting.com/join/942894438
* 12:00pm - 1:30pm EST
* [https://www.owasp.org/index.php/International_Toll_Free_Calling_Information International Toll Free Calling Info]
* [https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0ApZ9zE0hx0LNdG5uRzNYZE8ycDFabnBWNkU4SFpwREE Board Meeting Attendance Tracking]

* '''Note''' - Beginning with the March 2013 meeting, all board meetings are recorded.

* Meeting Template found [https://www.owasp.org/index.php/Board-Meeting-template here]

== Upcoming 2013 Meetings ==

*[[November 11, 2013]] - cancelled due to in person meeting on Nov. 22

*[[November 22, 2013]] - In person meeting at AppSec USA - New York, NY

*[[December 9, 2013]]

== Past 2013 Meetings ==
*[[October 14, 2013]]

*[[September 9, 2013]]

*[[August 12, 2013]] - canceled due to in person meeting on Aug 19

*[[In person meeting at AppSec EU - Hamburg, Germany; August 19-24]]

*[[July 8, 2013]]

*[[June 10, 2013]]

*[[May 31, 2013]]

*[[May 13, 2013]]

*[[April 8, 2013]]

*[[March 11, 2013]]

*[[January 14, 2013]]

*[[February 11, 2013]]

= Board Communication and Documentation =

[https://www.owasp.org/images/0/05/OWASP_Foundation_ByLaws.pdf ByLaws] 
[https://docs.google.com/a/owasp.org/folder/d/0BxI4iTO_QojvNW9jaXFyWGZwR28/edit Weekly Board/Staff Communication Documents] 
[https://www.google.com/calendar/embed?src=owasp.org_d1dcflbc5oul9nji1ftc3pjji8@group.calendar.google.com&ctz=Pacific/Honolulu OWASP Board Calendar]

= Archive and Voting History =

[https://www.owasp.org/index.php/OWASP_Board_History Historical Board Members by Year]

[https://www.owasp.org/index.php/OWASP_Board_Votes Historical Board Votes]

== Agenda for 2012 Meetings ==

[https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0ApZ9zE0hx0LNdG5uRzNYZE8ycDFabnBWNkU4SFpwREE Board Meeting Attendance Tracking]

OWASP Foundation [https://www.owasp.org/images/a/ae/2012ByLawsFINAL.pdf ByLaws]

[https://www.owasp.org/index.php/Global_Committee_Pages Global Committees]

*[[January 9, 2012]]

*[[February 6, 2012]]

*[[February 15, 2012]]

*[[March 12, 2012]]

*[[April 5, 2012]]

*[[May 14,2012]]

*[[June 11, 2012]]

*[[July 11, 2012]]

*[[Aug 13, 2012]]

*[[Sept 10, 2012]]

*[[Oct 8, 2012]]

*[[Oct 24, 2012]]

*[[Nov 12, 2012]]

*[[Nov 26, 2012]] - 2013 Budget Focused

*[[Dec 10, 2012]]

*[[Dec 27, 2012]] - 2013 Budget Focused

== Agendas for 2011 Meetings ==

*[[January 3, 2011]]

*[[March 7, 2011]]

*[[April_4_2011]]

*[[May_2_2011]]

*[[June 6, 2011]]

*[[July 11, 2011]]

*[[August 8, 2011]]

*[[September 6, 2011]]

*[[September 20, 2011]]

*[[September 22, 2011]]

*[[October 10, 2011]]

*[[November 14, 2011]]

*[[December 5, 2011]]

== Minutes for 2011 Meetings ==

<hr>

* [https://www.owasp.org/index.php/OWASP_Board_Votes Board Votes Historical]

<hr>

*[[Minutes January 3, 2011]]

*[[Minutes March 8, 2011]]

*[[Minutes April 4, 2011]]

*[[Minutes May 2, 2011]]

*[https://docs.google.com/a/owasp.org/document/d/1VD9ZHEwht9tmM8FKEQ6DBrtmL_gTAhSSnQhiFXYkJ7I/edit?hl=en_US&authkey=CIavkP4B June 6 2011]

*[https://docs.google.com/a/owasp.org/document/d/1VMwYrP6owtZ-SchBxUcWTIF-ITvzUX8PjUkLPwr2ipg/edit?hl=en_US&authkey=CIGTx5sD July 11 2011]

*[https://docs.google.com/a/owasp.org/document/d/1CLu9aQpS7LdeX87rJ5N9cuJ-RGGVzDWf34l6gdMml7M/edit?hl=en_US&authkey=CI-U5qEP August 8, 2011]

*[https://docs.google.com/a/owasp.org/document/d/1HM32VcvWb0hizD5_mhWMULLaouzuRgA3ZYjODRZwyAs/edit?hl=en_US September 6, 2011]

*[https://docs.google.com/a/owasp.org/document/d/1Y-8tZisUZM5ZKP8AxJqvkiNtFanVFM0m--bMG2PZ3ww/edit October 10, 2011]

*[https://docs.google.com/a/owasp.org/document/d/13-aHX2pSUXjCP8ivsbls6u1VX1BVSYewyMUH8LI7zpQ/edit November 14, 2011]

== Agendas for 2010 Meetings ==
*[[January 5, 2010]]

*[[February 2, 2010]]

*[[March 2, 2010]] Postponed until March 9, 2010

*[[April 6, 2010]]

*[[May 4, 2010]]

*[[June 7, 2010]]

*[[July 12, 2010]]

*[[August 2, 2010]]

*[[September 8, 2010]]

*[[October 11, 2010]]

*[[November 9, 2010]]

*[[December_6_2010]]

== Minutes of 2010 Meetings ==

*[[Jan 5, 2010]]

*[[Feb 2, 2010]]

*[[March 2, 2010]]

*[[Minutes April 6, 2010]]

*[[Minutes May 11, 2010]]

*[[Minutes June 7, 2010]]

*[[Minutes July 12, 2010]]

*[[Minutes October 11, 2010]]

*[[Minutes November 9, 2010]]

*[[Minutes_December_6,_2010]]

*[[OWASP Board Meetings January Agenda]]
*[[OWASP Board Meetings February Agenda]]
*[[OWASP Board Meetings March Agenda]]
*[[OWASP Board Meetings April09 Agenda]]
*[[OWASP Board Meetings May09 Agenda]]
*[[OWASP Board Meetings June 09 Agenda]]
*[[OWASP Board Meeting July 7, 2009 Agenda]]
*[[OWASP Board Meeting August 4, 2009 Agenda]]
*[[OWASP Board Meeting September 1, 2009 Agenda]]
*[[OWASP Board Meeting October 6, 2009 Agenda]]
*[[OWASP Board Meeting November 10, 2009 Agenda]]
*[[OWASP Board Meeting December 1, 2009 Agenda]]

== Details of 2009 Meetings ==
* [[OWASP Board Meetings 01-06-09]]
* [[OWASP Board Meetings 02-03-09]]
* [[OWASP Board Meetings 03-10-09]]
* [[OWASP Board Meetings April 09]]
* [[OWASP Board Meetings May 09]]
* [[OWASP Board Meetings June 09]]
* [[OWASP Board Meeting July 09]]
* [[OWASP Board Meeting August 09]]
* [[OWASP Board Meeting September 09]]
* [[OWASP Board Meeting October 09]]
* [[OWASP Board Meeting December 09]]

== Agendas for 2008 Meetings ==
*[[OWASP Board Meetings March Agenda]]
*[[OWASP Board Meetings April Agenda]]
*[[OWASP Board Meetings May Agenda]]
*[[OWASP Board Meetings June Agenda]]
*[[OWASP Board Meetings July Agenda]]
*[[OWASP Board Meetings August Agenda]]
*[[OWASP Board Meetings September Agenda]]
*[[OWASP Board Meetings October Agenda]]
*[[OWASP Board Meetings December Agenda]]

== Details of 2008 Meetings ==
* [[OWASP Board Meetings 2-7-08]]
* [[OWASP Board Meetings 3-6-08]]
* [[OWASP Board Meetings 5-6-08]]
* [[OWASP Board Meetings 6-3-08]]
* [[OWASP Board Meetings 8-14-08]]
* [[OWASP Board Meetings 9-2-08]]
* [[Owasp Board Meetings 10-07-08]]
* [[Owasp Board Meetings 11-07-08]]
* [[Owasp Board Meetings 12-02-08]]

<headertabs/>

OWASP Board History

2013-11-09T11:44:01Z

Bil Corry: added 2014 election results

OWASP Foundation ByLaws

2013-06-08T10:32:06Z

Bil Corry: Added original bylaws from 2004

= Current =

== March 3, 2013 ==

https://www.owasp.org/images/0/05/OWASP_Foundation_ByLaws.pdf

= Historical =

== June 23, 2011 ==

https://www.owasp.org/images/d/d6/2011-06-OWASP-BYLAWS.pdf

Unofficial wiki version - [[OWASP Foundation ByLaws Wiki 2011-JUN-23]]

== March 15, 2004 ==

https://www.owasp.org/images/0/0d/OWASP_ByLaws.pdf

OWASP Periodic Table of Vulnerabilities

2013-06-02T12:05:41Z

Bil Corry: fixed minor formatting issue

= Main =

== Introduction ==

After 25 years of software engineering since the first Internet worm was written to exploit a buffer overflow vulnerability, web developers are still building insecure software. It is time for a new approach. The vast majority of software bug classes can be eliminated by building protections into perimeter technologies, platform infrastructures, and application frameworks before a developer even writes a single line of custom code. By allowing developers to focus on just a small subset of bug classes, training and standards programs can be more targeted and effective so developers can write secure code much more efficiently.

Vulnerabilities and weaknesses from industry-recognized indexes including OWASP Top 10, WASC TCv2, and CWE-25 are analyzed to determine which of the protection options are ideal for solving the software security problem. Where changes to internet standards and protocols are required, alternatives in perimeter, framework, or custom code solutions are also provided until the internet-scale solutions are in place. If a solution can be completely implemented in perimeter or infrastructure technologies, only that solution is provided. Similarly, if any part of the solution can be provided in standard or custom frameworks, that solution is not recommended to be implemented in custom code. The guiding principle is essentially: "implement security controls as far from custom code as possible." Only if there is no other way to solve a particular security problem is a custom code solution recommended.

== Browsers, Standards, and Protocols ==

The most scalable and effective approach to addressing vulnerability classes is to fix the browsers, standards, and protocols that enable web applications. This approach can sometimes increase security for every application on the internet without changing a single custom application. The amount of industry collaboration required to implement a protocol/standard change can be enormous, but some classes of vulnerabilities simply cannot be addressed without this kind of change (e.g. Clickjacking). A solution at this level is also incredibly powerful: a CSP-based solution to Cross-Site Scripting might allow most application owners to write a simple policy file instead of implementing a costly framework or custom code solution to protect their existing application assets.

== Perimeter Technologies ==

Less scalable, but almost as effective, is to address vulnerabilities in perimeter technologies such as application firewalls, load balancers, geocaching services (e.g. Akamai), and proxies. These technologies can shield vulnerable applications without requiring changes to the applications themselves. While most classes of vulnerability depend heavily on the application code and aren't easily solved by a generic perimeter solution, some are generalizable to the point where a perimeter solution could protect any application behind it before an attack even has a chance to do damage. Anti-automation and protocol validation are especially good solutions for perimeter technologies to address.

== Generic Application Frameworks ==

The next most scalable approach requires upgrading popular application frameworks so they are robust against common attack classes. Common web application platforms such as Java Struts/J2EE, Ruby on Rails, and PHP can theoretically prevent developers from introducing most classes of vulnerability in the first place. However, the current state of the framework industry is more driven by features than by security; any conflict between the two is usually decided in favor of adding features and ease of use, as opposed to difficult-to-use security enhancements. Some frameworks even have built-in vulnerabilities out of the box!

Improvements to application frameworks won't immediately help protect existing applications (though they would make any new applications built on the platform much safer). Many applications currently rely on insecure features of their frameworks that would be eliminated or refactored when the framework is secured. Existing applications would need to follow an upgrade path provided by a "secure" branch of existing frameworks before these solutions could take effect. Many applications don't even use popular frameworks at all, and so could never be helped by improvements to common development platforms.

Generic Framework solution guidelines would, however, help application owners prioritize refactoring efforts for their existing applications in order to make their application code more robust against future development mistakes. This is true whether their applications use popular frameworks or not. Implementing a robust solution to a vulnerability class is much more cost-effective in the long run than training every developer to understand every vulnerability and continuously patching new instances of the vulnerability each time they appear. Cross-Site Scripting is a classic example of the "whac-a-mole vulnerability" that recurrently wastes developer time and attention and could be solved more holistically with a framework wrapper.

== Custom Application Frameworks ==

Some solutions are unique to a specific application and can't be defended by a generic framework solution. For example, a generic framework might ship with a Social Security Number (SSN) validator, but a custom framework solution would be needed for a CustomWidgetItem validator. The SSN data type is well-defined and not unique to a specific application or business, but the CustomWidgetItem is unique to that application and has its own validation rules.

Organizations should still customize application frameworks to support their own application-specific APIs and security controls. Developers can leverage these controls during development instead of having to build the controls in during their daily coding efforts. If developers use a CustomWidgetItem object that has already been validated by framework code, it is much more likely that they will use it safely than if they have to remember to do their own validation each time they use the object.

== Custom Code ==
If none of the other solution options are possible for a given vulnerability class, developers will be required to protect against that class in every line of code that they write, which does not scale effectively at all. Some classes of attacks, such as Abuse of Functionality, depend completely on the custom code and cannot be abstracted at all into other solution models.

The set of vulnerabilities which must be eliminated in custom code is only a small fraction of the total vulnerability space. By focusing training and testing efforts on just this set of issues, after addressing all other problems in a more scalable manner, developers have a much better chance of building secure applications in the future.

= Periodic Table of Vulnerabilities =
{|class="wikitable"
! rowspan="2" colspan="2" align="center" style="background:#D8D8D8; border-width:3px 1px 3px 3px;"| '''VULNERABILITY'''
! colspan="5" align="center" style="background:#D8D8D8; border-width:3px 3px 1px 1px;"|'''LOCATION OF SECURITY CONTROL'''
|-
! align="center" style="background:#D8D8D8; border-width:1px 1px 3px 1px;"|'''Standards'''
! align="center" style="background:#D8D8D8; border-width:1px 1px 3px 1px;"|'''Infrastructure/Perimeter'''
! align="center" style="background:#D8D8D8; border-width:1px 1px 3px 1px;"|'''Generic Framework'''
! align="center" style="background:#D8D8D8; border-width:1px 1px 3px 1px;"|'''Custom Framework'''
! align="center" style="background:#D8D8D8; border-width:1px 3px 3px 1px;"|'''Custom Code'''
|-
| width="11%" style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Abuse of Functionality|Abuse of Functionality]]'''|| width="4%" align="center" style="background:#f0f0f0; border-width:3px 1px 2px 1px;" | AF || width="17%" style="border-width:3px 1px 2px 1px;" | || width="17%" style="border-width:3px 1px 2px 1px;" | || width="17%" style="border-width:3px 1px 2px 1px;" | || width="17%" style="border-width:3px 1px 2px 1px;" | || width="17%" style="border-width:3px 3px 2px 1px;" | All features should have defined abuse cases and implemented protections against these abuses.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Application Misconfiguration|Application Misconfiguration]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | AM || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Ensure proper application settings are deployed in configuration file/s. Varies by platform and technology stack.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | ||style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Brute Force (Generic) / Insufficient Anti-automation|Brute Force (Generic) / Insufficient Anti-automation]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | BF || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Perimeter technologies including geocaching/proxy services must support automatic and/or manual "panic button" anti-automation, enforcing progressive CAPTCHA for unvalidated requests, triggering on excessive 5XX responses, or direct signal from application.|| style="border-width:2px 1px 2px 1px;" | Provide configurable per-user/session request rate limits.|| style="border-width:2px 1px 2px 1px;" | Provide a common configurable anti-automation framework available to any feature.|| style="border-width:2px 3px 2px 1px;" | Any feature sensitive to high transaction rates should expose configurable rate limits per user or globally per feature.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Brute Force Login|Brute Force Login]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | BL || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide capabilities to detect brute force attacks and help enforce lockout or CAPTCHA based on signals from the application.|| style="border-width:2px 1px 2px 1px;" | Provide configurable progressive lockout/delay for failed authentication requests to a single account and detection/alerting for fixed-password variable-username attacks. Provide configurable CAPTCHA enforcement.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Brute Force Session Identifier|Brute Force Session Identifier]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | BI || style="border-width:2px 1px 2px 1px;" | Define a new standard for transmitting session information.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Detect and alert on a configurable rate of session ID cache misses. Provide configurable session lockout if source IP for a session changes during an event. Ensure that token generation is secure, random, and from a sufficiently large key space.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Brute Force Predictable Resource Location/Insecure Indexing|Brute Force Predictable Resource Location/Insecure Indexing]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | BP || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Generic anti-automation response should trigger during spikes in 4XX responses.|| style="border-width:2px 1px 2px 1px;" | Provide a configurable GUID-based obfuscator for sensitive parameter values. Do not expose administrative interfaces on the same path as user interfaces.|| style="border-width:2px 1px 2px 1px;" | Require authentication wherever possible. Create independent interfaces for administrative access and enforce stricter authentication rules.|| style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Buffer Overflow|Buffer Overflow]]'''|| align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | BO || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Defend infrastructure from known exploit signatures (e.g. CodeRed) and alert/block parameter anomalies.|| style="border-width:2px 1px 2px 1px;" | Build on a memory-managed code platform or otherwise prohibit direct memory management.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Clickjacking|Clickjacking]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | CJ || style="border-width:2px 1px 2px 1px;" | Browser vendors should standardize on CSP directives to support safe framing options for framed sites.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Support configurable options for setting X-Frame-Options header and automatically embedding framebusting code in HTML/Script/CSS for older user agents that do not support XFO.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Content Spoofing|Content Spoofing]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | CS || style="border-width:2px 1px 2px 1px;" | Provide a new response status code for "File not found, but show custom 404 content body AND replace the URL displayed in the title bar because the current requested URL will confuse users".|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | If the framework supports user-supplied content, such content must be clearly marked as such in the display context.|| style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Cookie Theft/Session Hijacking|Cookie Theft/Session Hijacking]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | CT || style="border-width:2px 1px 2px 1px;" | Define a new standard for transmitting session information to replace cookies.|| style="border-width:2px 1px 2px 1px;" | Terminate/regenerate session if the session token is transmitted insecurely. Help enforce cookie/session management rules.|| style="border-width:2px 1px 2px 1px;" | Enforce Secure and HttpOnly flags for all cookies. Alert user and deauthorize oldest session when multiple simultaneous login is detected. Terminate session if User-Agent string or other client fingerprinting changes. Terminate session if user acceses login page.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Cross-Site Scripting (XSS)|Cross-Site Scripting (XSS)]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | XS || style="border-width:2px 1px 2px 1px;" | Browser vendors and standards bodies should agree on markup for elements to contain dynamic content (e.g. Flash, JavaScript, HTML, etc.) inline without allowing the dynamic content to perform malicious actions such as navigating the parent window, reading or writing data across trust boundaries, or other undesirable behaviors as determined by the owner of the containing page.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Automatically sanitize any dynamic content before writing it into HTML, XML, or other documents that might be rendered by user agents that execute active content. If dynamic content must include dangerous elements, provide APIs which filter and sanitize potentially dangerous attributes of these elements. Exceptions and attribute configurations should be described by a policy file instead of hard-coded into the framework itself or into function calls. || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Cross-Site Scripting (XSS) - DOM-Based|Cross-Site Scripting (XSS) - DOM-Based]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | XD || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | "Web 2.0" frameworks must expose an API for page creation/modification that does not use document.write/ln or allow dynamic data to be injected into innerHTML or similar DOM element attributes.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Cross-Site Request Forgery|Cross-Site Request Forgery]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | XF || style="border-width:2px 1px 2px 1px;" | Change default browser behavior to look for policy file for cross-domain writes instead of "default allow", transitioning through CSP framework.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Automatically generate and check tokens for all POST requests by default, with configuration-based exclusion list. Disallow state changes via GET requests, enforcing RFC.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Denial of Service (Application Based)|Denial of Service (Application Based)]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | DA || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | See Brute Force (Generic)|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" | Profile resource-dependent transactions and build transaction queues and alerting when queues reach thresholds. Enforce transaction-based rate limits.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Denial of Service (Connection Based)|Denial of Service (Connection Based)]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | DS || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Recognize and dynamically adapt to deliberately slowed connection attempts by dropping slower connections during a detected event. The perimeter should protect itself and the Web server from saturation by slow connections.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Directory Indexing|Directory Indexing]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | DI || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Disable directory listings in the web- or application-server configuration by default.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Fingerprinting|Fingerprinting]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | FP || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Infrastructure should not leak any information which can be used to identify the platform or infrastructure technology. Perimeter technologies should strip all such information from outgoing responses.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | URL structure should not reveal the underlying technology. Default content should be removed when possible. Tools that assist development or debugging should not be hosted or accessible.|| style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Format String|Format String]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | FS || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Alert and/or block on known format string signatures.|| style="border-width:2px 1px 2px 1px;" | Prohibit access to vulnerable APIs and provide safe wrappers of those APIs instead.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - HTTP Request/Response Smuggling|HTTP Request/Response Smuggling]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | HS || style="border-width:2px 1px 2px 1px;" | Tighten RFC standards to describe precise behavior for malformed request/response data. Shame non-conforming implementations into compliance. Increase SSL adoption to prevent proxy tampering.|| style="border-width:2px 1px 2px 1px;" | Enforce strict parity match between requests and responses, discarding extraneous Content-Length headers and canonicalizing requests/responses.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - HTTP Response Splitting|HTTP Response Splitting]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | HR || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Automatically URL-encode CRLF characters in dynamic data before writing to HTTP response headers.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - HTTP Request Splitting|HTTP Request Splitting]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | HQ || style="border-width:2px 1px 2px 1px;" | Tighten RFC standards to describe precise behavior for malformed requests. Shame non-conforming implementations into compliance. Increase SSL adoption to prevent proxy poisoning.|| style="border-width:2px 1px 2px 1px;" | Enforce strict canonicalization on all incoming HTTP requests.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Implicit Logout|Implicit Logout]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IG || style="border-width:2px 1px 2px 1px;" | Define a new standard for handling sessions. Define CSP or other standard for triggering a logout flow when user browses away from a site. At least destroy session cookies.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Detect when a user browses away from the site and automatically log the user out of the application.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Improper Filesystem Permissions|Improper Filesystem Permissions]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IF || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Ensure that proper file and directory permissions are applied. Enforce stricter default permissions.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Improper Input Handling|Improper Input Handling]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | II || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide canonicalization and positive validation APIs for common data types, with configurable rules to reject or sanitize bad data.|| style="border-width:2px 1px 2px 1px;" | Provide canonicalization and positive validation APIs for custom data types, strictly enforcing business rules, with configurable rules to reject or sanitize bad data.|| style="border-width:2px 3px 2px 1px;" | Never use primitives in custom code.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Improper Output Handling|Improper Output Handling]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IH || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide context-sensitive encoders for all common data types in all output contexts, ensuring no custom code can write directly to output.|| style="border-width:2px 1px 2px 1px;" | Provide context-sensitive encoders for all custom data types in all output contexts, ensuring no custom code can write directly to output.|| style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Information Leakage|Information Leakage]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IL || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Alert, block, or sanitize classified data in responses. Automatically scrub HTML, JavaScript, CSS, and other data formats of comment data and stack traces. Configure platform to return generic error codes by default and log locally. || style="border-width:2px 1px 2px 1px;" | Provide common error-handling framework and APIs which take two error messages as parameters: one to be displayed to the user and one to be written to logs. Provide configurable content expiration/caching interface; default to no-cache, no-store.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" | Don't leak information via error parity mismatches.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Insufficient Authentication/Authorization|Insufficient Authentication/Authorization]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IA || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide configuration-based authentication and authorization platform.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" | Apply least-privilege principle to all transactions, requiring authentication and authorization where applicable.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Insufficient Data Protection|Insufficient Data Protection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | ID || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide a configuration-based suite of encryption utilities for all data security needs including HMAC, symmetric, password hash, and asymmetric encryption requirements.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Insufficient Password Recovery|Insufficient Password Recovery]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IR || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide generic credential recovery with configurable "secret question" and multi-factor side-channel authentication functionality (e.g. SMS, email, etc.).|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Insufficient Process Validation|Insufficient Process Validation]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IP || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Require state validation rules to be specified for multi-step flows.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" | Enforce state validation for asynchronous transactions.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Insufficient Session Expiration|Insufficient Session Expiration]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IS || style="border-width:2px 1px 2px 1px;" | Define a new standard for instructing the browser about session timeouts and how to handle them.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide and enforce configurable absolute and inactivity-based session timeouts.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Insufficient Transport Layer Protection|Insufficient Transport Layer Protection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IT || style="border-width:2px 1px 2px 1px;" | Fix DNS and browser technologies so that the intent of domain owners can be more strictly followed.|| style="border-width:2px 1px 2px 1px;" | Enforce Strict Transport Security and redirect any HTTP request to HTTPS.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Integer Overflow/Underflow|Integer Overflow/Underflow]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IO || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide safe wrappers for primitive numeric types.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" | Never use primitives without strict checking for underflow/overflow conditions.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - LDAP Injection|LDAP Injection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | LI || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide safe libraries for LDAP communication which properly encode dynamic data.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Mail Command Injection|Mail Command Injection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | MI || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide safe libraries for SMTP and IMAP interaction that properly encode dynamic data.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Null Byte Injection|Null Byte Injection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | NB || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Alert and/or block on known null byte attacks.|| style="border-width:2px 1px 2px 1px;" | Provide safe libraries that automatically encode dynamic data in any context which uses null bytes as control characters.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - OS Commanding|OS Commanding]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | OC || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Build safe wrappers for system calls which prevent dynamic data from changing the intended meaning of the call.|| style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Path Traversal|Path Traversal]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | PT || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Canonicalize URLs and prevent directory access outside the web root.|| style="border-width:2px 1px 2px 1px;" | Provide safe libraries for accessing the file system which canonicalize path references and enforce proper access control.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Race Conditions|Race Conditions]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | RC || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Prevent singletons from instantiating class-scope objects. Provide transaction integrity for task queues.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Remote File Inclusion|Remote File Inclusion]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | RF || style="border-width:2px 1px 2px 1px;" | Define a standard for safe inclusion of 3rd-party code and content which enforces namespace separation and mediates namespace/DOM access.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide proxy library to sanitize/sandbox third-party code and content for safe inclusion (e.g. Caja).|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Routing Detour|Routing Detour]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | RD || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide configuration-based whitelist for WS Routing destinations.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Server Misconfiguration|Server Misconfiguration]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SM || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Ensure proper application settings are deployed in configuration file/s. Provide secure default settings.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Session Fixation|Session Fixation]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SF || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Do not start sessions with user-provided tokens and rotate session IDs periodically during longer sessions. Reissue new tokens automatically whenever the privilege level of the user changes.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - SOAP Array Abuse, XML Attribute Blowup, XML Entity Expansion|SOAP Array Abuse, XML Attribute Blowup, XML Entity Expansion]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SA || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Perform schema validation of XML structure on incoming requests.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - SSI Injection|SSI Injection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SS || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Do not support SSI with dynamic file names.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - SQL Injection|SQL Injection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SI || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide safe libraries for communicating with SQL servers which enforce parameterized query patterns.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" | Do not create queries with dynamic data in stored procedures.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - URL Redirector Abuse|URL Redirector Abuse]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | UR || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide configurable white list for redirection URLs in 3XX responses, Refresh headers, and JavaScript redirects.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Weak Authentication Methods|Weak HTTP Authentication Methods]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | WA || style="border-width:2px 1px 2px 1px;" | Define a new, safe standard for HTTP-based authentication. || style="border-width:2px 1px 2px 1px;" | Reject HTTP Basic Auth, NTLM, and Digest Authentication requests. Block or proxy inline 3rd-party content.|| style="border-width:2px 1px 2px 1px;" | Block or proxy inline 3rd-party content.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - XML External Entities|XML External Entities]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | XE || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Disable External Entities within the XML parser. Enforce strict, static, internal DTDs.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - XML Injection|XML Injection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | XI || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide safe libraries for constructing XML documents which automatically encode dynamic data.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 3px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - XPath/XQuery Injection|XPath/XQuery Injection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 3px 1px;" | XP || style="border-width:2px 1px 3px 1px;" | || style="border-width:2px 1px 3px 1px;" | || style="border-width:2px 1px 3px 1px;" | Provide safe libraries for constructing XPath queries with dynamic data. Provide safe libraries for XQuery construction which parameterize query values.|| style="border-width:2px 1px 3px 1px;" | || style="border-width:2px 3px 3px 1px;" |
|}

= Release Formats =

* [[Media:Periodic Table Infographic.pdf|Compressed view]] - One-pager that highlights the vulnerability classes that developers will still have to worry about at the top, with "solved" vulnerabilities ordered toward the bottom.
* Infographic - Cartoony, visually-appealing storyboard introduction of the project, its goals, and high-level approach.
* [[OWASP Periodic Table of Vulnerabilities#Periodic Table of Vulnerabilities|Working View/Summary]] - Working view summarizes solutions in respective columns for quick reference but doesn't provide details. May link to detailed sections.
* Solution Detail (see linked issues on summary view) - Detailed view combines references, detailed solution designs, discussion/controversy detail, and other relevant information for each solution recommendation. The detail view does NOT explain what each vulnerability/weakness is - it only references existing vulnerability descriptions from other projects (e.g. OWASP Top 10, WASC TCv2, CWE, etc.). A short summary of root cause(s) is included, but only to the level of depth required to suggest all of the solution design elements that need to be addressed.
* Solution Checklist - Summary of solutions grouped by target (e.g. perimeter or framework) so that maintainers of standards, frameworks, and perimeter technologies can view the solutions required for their areas ONLY. May require templating to generate list automatically, or short summaries in place of detailed descriptions.
* Periodic Table View - Vulns/Weaknesses laid out like the table of chemical elements, with solution target along the top and some measure of severity progressing down through the "periods". Top 10 could be highlighted in some way. Issues may show up in multiple periods. Poster-size so we can get all the relevant information in each "element".

= Project About =
{{:Projects/OWASP_Periodic_Table_of_Vulnerabilities}}

__NOTOC__ <headertabs /> 

{{OWASP Builders}}
[[Category:OWASP Project]]

OWASP Periodic Table of Vulnerabilities

2013-06-02T11:52:53Z

Bil Corry: slight edit

= Main =

== Introduction ==

After 25 years of software engineering since the first Internet worm was written to exploit a buffer overflow vulnerability, web developers are still building insecure software. It is time for a new approach. The vast majority of software bug classes can be eliminated by building protections into perimeter technologies, platform infrastructures, and application frameworks before a developer even writes a single line of custom code. By allowing developers to focus on just a small subset of bug classes, training and standards programs can be more targeted and effective so developers can write secure code much more efficiently.

Vulnerabilities and weaknesses from industry-recognized indexes including OWASP Top 10, WASC TCv2, and CWE-25 are analyzed to determine which of the protection options are ideal for solving the software security problem. Where changes to internet standards and protocols are required, alternatives in perimeter, framework, or custom code solutions are also provided until the internet-scale solutions are in place. If a solution can be completely implemented in perimeter or infrastructure technologies, only that solution is provided. Similarly, if any part of the solution can be provided in standard or custom frameworks, that solution is not recommended to be implemented in custom code. The guiding principle is essentially: "implement security controls as far from custom code as possible." Only if there is no other way to solve a particular security problem is a custom code solution recommended.

== Browsers, Standards, and Protocols ==

The most scalable and effective approach to addressing vulnerability classes is to fix the browsers, standards, and protocols that enable web applications. This approach can sometimes increase security for every application on the internet without changing a single custom application. The amount of industry collaboration required to implement a protocol/standard change can be enormous, but some classes of vulnerabilities simply cannot be addressed without this kind of change (e.g. Clickjacking). A solution at this level is also incredibly powerful: a CSP-based solution to Cross-Site Scripting might allow most application owners to write a simple policy file instead of implementing a costly framework or custom code solution to protect their existing application assets.

== Perimeter Technologies ==

Less scalable, but almost as effective, is to address vulnerabilities in perimeter technologies such as application firewalls, load balancers, geocaching services (e.g. Akamai), and proxies. These technologies can shield vulnerable applications without requiring changes to the applications themselves. While most classes of vulnerability depend heavily on the application code and aren't easily solved by a generic perimeter solution, some are generalizable to the point where a perimeter solution could protect any application behind it before an attack even has a chance to do damage. Anti-automation and protocol validation are especially good solutions for perimeter technologies to address.

== Generic Application Frameworks ==

The next most scalable approach requires upgrading popular application frameworks so they are robust against common attack classes. Common web application platforms such as Java Struts/J2EE, Ruby on Rails, and PHP can theoretically prevent developers from introducing most classes of vulnerability in the first place. However, the current state of the framework industry is more driven by features than by security; any conflict between the two is usually decided in favor of adding features and ease of use, as opposed to difficult-to-use security enhancements. Some frameworks even have built-in vulnerabilities out of the box!

Improvements to application frameworks won't immediately help protect existing applications (though they would make any new applications built on the platform much safer). Many applications currently rely on insecure features of their frameworks that would be eliminated or refactored when the framework is secured. Existing applications would need to follow an upgrade path provided by a "secure" branch of existing frameworks before these solutions could take effect. Many applications don't even use popular frameworks at all, and so could never be helped by improvements to common development platforms.

Generic Framework solution guidelines would, however, help application owners prioritize refactoring efforts for their existing applications in order to make their application code more robust against future development mistakes. This is true whether their applications use popular frameworks or not. Implementing a robust solution to a vulnerability class is much more cost-effective in the long run than training every developer to understand every vulnerability and continuously patching new instances of the vulnerability each time they appear. Cross-Site Scripting is a classic example of the "whac-a-mole vulnerability" that recurrently wastes developer time and attention and could be solved more holistically with a framework wrapper.

== Custom Application Frameworks ==

Some solutions are unique to a specific application and can't be defended by a generic framework solution. For example, a generic framework might ship with a Social Security Number (SSN) validator, but a custom framework solution would be needed for a CustomWidgetItem validator. The SSN data type is well-defined and not unique to a specific application or business, but the CustomWidgetItem is unique to that application and has its own validation rules.

Organizations should still customize application frameworks to support their own application-specific APIs and security controls. Developers can leverage these controls during development instead of having to build the controls in during their daily coding efforts. If developers use a CustomWidgetItem object that has already been validated by framework code, it is much more likely that they will use it safely than if they have to remember to do their own validation each time they use the object.

== Custom Code ==
If none of the other solution options are possible for a given vulnerability class, developers will be required to protect against that class in every line of code that they write, which does not scale effectively at all. Some classes of attacks, such as Abuse of Functionality, depend completely on the custom code and cannot be abstracted at all into other solution models.

The set of vulnerabilities which must be eliminated in custom code is only a small fraction of the total vulnerability space. By focusing training and testing efforts on just this set of issues, after addressing all other problems in a more scalable manner, developers have a much better chance of building secure applications in the future.

= Periodic Table of Vulnerabilities =
{|class="wikitable"
! rowspan="2" colspan="2" align="center" style="background:#D8D8D8; border-width:3px 1px 3px 3px;"| '''VULNERABILITY'''
! colspan="5" align="center" style="background:#D8D8D8; border-width:3px 3px 1px 1px;"|'''LOCATION OF SECURITY CONTROL'''
|-
! align="center" style="background:#D8D8D8; border-width:1px 1px 3px 1px;"|'''Standards'''
! align="center" style="background:#D8D8D8; border-width:1px 1px 3px 1px;"|'''Infrastructure/Perimeter'''
! align="center" style="background:#D8D8D8; border-width:1px 1px 3px 1px;"|'''Generic Framework'''
! align="center" style="background:#D8D8D8; border-width:1px 1px 3px 1px;"|'''Custom Framework'''
! align="center" style="background:#D8D8D8; border-width:1px 3px 3px 1px;"|'''Custom Code'''
|-
| width="11%" style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Abuse of Functionality|Abuse of Functionality]]'''|| width="4%" align="center" style="background:#f0f0f0; border-width:3px 1px 2px 1px;" | AF || width="17%" style="border-width:3px 1px 2px 1px;" | || width="17%" style="border-width:3px 1px 2px 1px;" | || width="17%" style="border-width:3px 1px 2px 1px;" | || width="17%" style="border-width:3px 1px 2px 1px;" | || width="17%" style="border-width:3px 3px 2px 1px;" | All features should have defined abuse cases and implemented protections against these abuses.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Application Misconfiguration|Application Misconfiguration]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | AM || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Ensure proper application settings are deployed in configuration file/s. Varies by platform and technology stack.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | ||style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Brute Force (Generic) / Insufficient Anti-automation|Brute Force (Generic) / Insufficient Anti-automation]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | BF || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Perimeter technologies including geocaching/proxy services must support automatic and/or manual "panic button" anti-automation, enforcing progressive CAPTCHA for unvalidated requests, triggering on excessive 5XX responses, or direct signal from application.|| style="border-width:2px 1px 2px 1px;" | Provide configurable per-user/session request rate limits.|| style="border-width:2px 1px 2px 1px;" | Provide a common configurable anti-automation framework available to any feature.|| style="border-width:2px 3px 2px 1px;" | Any feature sensitive to high transaction rates should expose configurable rate limits per user or globally per feature.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Brute Force Login|Brute Force Login]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | BL || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide capabilities to detect brute force attacks and help enforce lockout or CAPTCHA based on signals from the application.|| style="border-width:2px 1px 2px 1px;" | Provide configurable progressive lockout/delay for failed authentication requests to a single account and detection/alerting for fixed-password variable-username attacks. Provide configurable CAPTCHA enforcement.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Brute Force Session Identifier|Brute Force Session Identifier]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | BI || style="border-width:2px 1px 2px 1px;" | Define a new standard for transmitting session information.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Detect and alert on a configurable rate of session ID cache misses. Provide configurable session lockout if source IP for a session changes during an event. Ensure that token generation is secure, random, and from a sufficiently large key space.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Brute Force Predictable Resource Location/Insecure Indexing|Brute Force Predictable Resource Location/Insecure Indexing]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | BP || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Generic anti-automation response should trigger during spikes in 4XX responses.|| style="border-width:2px 1px 2px 1px;" | Provide a configurable GUID-based obfuscator for sensitive parameter values. Do not expose administrative interfaces on the same path as user interfaces.|| style="border-width:2px 1px 2px 1px;" | Require authentication wherever possible. Create independent interfaces for administrative access and enforce stricter authentication rules.|| style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Buffer Overflow|Buffer Overflow]]'''|| align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | BO || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Defend infrastructure from known exploit signatures (e.g. CodeRed) and alert/block parameter anomalies.|| style="border-width:2px 1px 2px 1px;" | Build on a memory-managed code platform or otherwise prohibit direct memory management.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Clickjacking|Clickjacking]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | CJ || style="border-width:2px 1px 2px 1px;" | Browser vendors should standardize on CSP directives to support safe framing options for framed sites.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Support configurable options for setting X-Frame-Options header and automatically embedding framebusting code in HTML/Script/CSS for older user agents that do not support XFO.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Content Spoofing|Content Spoofing]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | CS || style="border-width:2px 1px 2px 1px;" | Provide a new response status code for "File not found, but show custom 404 content body AND replace the URL displayed in the title bar because the current requested URL will confuse users".|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | If the framework supports user-supplied content, such content must be clearly marked as such in the display context.|| style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Cookie Theft/Session Hijacking|Cookie Theft/Session Hijacking]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | CT || style="border-width:2px 1px 2px 1px;" | Define a new standard for transmitting session information to replace cookies.|| style="border-width:2px 1px 2px 1px;" | Terminate/regenerate session if the session token is transmitted insecurely. Help enforce cookie/session management rules.|| style="border-width:2px 1px 2px 1px;" | Enforce Secure and HttpOnly flags for all cookies. Alert user and deauthorize oldest session when multiple simultaneous login is detected. Terminate session if User-Agent string or other client fingerprinting changes. Terminate session if user acceses login page.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Cross-Site Scripting (XSS)|Cross-Site Scripting (XSS)]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | XS || style="border-width:2px 1px 2px 1px;" | Browser vendors and standards bodies should agree on markup for elements to contain dynamic content (e.g. Flash, JavaScript, HTML, etc.) inline without allowing the dynamic content to perform malicious actions such as navigating the parent window, reading or writing data across trust boundaries, or other undesirable behaviors as determined by the owner of the containing page.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Automatically sanitize any dynamic content before writing it into HTML, XML, or other documents that might be rendered by user agents that execute active content. If dynamic content must include dangerous elements, provide APIs which filter and sanitize potentially dangerous attributes of these elements. Exceptions and attribute configurations should be described by a policy file instead of hard-coded into the framework itself or into function calls. || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Cross-Site Scripting (XSS) - DOM-Based|Cross-Site Scripting (XSS) - DOM-Based]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | XD || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | "Web 2.0" frameworks must expose an API for page creation/modification that does not use document.write/ln or allow dynamic data to be injected into innerHTML or similar DOM element attributes.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Cross-Site Request Forgery|Cross-Site Request Forgery]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | XF || style="border-width:2px 1px 2px 1px;" | Change default browser behavior to look for policy file for cross-domain writes instead of "default allow", transitioning through CSP framework.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Automatically generate and check tokens for all POST requests by default, with configuration-based exclusion list. Disallow state changes via GET requests, enforcing RFC.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Denial of Service (Application Based)|Denial of Service (Application Based)]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | DA || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | See Brute Force (Generic)|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" | Profile resource-dependent transactions and build transaction queues and alerting when queues reach thresholds. Enforce transaction-based rate limits.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Denial of Service (Connection Based)|Denial of Service (Connection Based)]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | DS || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Recognize and dynamically adapt to deliberately slowed connection attempts by dropping slower connections during a detected event. The perimeter should protect itself and the Web server from saturation by slow connections.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Directory Indexing|Directory Indexing]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | DI || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Disable directory listings in the web- or application-server configuration by default.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Fingerprinting|Fingerprinting]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | FP || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Infrastructure should not leak any information which can be used to identify the platform or infrastructure technology. Perimeter technologies should strip all such information from outgoing responses.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | URL structure should not reveal the underlying technology. Default content should be removed when possible. Tools that assist development or debugging should not be hosted or accessible.|| style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Format String|Format String]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | FS || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Alert and/or block on known format string signatures.|| style="border-width:2px 1px 2px 1px;" | Prohibit access to vulnerable APIs and provide safe wrappers of those APIs instead.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - HTTP Request/Response Smuggling|HTTP Request/Response Smuggling]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | HS || style="border-width:2px 1px 2px 1px;" | Tighten RFC standards to describe precise behavior for malformed request/response data. Shame non-conforming implementations into compliance. Increase SSL adoption to prevent proxy tampering.|| style="border-width:2px 1px 2px 1px;" | Enforce strict parity match between requests and responses, discarding extraneous Content-Length headers and canonicalizing requests/responses.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - HTTP Response Splitting|HTTP Response Splitting]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | HR || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Automatically URL-encode CRLF characters in dynamic data before writing to HTTP response headers.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - HTTP Request Splitting|HTTP Request Splitting]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | HQ || style="border-width:2px 1px 2px 1px;" | Tighten RFC standards to describe precise behavior for malformed requests. Shame non-conforming implementations into compliance. Increase SSL adoption to prevent proxy poisoning.|| style="border-width:2px 1px 2px 1px;" | Enforce strict canonicalization on all incoming HTTP requests.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Implicit Logout|Implicit Logout]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IG || style="border-width:2px 1px 2px 1px;" | Define a new standard for handling sessions. Define CSP or other standard for triggering a logout flow when user browses away from a site. At least destroy session cookies.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Detect when a user browses away from the site and automatically log the user out of the application.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Improper Filesystem Permissions|Improper Filesystem Permissions]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IF || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Ensure that proper file and directory permissions are applied. Enforce stricter default permissions.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Improper Input Handling|Improper Input Handling]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | II || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide canonicalization and positive validation APIs for common data types, with configurable rules to reject or sanitize bad data.|| style="border-width:2px 1px 2px 1px;" | Provide canonicalization and positive validation APIs for custom data types, strictly enforcing business rules, with configurable rules to reject or sanitize bad data.|| style="border-width:2px 3px 2px 1px;" | Never use primitives in custom code.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Improper Output Handling|Improper Output Handling]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IH || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide context-sensitive encoders for all common data types in all output contexts, ensuring no custom code can write directly to output.|| style="border-width:2px 1px 2px 1px;" | Provide context-sensitive encoders for all custom data types in all output contexts, ensuring no custom code can write directly to output.|| style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Information Leakage|Information Leakage]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IL || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Alert, block, or sanitize classified data in responses. Automatically scrub HTML, JavaScript, CSS, and other data formats of comment data and stack traces. Configure platform to return generic error codes by default and log locally. || style="border-width:2px 1px 2px 1px;" | Provide common error-handling framework and APIs which take two error messages as parameters: one to be displayed to the user and one to be written to logs. Provide configurable content expiration/caching interface; default to no-cache, no-store.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" | Don't leak information via error parity mismatches.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Insufficient Authentication/Authorization|Insufficient Authentication/Authorization]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IA || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide configuration-based authentication and authorization platform.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" | Apply least-privilege principle to all transactions, requiring authentication and authorization where applicable.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Insufficient Data Protection|Insufficient Data Protection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | ID || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide a configuration-based suite of encryption utilities for all data security needs including HMAC, symmetric, password hash, and asymmetric encryption requirements.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Insufficient Password Recovery|Insufficient Password Recovery]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IR || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide generic credential recovery with configurable "secret question" and multi-factor side-channel authentication functionality (e.g. SMS, email, etc.).|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Insufficient Process Validation|Insufficient Process Validation]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IP || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Require state validation rules to be specified for multi-step flows.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" | Enforce state validation for asynchronous transactions.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Insufficient Session Expiration|Insufficient Session Expiration]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IS || style="border-width:2px 1px 2px 1px;" | Define a new standard for instructing the browser about session timeouts and how to handle them.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide and enforce configurable absolute and inactivity-based session timeouts.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Insufficient Transport Layer Protection|Insufficient Transport Layer Protection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IT || style="border-width:2px 1px 2px 1px;" | Fix DNS and browser technologies so that the intent of domain owners can be more strictly followed.|| style="border-width:2px 1px 2px 1px;" | Enforce Strict Transport Security and redirect any HTTP request to HTTPS.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 3px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Integer Overflow/Underflow|Integer Overflow/Underflow]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IO || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide safe wrappers for primitive numeric types.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" | Never use primitives without strict checking for underflow/overflow conditions.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - LDAP Injection|LDAP Injection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | LI || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide safe libraries for LDAP communication which properly encode dynamic data.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Mail Command Injection|Mail Command Injection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | MI || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide safe libraries for SMTP and IMAP interaction that properly encode dynamic data.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Null Byte Injection|Null Byte Injection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | NB || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Alert and/or block on known null byte attacks.|| style="border-width:2px 1px 2px 1px;" | Provide safe libraries that automatically encode dynamic data in any context which uses null bytes as control characters.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - OS Commanding|OS Commanding]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | OC || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Build safe wrappers for system calls which prevent dynamic data from changing the intended meaning of the call.|| style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Path Traversal|Path Traversal]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | PT || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Canonicalize URLs and prevent directory access outside the web root.|| style="border-width:2px 1px 2px 1px;" | Provide safe libraries for accessing the file system which canonicalize path references and enforce proper access control.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Race Conditions|Race Conditions]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | RC || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Prevent singletons from instantiating class-scope objects. Provide transaction integrity for task queues.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Remote File Inclusion|Remote File Inclusion]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | RF || style="border-width:2px 1px 2px 1px;" | Define a standard for safe inclusion of 3rd-party code and content which enforces namespace separation and mediates namespace/DOM access.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide proxy library to sanitize/sandbox third-party code and content for safe inclusion (e.g. Caja).|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Routing Detour|Routing Detour]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | RD || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide configuration-based whitelist for WS Routing destinations.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Server Misconfiguration|Server Misconfiguration]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SM || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Ensure proper application settings are deployed in configuration file/s. Provide secure default settings.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Session Fixation|Session Fixation]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SF || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Do not start sessions with user-provided tokens and rotate session IDs periodically during longer sessions. Reissue new tokens automatically whenever the privilege level of the user changes.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - SOAP Array Abuse, XML Attribute Blowup, XML Entity Expansion|SOAP Array Abuse, XML Attribute Blowup, XML Entity Expansion]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SA || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Perform schema validation of XML structure on incoming requests.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - SSI Injection|SSI Injection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SS || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Do not support SSI with dynamic file names.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - SQL Injection|SQL Injection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SI || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide safe libraries for communicating with SQL servers which enforce parameterized query patterns.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" | Do not create queries with dynamic data in stored procedures.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - URL Redirector Abuse|URL Redirector Abuse]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | UR || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide configurable white list for redirection URLs in 3XX responses, Refresh headers, and JavaScript redirects.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Weak Authentication Methods|Weak HTTP Authentication Methods]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | WA || style="border-width:2px 1px 2px 1px;" | Define a new, safe standard for HTTP-based authentication. || style="border-width:2px 1px 2px 1px;" | Reject HTTP Basic Auth, NTLM, and Digest Authentication requests. Block or proxy inline 3rd-party content.|| style="border-width:2px 1px 2px 1px;" | Block or proxy inline 3rd-party content.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - XML External Entities|XML External Entities]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | XE || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Disable External Entities within the XML parser. Enforce strict, static, internal DTDs.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - XML Injection|XML Injection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | XI || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide safe libraries for constructing XML documents which automatically encode dynamic data.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 3px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - XPath/XQuery Injection|XPath/XQuery Injection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 3px 1px;" | XP || style="border-width:2px 1px 3px 1px;" | || style="border-width:2px 1px 3px 1px;" | || style="border-width:2px 1px 3px 1px;" | Provide safe libraries for constructing XPath queries with dynamic data. Provide safe libraries for XQuery construction which parameterize query values.|| style="border-width:2px 1px 3px 1px;" | || style="border-width:2px 3px 3px 1px;" |
|}

= Release Formats =

* [[Media:Periodic Table Infographic.pdf|Compressed view]] - One-pager that highlights the vulnerability classes that developers will still have to worry about at the top, with "solved" vulnerabilities ordered toward the bottom.
* Infographic - Cartoony, visually-appealing storyboard introduction of the project, its goals, and high-level approach.
* [[OWASP Periodic Table of Vulnerabilities#Periodic Table of Vulnerabilities|Working View/Summary]] - Working view summarizes solutions in respective columns for quick reference but doesn't provide details. May link to detailed sections.
* Solution Detail (see linked issues on summary view) - Detailed view combines references, detailed solution designs, discussion/controversy detail, and other relevant information for each solution recommendation. The detail view does NOT explain what each vulnerability/weakness is - it only references existing vulnerability descriptions from other projects (e.g. OWASP Top 10, WASC TCv2, CWE, etc.). A short summary of root cause(s) is included, but only to the level of depth required to suggest all of the solution design elements that need to be addressed.
* Solution Checklist - Summary of solutions grouped by target (e.g. perimeter or framework) so that maintainers of standards, frameworks, and perimeter technologies can view the solutions required for their areas ONLY. May require templating to generate list automatically, or short summaries in place of detailed descriptions.
* Periodic Table View - Vulns/Weaknesses laid out like the table of chemical elements, with solution target along the top and some measure of severity progressing down through the "periods". Top 10 could be highlighted in some way. Issues may show up in multiple periods. Poster-size so we can get all the relevant information in each "element".

= Project About =
{{:Projects/OWASP_Periodic_Table_of_Vulnerabilities}}

__NOTOC__ <headertabs /> 

{{OWASP Builders}}
[[Category:OWASP Project]]

OWASP Periodic Table of Vulnerabilities

2013-06-02T11:50:21Z

Bil Corry: adjusted formatting of periodic table

= Main =

== Introduction ==

After 25 years of software engineering since the first Internet worm was written to exploit a buffer overflow vulnerability, web developers are still building insecure software. It is time for a new approach. The vast majority of software bug classes can be eliminated by building protections into perimeter technologies, platform infrastructures, and application frameworks before a developer even writes a single line of custom code. By allowing developers to focus on just a small subset of bug classes, training and standards programs can be more targeted and effective so developers can write secure code much more efficiently.

Vulnerabilities and weaknesses from industry-recognized indexes including OWASP Top 10, WASC TCv2, and CWE-25 are analyzed to determine which of the protection options are ideal for solving the software security problem. Where changes to internet standards and protocols are required, alternatives in perimeter, framework, or custom code solutions are also provided until the internet-scale solutions are in place. If a solution can be completely implemented in perimeter or infrastructure technologies, only that solution is provided. Similarly, if any part of the solution can be provided in standard or custom frameworks, that solution is not recommended to be implemented in custom code. The guiding principle is essentially: "implement security controls as far from custom code as possible." Only if there is no other way to solve a particular security problem is a custom code solution recommended.

== Browsers, Standards, and Protocols ==

The most scalable and effective approach to addressing vulnerability classes is to fix the browsers, standards, and protocols that enable web applications. This approach can sometimes increase security for every application on the internet without changing a single custom application. The amount of industry collaboration required to implement a protocol/standard change can be enormous, but some classes of vulnerabilities simply cannot be addressed without this kind of change (e.g. Clickjacking). A solution at this level is also incredibly powerful: a CSP-based solution to Cross-Site Scripting might allow most application owners to write a simple policy file instead of implementing a costly framework or custom code solution to protect their existing application assets.

== Perimeter Technologies ==

Less scalable, but almost as effective, is to address vulnerabilities in perimeter technologies such as application firewalls, load balancers, geocaching services (e.g. Akamai), and proxies. These technologies can shield vulnerable applications without requiring changes to the applications themselves. While most classes of vulnerability depend heavily on the application code and aren't easily solved by a generic perimeter solution, some are generalizable to the point where a perimeter solution could protect any application behind it before an attack even has a chance to do damage. Anti-automation and protocol validation are especially good solutions for perimeter technologies to address.

== Generic Application Frameworks ==

The next most scalable approach requires upgrading popular application frameworks so they are robust against common attack classes. Common web application platforms such as Java Struts/J2EE, Ruby on Rails, and PHP can theoretically prevent developers from introducing most classes of vulnerability in the first place. However, the current state of the framework industry is more driven by features than by security; any conflict between the two is usually decided in favor of adding features and ease of use, as opposed to difficult-to-use security enhancements. Some frameworks even have built-in vulnerabilities out of the box!

Improvements to application frameworks won't immediately help protect existing applications (though they would make any new applications built on the platform much safer). Many applications currently rely on insecure features of their frameworks that would be eliminated or refactored when the framework is secured. Existing applications would need to follow an upgrade path provided by a "secure" branch of existing frameworks before these solutions could take effect. Many applications don't even use popular frameworks at all, and so could never be helped by improvements to common development platforms.

Generic Framework solution guidelines would, however, help application owners prioritize refactoring efforts for their existing applications in order to make their application code more robust against future development mistakes. This is true whether their applications use popular frameworks or not. Implementing a robust solution to a vulnerability class is much more cost-effective in the long run than training every developer to understand every vulnerability and continuously patching new instances of the vulnerability each time they appear. Cross-Site Scripting is a classic example of the "whac-a-mole vulnerability" that recurrently wastes developer time and attention and could be solved more holistically with a framework wrapper.

== Custom Application Frameworks ==

Some solutions are unique to a specific application and can't be defended by a generic framework solution. For example, a generic framework might ship with a Social Security Number (SSN) validator, but a custom framework solution would be needed for a CustomWidgetItem validator. The SSN data type is well-defined and not unique to a specific application or business, but the CustomWidgetItem is unique to that application and has its own validation rules.

Organizations should still customize application frameworks to support their own application-specific APIs and security controls. Developers can leverage these controls during development instead of having to build the controls in during their daily coding efforts. If developers use a CustomWidgetItem object that has already been validated by framework code, it is much more likely that they will use it safely than if they have to remember to do their own validation each time they use the object.

== Custom Code ==
If none of the other solution options are possible for a given vulnerability class, developers will be required to protect against that class in every line of code that they write, which does not scale effectively at all. Some classes of attacks, such as Abuse of Functionality, depend completely on the custom code and cannot be abstracted at all into other solution models.

The set of vulnerabilities which must be eliminated in custom code is only a small fraction of the total vulnerability space. By focusing training and testing efforts on just this set of issues, after addressing all other problems in a more scalable manner, developers have a much better chance of building secure applications in the future.

= Periodic Table of Vulnerabilities =
{|class="wikitable"
! rowspan="2" colspan="2" align="center" style="background:#D8D8D8; border-width:3px 1px 3px 3px;"| '''VULNERABILITY'''
! colspan="5" align="center" style="background:#D8D8D8; border-width:3px 3px 1px 1px;"|'''LOCATION OF SECURITY CONTROL (most to least ideal)'''
|-
! align="center" style="background:#D8D8D8; border-width:1px 1px 3px 1px;"|'''Standards'''
! align="center" style="background:#D8D8D8; border-width:1px 1px 3px 1px;"|'''Infrastructure/Perimeter'''
! align="center" style="background:#D8D8D8; border-width:1px 1px 3px 1px;"|'''Generic Framework'''
! align="center" style="background:#D8D8D8; border-width:1px 1px 3px 1px;"|'''Custom Framework'''
! align="center" style="background:#D8D8D8; border-width:1px 3px 3px 1px;"|'''Custom Code'''
|-
| width="11%" style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Abuse of Functionality|Abuse of Functionality]]'''|| width="4%" align="center" style="background:#f0f0f0; border-width:3px 1px 2px 1px;" | AF || width="17%" style="border-width:3px 1px 2px 1px;" | || width="17%" style="border-width:3px 1px 2px 1px;" | || width="17%" style="border-width:3px 1px 2px 1px;" | || width="17%" style="border-width:3px 1px 2px 1px;" | || width="17%" style="border-width:3px 3px 2px 1px;" | All features should have defined abuse cases and implemented protections against these abuses.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Application Misconfiguration|Application Misconfiguration]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | AM || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Ensure proper application settings are deployed in configuration file/s. Varies by platform and technology stack.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | ||style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Brute Force (Generic) / Insufficient Anti-automation|Brute Force (Generic) / Insufficient Anti-automation]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | BF || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Perimeter technologies including geocaching/proxy services must support automatic and/or manual "panic button" anti-automation, enforcing progressive CAPTCHA for unvalidated requests, triggering on excessive 5XX responses, or direct signal from application.|| style="border-width:2px 1px 2px 1px;" | Provide configurable per-user/session request rate limits.|| style="border-width:2px 1px 2px 1px;" | Provide a common configurable anti-automation framework available to any feature.|| style="border-width:2px 3px 2px 1px;" | Any feature sensitive to high transaction rates should expose configurable rate limits per user or globally per feature.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Brute Force Login|Brute Force Login]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | BL || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide capabilities to detect brute force attacks and help enforce lockout or CAPTCHA based on signals from the application.|| style="border-width:2px 1px 2px 1px;" | Provide configurable progressive lockout/delay for failed authentication requests to a single account and detection/alerting for fixed-password variable-username attacks. Provide configurable CAPTCHA enforcement.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Brute Force Session Identifier|Brute Force Session Identifier]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | BI || style="border-width:2px 1px 2px 1px;" | Define a new standard for transmitting session information.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Detect and alert on a configurable rate of session ID cache misses. Provide configurable session lockout if source IP for a session changes during an event. Ensure that token generation is secure, random, and from a sufficiently large key space.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Brute Force Predictable Resource Location/Insecure Indexing|Brute Force Predictable Resource Location/Insecure Indexing]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | BP || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Generic anti-automation response should trigger during spikes in 4XX responses.|| style="border-width:2px 1px 2px 1px;" | Provide a configurable GUID-based obfuscator for sensitive parameter values. Do not expose administrative interfaces on the same path as user interfaces.|| style="border-width:2px 1px 2px 1px;" | Require authentication wherever possible. Create independent interfaces for administrative access and enforce stricter authentication rules.|| style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Buffer Overflow|Buffer Overflow]]'''|| align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | BO || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Defend infrastructure from known exploit signatures (e.g. CodeRed) and alert/block parameter anomalies.|| style="border-width:2px 1px 2px 1px;" | Build on a memory-managed code platform or otherwise prohibit direct memory management.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Clickjacking|Clickjacking]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | CJ || style="border-width:2px 1px 2px 1px;" | Browser vendors should standardize on CSP directives to support safe framing options for framed sites.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Support configurable options for setting X-Frame-Options header and automatically embedding framebusting code in HTML/Script/CSS for older user agents that do not support XFO.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Content Spoofing|Content Spoofing]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | CS || style="border-width:2px 1px 2px 1px;" | Provide a new response status code for "File not found, but show custom 404 content body AND replace the URL displayed in the title bar because the current requested URL will confuse users".|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | If the framework supports user-supplied content, such content must be clearly marked as such in the display context.|| style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Cookie Theft/Session Hijacking|Cookie Theft/Session Hijacking]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | CT || style="border-width:2px 1px 2px 1px;" | Define a new standard for transmitting session information to replace cookies.|| style="border-width:2px 1px 2px 1px;" | Terminate/regenerate session if the session token is transmitted insecurely. Help enforce cookie/session management rules.|| style="border-width:2px 1px 2px 1px;" | Enforce Secure and HttpOnly flags for all cookies. Alert user and deauthorize oldest session when multiple simultaneous login is detected. Terminate session if User-Agent string or other client fingerprinting changes. Terminate session if user acceses login page.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Cross-Site Scripting (XSS)|Cross-Site Scripting (XSS)]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | XS || style="border-width:2px 1px 2px 1px;" | Browser vendors and standards bodies should agree on markup for elements to contain dynamic content (e.g. Flash, JavaScript, HTML, etc.) inline without allowing the dynamic content to perform malicious actions such as navigating the parent window, reading or writing data across trust boundaries, or other undesirable behaviors as determined by the owner of the containing page.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Automatically sanitize any dynamic content before writing it into HTML, XML, or other documents that might be rendered by user agents that execute active content. If dynamic content must include dangerous elements, provide APIs which filter and sanitize potentially dangerous attributes of these elements. Exceptions and attribute configurations should be described by a policy file instead of hard-coded into the framework itself or into function calls. || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Cross-Site Scripting (XSS) - DOM-Based|Cross-Site Scripting (XSS) - DOM-Based]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | XD || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | "Web 2.0" frameworks must expose an API for page creation/modification that does not use document.write/ln or allow dynamic data to be injected into innerHTML or similar DOM element attributes.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Cross-Site Request Forgery|Cross-Site Request Forgery]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | XF || style="border-width:2px 1px 2px 1px;" | Change default browser behavior to look for policy file for cross-domain writes instead of "default allow", transitioning through CSP framework.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Automatically generate and check tokens for all POST requests by default, with configuration-based exclusion list. Disallow state changes via GET requests, enforcing RFC.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Denial of Service (Application Based)|Denial of Service (Application Based)]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | DA || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | See Brute Force (Generic)|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" | Profile resource-dependent transactions and build transaction queues and alerting when queues reach thresholds. Enforce transaction-based rate limits.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Denial of Service (Connection Based)|Denial of Service (Connection Based)]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | DS || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Recognize and dynamically adapt to deliberately slowed connection attempts by dropping slower connections during a detected event. The perimeter should protect itself and the Web server from saturation by slow connections.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Directory Indexing|Directory Indexing]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | DI || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Disable directory listings in the web- or application-server configuration by default.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Fingerprinting|Fingerprinting]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | FP || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Infrastructure should not leak any information which can be used to identify the platform or infrastructure technology. Perimeter technologies should strip all such information from outgoing responses.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | URL structure should not reveal the underlying technology. Default content should be removed when possible. Tools that assist development or debugging should not be hosted or accessible.|| style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Format String|Format String]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | FS || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Alert and/or block on known format string signatures.|| style="border-width:2px 1px 2px 1px;" | Prohibit access to vulnerable APIs and provide safe wrappers of those APIs instead.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - HTTP Request/Response Smuggling|HTTP Request/Response Smuggling]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | HS || style="border-width:2px 1px 2px 1px;" | Tighten RFC standards to describe precise behavior for malformed request/response data. Shame non-conforming implementations into compliance. Increase SSL adoption to prevent proxy tampering.|| style="border-width:2px 1px 2px 1px;" | Enforce strict parity match between requests and responses, discarding extraneous Content-Length headers and canonicalizing requests/responses.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - HTTP Response Splitting|HTTP Response Splitting]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | HR || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Automatically URL-encode CRLF characters in dynamic data before writing to HTTP response headers.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - HTTP Request Splitting|HTTP Request Splitting]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | HQ || style="border-width:2px 1px 2px 1px;" | Tighten RFC standards to describe precise behavior for malformed requests. Shame non-conforming implementations into compliance. Increase SSL adoption to prevent proxy poisoning.|| style="border-width:2px 1px 2px 1px;" | Enforce strict canonicalization on all incoming HTTP requests.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Implicit Logout|Implicit Logout]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IG || style="border-width:2px 1px 2px 1px;" | Define a new standard for handling sessions. Define CSP or other standard for triggering a logout flow when user browses away from a site. At least destroy session cookies.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Detect when a user browses away from the site and automatically log the user out of the application.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Improper Filesystem Permissions|Improper Filesystem Permissions]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IF || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Ensure that proper file and directory permissions are applied. Enforce stricter default permissions.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Improper Input Handling|Improper Input Handling]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | II || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide canonicalization and positive validation APIs for common data types, with configurable rules to reject or sanitize bad data.|| style="border-width:2px 1px 2px 1px;" | Provide canonicalization and positive validation APIs for custom data types, strictly enforcing business rules, with configurable rules to reject or sanitize bad data.|| style="border-width:2px 3px 2px 1px;" | Never use primitives in custom code.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Improper Output Handling|Improper Output Handling]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IH || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide context-sensitive encoders for all common data types in all output contexts, ensuring no custom code can write directly to output.|| style="border-width:2px 1px 2px 1px;" | Provide context-sensitive encoders for all custom data types in all output contexts, ensuring no custom code can write directly to output.|| style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Information Leakage|Information Leakage]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IL || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Alert, block, or sanitize classified data in responses. Automatically scrub HTML, JavaScript, CSS, and other data formats of comment data and stack traces. Configure platform to return generic error codes by default and log locally. || style="border-width:2px 1px 2px 1px;" | Provide common error-handling framework and APIs which take two error messages as parameters: one to be displayed to the user and one to be written to logs. Provide configurable content expiration/caching interface; default to no-cache, no-store.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" | Don't leak information via error parity mismatches.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Insufficient Authentication/Authorization|Insufficient Authentication/Authorization]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IA || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide configuration-based authentication and authorization platform.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" | Apply least-privilege principle to all transactions, requiring authentication and authorization where applicable.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Insufficient Data Protection|Insufficient Data Protection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | ID || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide a configuration-based suite of encryption utilities for all data security needs including HMAC, symmetric, password hash, and asymmetric encryption requirements.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Insufficient Password Recovery|Insufficient Password Recovery]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IR || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide generic credential recovery with configurable "secret question" and multi-factor side-channel authentication functionality (e.g. SMS, email, etc.).|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Insufficient Process Validation|Insufficient Process Validation]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IP || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Require state validation rules to be specified for multi-step flows.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" | Enforce state validation for asynchronous transactions.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Insufficient Session Expiration|Insufficient Session Expiration]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IS || style="border-width:2px 1px 2px 1px;" | Define a new standard for instructing the browser about session timeouts and how to handle them.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide and enforce configurable absolute and inactivity-based session timeouts.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Insufficient Transport Layer Protection|Insufficient Transport Layer Protection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IT || style="border-width:2px 1px 2px 1px;" | Fix DNS and browser technologies so that the intent of domain owners can be more strictly followed.|| style="border-width:2px 1px 2px 1px;" | Enforce Strict Transport Security and redirect any HTTP request to HTTPS.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 3px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Integer Overflow/Underflow|Integer Overflow/Underflow]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | IO || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide safe wrappers for primitive numeric types.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" | Never use primitives without strict checking for underflow/overflow conditions.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - LDAP Injection|LDAP Injection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | LI || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide safe libraries for LDAP communication which properly encode dynamic data.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Mail Command Injection|Mail Command Injection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | MI || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide safe libraries for SMTP and IMAP interaction that properly encode dynamic data.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Null Byte Injection|Null Byte Injection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | NB || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Alert and/or block on known null byte attacks.|| style="border-width:2px 1px 2px 1px;" | Provide safe libraries that automatically encode dynamic data in any context which uses null bytes as control characters.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - OS Commanding|OS Commanding]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | OC || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Build safe wrappers for system calls which prevent dynamic data from changing the intended meaning of the call.|| style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Path Traversal|Path Traversal]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | PT || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Canonicalize URLs and prevent directory access outside the web root.|| style="border-width:2px 1px 2px 1px;" | Provide safe libraries for accessing the file system which canonicalize path references and enforce proper access control.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Race Conditions|Race Conditions]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | RC || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Prevent singletons from instantiating class-scope objects. Provide transaction integrity for task queues.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Remote File Inclusion|Remote File Inclusion]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | RF || style="border-width:2px 1px 2px 1px;" | Define a standard for safe inclusion of 3rd-party code and content which enforces namespace separation and mediates namespace/DOM access.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide proxy library to sanitize/sandbox third-party code and content for safe inclusion (e.g. Caja).|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Routing Detour|Routing Detour]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | RD || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide configuration-based whitelist for WS Routing destinations.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Server Misconfiguration|Server Misconfiguration]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SM || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Ensure proper application settings are deployed in configuration file/s. Provide secure default settings.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Session Fixation|Session Fixation]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SF || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Do not start sessions with user-provided tokens and rotate session IDs periodically during longer sessions. Reissue new tokens automatically whenever the privilege level of the user changes.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - SOAP Array Abuse, XML Attribute Blowup, XML Entity Expansion|SOAP Array Abuse, XML Attribute Blowup, XML Entity Expansion]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SA || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Perform schema validation of XML structure on incoming requests.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - SSI Injection|SSI Injection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SS || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Do not support SSI with dynamic file names.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - SQL Injection|SQL Injection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | SI || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide safe libraries for communicating with SQL servers which enforce parameterized query patterns.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" | Do not create queries with dynamic data in stored procedures.
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - URL Redirector Abuse|URL Redirector Abuse]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | UR || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide configurable white list for redirection URLs in 3XX responses, Refresh headers, and JavaScript redirects.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - Weak Authentication Methods|Weak HTTP Authentication Methods]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | WA || style="border-width:2px 1px 2px 1px;" | Define a new, safe standard for HTTP-based authentication. || style="border-width:2px 1px 2px 1px;" | Reject HTTP Basic Auth, NTLM, and Digest Authentication requests. Block or proxy inline 3rd-party content.|| style="border-width:2px 1px 2px 1px;" | Block or proxy inline 3rd-party content.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - XML External Entities|XML External Entities]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | XE || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Disable External Entities within the XML parser. Enforce strict, static, internal DTDs.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 2px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - XML Injection|XML Injection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 2px 1px;" | XI || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 1px 2px 1px;" | Provide safe libraries for constructing XML documents which automatically encode dynamic data.|| style="border-width:2px 1px 2px 1px;" | || style="border-width:2px 3px 2px 1px;" |
|-
| style="background:#f0f0f0; border-width:2px 1px 3px 3px;" | '''[[OWASP Periodic Table of Vulnerabilities - XPath/XQuery Injection|XPath/XQuery Injection]]''' || align="center" style="background:#f0f0f0; border-width:2px 1px 3px 1px;" | XP || style="border-width:2px 1px 3px 1px;" | || style="border-width:2px 1px 3px 1px;" | || style="border-width:2px 1px 3px 1px;" | Provide safe libraries for constructing XPath queries with dynamic data. Provide safe libraries for XQuery construction which parameterize query values.|| style="border-width:2px 1px 3px 1px;" | || style="border-width:2px 3px 3px 1px;" |
|}

= Release Formats =

* [[Media:Periodic Table Infographic.pdf|Compressed view]] - One-pager that highlights the vulnerability classes that developers will still have to worry about at the top, with "solved" vulnerabilities ordered toward the bottom.
* Infographic - Cartoony, visually-appealing storyboard introduction of the project, its goals, and high-level approach.
* [[OWASP Periodic Table of Vulnerabilities#Periodic Table of Vulnerabilities|Working View/Summary]] - Working view summarizes solutions in respective columns for quick reference but doesn't provide details. May link to detailed sections.
* Solution Detail (see linked issues on summary view) - Detailed view combines references, detailed solution designs, discussion/controversy detail, and other relevant information for each solution recommendation. The detail view does NOT explain what each vulnerability/weakness is - it only references existing vulnerability descriptions from other projects (e.g. OWASP Top 10, WASC TCv2, CWE, etc.). A short summary of root cause(s) is included, but only to the level of depth required to suggest all of the solution design elements that need to be addressed.
* Solution Checklist - Summary of solutions grouped by target (e.g. perimeter or framework) so that maintainers of standards, frameworks, and perimeter technologies can view the solutions required for their areas ONLY. May require templating to generate list automatically, or short summaries in place of detailed descriptions.
* Periodic Table View - Vulns/Weaknesses laid out like the table of chemical elements, with solution target along the top and some measure of severity progressing down through the "periods". Top 10 could be highlighted in some way. Issues may show up in multiple periods. Poster-size so we can get all the relevant information in each "element".

= Project About =
{{:Projects/OWASP_Periodic_Table_of_Vulnerabilities}}

__NOTOC__ <headertabs /> 

{{OWASP Builders}}
[[Category:OWASP Project]]