'''This page contains project Applications to the [[OWASP_Summer_of_Code_2008|OWASP Summer Of Code 2008]]'''

= A few notes =
*'''If you want to apply for a SoC 2008 sponsorship you HAVE TO USE THIS PAGE for your application.'''
** See [[OWASP Summer of Code 2008#How To Participate (To Developers)|How To Participate]] for what to do once you completed your Application.
** Please remember that projects will be selected and funded based on how well they meet the [[OWASP Summer of Code 2008#Jury and Selection Criteria| Selection Criteria]].
** Please see [[OWASP Autumn of Code 2006 - Applications|AoC 06]] and [[OWASP Spring Of Code 2007 Applications|SpoC 07]] for examples of Applications.
* '''You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic. We strongly suggest that you include [[OWASP Summer of Code 2008 Applications - Proposal Type|this information in your proposal]].
'''
= Applications - {Fill in below} =

== The Application Security Desk Reference - ASDR ==
* Leonardo Cavallari Militelli
* Proposal: Make [[OWASP ASDR Project|OWASP ASDR Project]] a release quality document.

The ASDR is a reference volume that contains basic information about all the foundational topics in application security. It intends to replace and refresh [[OWASP Honeycomb Project|Honeycomb Project]] with a new structure for articles and relationship between categories, thus making it a release quality doc.

This idea raised when finished the [[Attack|Attack Reference Guide]] for [[OWASP Spring Of Code 2007|OWASP Spring Of Code 2007]], where it was identified that OWASP reference articles need some special attention. Jeff Williams is totally supporting this project.

We already have defined which type of article we should include on Desk Reference, as follows:
* [[:Category:Principle|Principles]]
* [[:Category:Threat_Agent|Threat Agents]]
* [[:Category:Attack|Attacks]]
* [[:Category:Vulnerability|Vulnerabilities]]
* [[:Category:Countermeasure|Countermeasures]]
* [[:Category:Technical Impact|Technical Impacts]]
* [[:Category:Business Impact|Business Impacts]]

*Road Map: A complete project roadmap can be found on '''[[ASDR Table of Contents|ASDR Table of Contents]]'''. Basically, the following activities should be performed, some of them already started:
** Define articles templates for each reference type
** Define subcategories for articles classification
** Compile first DRAFT version of ASDR Book
** Articles development & Call for Volunteers
** Articles revision
** First version of OWASP ASDR book

== OWASP Code review guide, V1.1 ==
* Eoin Keary,
'''Code Review Guide Proposal''':

'''Introduction:'''The code review guide is currently at version RC 2.0 and the second best selling OWASP book.
I have received many positive comments regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity.

It has even inspired individuals to build tools based on its information and I have convinced such people (Alessio Marziali) to open source their tool and make it an OWASP project.

The combination of a book on secure code review and a tool to support such an activity is very powerful as it gives the developer community a place to start regarding secure application development.

'''Proposal:'''
I am proposing that I improve the code review guide from a number of aspects. This should place the guide as a de facto secure code review guide in the application security industry.

'''Additional and expanded Chapters:''' 

'''Transactional analysis''' 
Expand chapter. 
Examples via diagrams. 

'''Threat Modeling and Analysis''' 
The approach to examining an application to be reviewed. 
Focusing on areas of interest. 

'''Example reports and how to write one''' 
How to determine the risk level of a finding. 

'''Automated code review''' 
Code crawler documentation and usage. 

'''Rich Internet Applications''' 
Expanded chapters on Flash, Ajax. 

'''The OWASP ESAPI (Enterprise Security API)''' 
What it is, Why use it. What to review. 

'''Code review Metrics:''' 
How to compile, use and analyse metrics. 
Rolling out metrics in the Enterprise. 

'''Integrating Code review with an existing SDLC'''
Integration of Secure Code review with an existing SDLC. 
Secure Code review roadmap definition. 
Documentation requirements. 
Scope definition. 
SDLC steering comittee establishment. 
Performace criteria, benchmarks and metrics. 
Integration of SDLC results into key IT governance areas. 
Critical success factors. 

== The OWASP Testing Guide v3 ==
* Matteo Meucci
* The OWASP Testing Guide v2 was a great success, with thousand downloads and many many Companies that have adopted it as standard for a Web Application Penetration Testing.
Now it's time to begin a new project that is based on v2 but improve it and complete it.

In the OWASP Testing Guide v2 we have split the set of tests in 8 sub-categories:

* Information Gathering
* Business logic testing
* Authentication Testing
* Session Management Testing
* Data Validation Testing
* Denial of Service Testing
* Web Services Testing
* AJAX Testing

The following are my thoughts about the new OWASP Testing Guide v3:

1) Authorization testing missing. As Jeff and Dave said many time before it's important to create a new category.
2) Information gathering is not a set of vulnerabilities --> not in report --> new category: Passive mode analysis
3) Infrastructural test --> new category
4) Web Services section needs improvement
5) AJAX Testing section needs improvement
6) New category: Client side Testing. AJAX and Flash Testing

* This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyze the OWASP Testing Guide v2 vulnerabilities and a plan for create the new v3.

== Code Crawler ==
* Alessio Marziali (aka nTze) 

'''Description''' 
This tool is aimed at assisting code review practitioners. It is a static code review tool which searches for key topics within .NET and J2EE/JAVA code.
The aim of the tool is to accompany the OWASP Code review Guide and to implement a total code review solution for "everyone"; Where "everyone" means "more" companies performing secure software activities. 
Key areas of improvement: 
'''Reporting''' 
- PDF
- Microsoft Office Compatible Word Document
- HTML

'''Scanning''' 
- Multiple File scanned at the same time 
-- Open Microsoft Visual Studio's Solutions 

'''Bigger Database''' 
Which will provide more information about the threats such vulnerability type (XSS,SQL Injection, Remote File Inclusion etc). 
'''Security Software Life Cycle''' 
A feature that will let you save the threats for each project/document, so the reviewer can check how the development is going from a “security prospective” during the entire software lifecycle. 

Improvement of the code scan system. 

== The Owasp Orizon Project ==
* Paolo Perego (aka thesp0nge),
* The Owasp Orizon Project,

'''Introduction'''

The [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Owasp Orizon Project] born in 2006 in order to provide a framework to all Owasp projects developing code review services.

The project is in a quite stable stage and it is usable for Java static code review and some dynamic tests against XSS.
Owasp Orizon includes also APIs for code crawling, usable for code crawling tools.

[http://milk.sf.net Milk] project is a java code review tool I'm writing using Orizon as background engine. Its goal is to show engine capabilities.

'''Objectives and deliverables'''

* plugin architecture for static code review library: this planned feature will be announced (hopefully, if my CFP will be accepted) to next Owasp European App conf.
* starting C# support
* upgrade from Alpha quality project to Beta quality project in accord to [http://www.owasp.org/index.php/Category:OWASP_Project_Assessment Owasp Project Assessment criteria]

'''Why I should be sponsored for the project'''

Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.

I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now. I'm a developer too so I understand also the "dark side" of the problem developing code with security in mind.

I work using the "release early release often" paradigm so to be concrete and let other people having something usable to work with.

In the last year Owasp Orizon evolved a lot with a good static code review engine and a lot of code was written to give Owasp guys the best framework as possible to be used for writing code review tools. I hope to pursuit my goals again with SoC 2008.

== Skavenger ==
* Matthias Rohr

'''Introduction'''

Skavenger is a web application security assessment toolkit which arised from many years of professional experience in the web application assessment field and is the result of nearly one your of work.

It passively analyzes traffic logged by various MITM proxies (such as WebScarab and Burp) as well as other sources (like Firefox's LiveHTTPHeader plugin) and helps to identify various kinds of possible vulnerabilities (such as XSS, CRLF injection, an insecure session management and several kinds of information disclosure). Skavenger's modular design allows the integration of custom scanning modules without any knowledge about the tool at all.

Skavenger is completely written in Perl and can be downloaded from:
https://sourceforge.net/projects/skavenger/

'''Objectives and deliverables'''

Here are some ideas:
* A GUI to monitor and analyze scanning results
* More sophisticated scanner modules (e.g. for better backend identification and more platform specific tests)
* Database integration
* API's to integrate modules in other languages (such as Python or Java).
* Better source integration with custom Firefox, Burp or (of course) WebScarab plugins

== OWASP .NET Project Leader ==
* Mark Roxberry

'''Project Proposal'''

Assume the lead of the OWASP .NET Project. Ensure that information, materials and software are relevant to building secure .NET web applications and services. Provide deep content for all roles related to .NET web applications and services including:

* Architectural guidance
* Developer tools, information and checklists
* IT professional content (for those that deploy and maintain .NET websites)
* Penetration testing resources
* Incident response resources

The OWASP .NET Project Leader will actively recruit .NET contributors, including personnel from Microsoft, but others throughout the .NET ecosystem. Including experts from communities from large companies to ISVs, from enterprise architects to ALT.NET developers will be important for the overall reach of the OWASP .NET project. Other communities to consider include developers who use Mono (.NET for Linux), including Moonlight (Silverlight for Linux).

The OWASP .NET Project Leader will actively contribute to the OWASP projects that require .NET resources, by recruiting resources or contributing to the project.

I propose to have the project active in 1-3 months, with continuous recruitment efforts for contributors for the life of the project. Metrics for success can include number of contributors, number of articles, search engine ranks for pages and site visit counts. For the application however, I will submit that within 3 months I can provide a baseline to set site goals for each metric.

'''Why I should be sponsored for the project'''

I have previously contributed to the OWASP Test Guide v2 project, providing content and reviewed content. I care about the OWASP mission. In fact, I have used the OWASP Top 10 to teach developers about vulnerabilities in web applications.

I have 15 years of technical leadership experience using Microsoft technologies. I have lead small and large teams as a technical lead, lead developer and architect on small and large projects. I am a Certified Information Systems Security Professional (CISSP) and a Certified Ethical Hacker. I am on top of current trends and required to be informed regarding .NET web development and security, including, for example ASP.NET MVC, Silverlight, Unity, Entity Framework. I am personally interested in providing security resources to .NET developers globally, specific and applicable to their projects.

== OWASP Backend Security Project ==
* Full name: Carlo Pelliccioni
* Project: OWASP Backend Security Project
* Project description:
:OWASP Backend Security Project is a new project created to improve and to collect the existant information about the backend security.
:The project is composed by three sections (security development, security hardening and security testing).
:The aim is to define the guidelines for the companies and IT professionals working in the security field into processes development and back-end components management/testing in the enterprise architecture.

* Objectives:

'''Overview'''
Create a section with an introduction about the project (high-level description) explaining the main
goals.

'''Development'''
Include the writings already existant in OWASP wiki concerning PHP,
JAVA and ASP.NET and extend the projects' sections with new contents.

'''Hardening'''
Create new guidelines about the dbms hardening

'''Testing'''
Include the writings already existant in OWASP wiki about security testing.
Create new articles about security testing.

== OWASP Classic ASP Security Project ==
* Juan Carlos Calderon
'''Executive Summary''' 
I am interested in making P018 - OWASP Classic ASP Security Project happen, Classic ASP 2.0 and 3.0 applications are still largely used as this technology is more than 10 years old and was largely used. there are thousands of sites on the wild that need guidance on the security arena. This is where OWASP can come up and provide help for “making the Web a better place” and continue spreading the word on security. I have always be a passionate of the technology (regardless of its inconveniences such as being old and DLL-hell prone) and I am really exited on the idea of sharing my knowledge of this area to the world and what best that though OWASP.

'''Objectives and Deliverables''' 
Create a secure framework for Classic ASP application by complementing existing OWASP projects with documentation for this particular technology and the creation of security libraries. More specifically:
* Creation of a Common Object Repository for ASP applications based on OWASP ESAPI Project including objects and/or references to libraries for security applications all this aligned with OWASP Top10 and OWASP Guide .
* Create Documentation aligned to OWASP Code Review Project Checklist providing additional technology-specific checks.
* Addition of expression for Code Review Tool to support Classic ASP applications.
* Implementation of Version 1 of Stinger for ASP either by using an installable COM library or ISAPI.
* This same module will compliment the OWASP Validation Documentation Project.

'''Why should I be sponsored for the project?''' 
I have 10 years of experience on Web technologies. During 8 years I have performed and leaded hundreds of Security Source Code Reviews and Black box testing on Web Applications. On my current job I lead 30 people in diverse locations all of them working on the Application Security arena, so I am accustomed to execute and deliver.

Also I’ve had close contact with OWASP since 2005
[https://lists.owasp.org/pipermail/owasp-spanish/2005-March/000069.html] by making possible the translation of OWASP Top 10 2004 [http://www.owasp.org/index.php/Top_10_2004] and OWASP Testing Guide V1.17 [http://www.owasp.org/docroot/owasp/misc/testing_spanish.pdf] to Spanish.

== Internationalization Guidelines and OWASP-Spanish Project ==
* Juan Carlos Calderon
'''Executive Summary''' 
The main goal of OWASP is to spread the word about security (“Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks.”) and OWASP has done great work so far :). And now it’s time for a next big step.

The number of native and secondary speakers in the world for Chinese, Spanish, French, Russian, Arabic and Indi languages are estimated in similar number to English speaking or even more (Some References at [http://en.wikipedia.org/wiki/Ethnologue_list_of_most_spoken_languages Ethnologue], [http://encarta.msn.com/media_701500404/Languages_Spoken_by_More_Than_10_Million_People.html Encarta], [http://en.wikipedia.org/wiki/List_of_languages_by_number_of_native_speakers Wikipedia]). I think is a good time for OWASP to reach those that do not speak English to have full access to all the OWASP materials, not just a couple of documents.

OWASP, while open to translations, do not have clear guidelines on how to translate OWASP contents and (AFAIK) there is no multi-language support in OWASP.org site. This is understandable as there is no formal project for internationalization so far.

'''Oportunity and Effort''' 
This is great opportunity to make Spanish the first language on which the OWASP site and documentation is fully translated and at the same time share the experience with other people interested in the same objective, Bring OWASP to the world. And this is something I’ve being pushing for some time ago and that could be possible “at once” via SoC 2008.

I understand this is significant effort so to have it done I will count with the help of 6 people (friend of mine, all of them Security auditors with excellent English level) plus a few well known contributors from OWASP-Spanish effort, so the founding will be divided among the people involved in the same proportion of the work they do for the completion of this effort. This, to encourage delivery.

'''Objectives and Deliverables''' 
* Team up with Larry Casey to implement Multilanguage support in OWASP.org Mediawiki.
* General Guidelines on minimum/recommended requirements to start a new language translation for OWASP Document and Site Pages
* General Guidelines on minimum/recommended requirements to implement internationalization and localization ([http://www.w3.org/International/ i18n]) on OWASP Software
* Full translation to Spanish of all the release-level document projects. Those are:
** Top 10 2007
** Guide 2 (Already translated)
** Testing Guide (Already Translated)
** Legal
** FAQ
* Full Translation of major sections of OWASP Site
** Project Main Pages (Release, Beta and Alpha levels for both documents and tools projects)
** Principles
** References Section
** Conferences
** News (Those currently displayed in OWASP site)
** About OWASP
* Evaluation of Spanish translation approach for WebGoat and WebScarab and delivery of this document to Bruce and Rogan for possible implementation in near future.
* Leverage for deploy of es.owasp.org, the domain already exists but is not redirecting correctly.
* Create a Communication strategy to help and keep track on new pages or changes in significant pages so all the translations are in sync.

'''Out of Scope''' 
Translation of the following sections are NOT in Scope
* Local Chapters Pages
* Presentations
* Conferences
* Videos
* Blogs
* All the projects deliverables in Alpha and Beta Stages
* All the documentation “on development” like Guide Version 3.0
* Translation of Pages, documentation or tools to other language other than Spanish according to the stated in above section.

'''Why should I be sponsored for the project?''' 
I’ve being part of contributions to OWASP documents on the translation arena since 2005 [https://lists.owasp.org/pipermail/owasp-spanish/2005-March/000069.html], a few of them by making possible the translation of OWASP Top 10 2004 [http://www.owasp.org/index.php/Top_10_2004] and OWASP Testing Guide V1.17 [http://www.owasp.org/docroot/owasp/misc/testing_spanish.pdf] to Spanish. It is time to make the full job done :).

I have 10 years of experience on Web technologies. During 8 years I have performed and leaded hundreds of Security Source Code Reviews and Black box testing on Web Applications. On my current job I lead 30 people in diverse locations all of them working on the Application Security arena, so I am accustomed to execute and deliver.

== The Ruby on Rails Security Guide v2 ==
Heiko Webers

The last security guide for Rails [http://www.owasp.org/index.php/Category:OWASP_Web_Application_Security_Put_Into_Practice] was a great success, with a lot of more secure web applications and continued awareness in the community of security issues. The Ruby on Rails Security Project [http://www.rorsecurity.info/] is the one and only source of information about Rails security topics, and I keep the community up-to-date with blog posts and conference talks in Europe. The Guide and the Project has been mentioned in several Rails books and web-sites.

Version 1 of the Ruby on Rails Security Guide was sponsored by the SpoC 07, set the standard for OWASP programming language specific guides in terms of the topic outline and has been published as a book [http://www.lulu.com/content/1412042]. Nevertheless I'm convinced that a more compact design and a "question-and-answer" style of writing will reach an even larger audience. Of course the new Guide will still include answers to the OWASP Top Ten security vulnerabilities.

A lot has changed since the publishing of the first Guide. Some new security holes have been found, there are new advises and most importantly Rails version 2.0 has been released. The new Ruby on Rails Security Guide aims at providing an up-to-date coding and configuration guide for the Rails community.

In the new Rails Security Guide I'd like to
* update the entire book to match Rails 2.0
* cover new topics, including, but not limited to:
** Intranet and administration interface security,
** phishing,
** real-world attack situations,
** short excursus on server monitoring,
** the new CookieStore session management,
** vulnerabilities in popular plug-ins,
** denial-of-service attacks
* cover all OWASP Top Ten security vulnerabilities
* a more compact writing style, more examples and "questions-and-answers"
* introduce the OWASP and Rails security to a greater audience

== OWASP Application Security Verification Standard ==

*Mike

'''OWASP Application Security Verification Standard Proposal'''

'''Educational and professional background'''

The applicant is a hands-on senior professional services manager with a trademark of
developing creative solutions to complex application security-related technical problems.

'''Application security experience and accomplishments'''

The applicant has a background in trusted product evaluation:

*CC evaluation
*CC evidence development, including operating system test code development
*CC project management
*TCSEC evaluation
*TCSEC project management
*TEF management
*CCTL management

The applicant also has a background in security-related software development and integration:

*PKI toolkit development
*PK-E application integration
*Secure web portal application development
*Secure web portal integration
*Secure instant messaging application development, including three patents

The applicant also has a background in cryptomodule testing:

*FIPS 140 evaluation
*FIPS 140 evidence development

'''Participation and leadership in open communities'''

The applicant does not have experience in contributing to open communities.

'''The opportunity, challenges, issues or need your proposal addresses'''

OWASP is looking for a commercially-workable open standard for performing application security verification efforts. The problem is that there is a huge range in the coverage and level of rigor available in the market, and consumers have no way to tell the difference between someone just running a grep tool, and someone doing painstaking code review and manual testing. So, a standard is needed.

'''Objectives or ways in which you will meet the goal(s)'''

The applicant’s proposal will address the above challenges as follows:

*The applicant will define an evaluation framework that may be used to conduct OWASP Application Security Verification Standard certifications.
*The applicant will define an OWASP Application Security Verification Standard which defines levels that applications may be certified against.

'''Specific activities and who will carry out these activities'''

The applicant will carry out these activities. Please see below for a proposed list of specific deliverables.

'''Specific deliverables and a rough project schedule so we can track progress'''

The applicant proposes the following deliverables:

*'''Scheme Overview document.''' This will define the overall framework with roles, responsibilities, and processes.
*'''Evaluation and Certification document.''' This will describe the evaluation and certification process.
*'''Conditions for the Use of Trademarks.''' This will describe OWASP’s name, logo, and certificate may be used and referenced.
*'''Evaluation Report Content Requirements.''' This will describe the content requirements of evaluation reports.
*'''OWASP Application Security Verification Standard.''' This will define the levels that applications may be certified against.
*'''OWASP Application Security Verification Standard Appendix A.''' This will define the required content of the OWASP Application Security Verification Standard Security Policy.
*'''Policy Letter #1. Acceptance of Security Policies into OWASP Evaluation''' This will define the requirements to be listed as in evaluation on the OWASP web site.

The applicant proposes the following rough project schedule:

*2nd April. Project kickoff.
*15th June. Alpha Quality drafts of Scheme Overview document and of OWASP Application Security Verification Standard document completed.
*31st August. Project completion. Beta Quality drafts of all documents completed.

'''Long-term vision for the project'''

The long-term vision for the project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing application security verification.

'''Any other reasons why you and your project should be selected.'''

The applicant has a uniquely-qualified perspective given his experience with TCSEC, TTAP, CC, FIPS 140-1, and FIPS 140-2 evaluation programs, and his real-world perspective as a developer and integrator of security-related applications.

== GTK+ GUI for w3af project ==

''Facundo Batista''

'''Your educational and professional background'''

I'm Electronic Engineer with a Master in Engineer Innovation in
Bologna University, Italy. I live in Buenos Aires, Argentina, and love
reading books, playing tennis, and programming Python.

I worked in a mobile company for six years, in the Network Management
department, then I was Chief Developer of a Mobile Content Provider,
and now I'm Solution Architect in Multimedia & Systems Integration in
Ericsson. Also I was professor in several universities, high schools
and other institutions.

'''Application security experience and accomplishments'''

None, more than working in w3af. However, my proposal here is not
related to the security part of the product, but to its graphical
interface and usability.

'''Participation and leadership in open communities'''

I'm very involved in the free software and open source community. I'm
a Python Core Developer and member of the Python Software Foundation
by merit. I have a long history of talks given in several
international (PyCon, EuroPython) and national (a lot!) conferences. I
also teach Python in educational institutions, enterprises and as a
private instructor. I founded Python Argentina, the national users
groups, and I'm a very active member of it.

I also lead other open source projects (SMPPy, SiGeFi, etc.) and
particpate in others (Docutils, w3af itself, etc.).

'''The opportunity, challenges, issues or need your proposal addresses'''

My main objective is to minimize the effort and learning curve of
using w3af, providing a very usable graphical interface.

Note that as the interface is cross platform, being usable also in the
win32 environment, it will help to popularize the w3af project.

This will allow users without information security knowledge to verify
that their web applications are correctly programmed and configured.

'''Specific activities and who will carry out these activities'''

I will carry the following activities, detailed later in smaller steps:

- Design and code new windows and interfaces to increase the functionality of the project.

- Tuning of the process workflow, allowing a more intuitive way of working.

- Visual polishing for a more pleasant and intuitive tool.

- Usability tests and improvements.

'''Specific deliverables and a rough project schedule so we can track progress'''

''New features implemented in the pyGTK user interface:''

- Local proxy to trap and modify requests and responses sent from a browser.

- Manually send a request and analyze the response.

- Manually create a fuzzed requests based on tokens, so user can construct easily differents HTTP request with a regex-like semantics.

- Wizard to perform a vulnerability assessment.

- Graphical display of site map and vulnerabilities.

- Reload a plugin after its edited from within the pyGTK user interface.

- Embebed tool to encode/decode URL/Base64 and to hash sha1/md5.

- HTTP response side by side content compare.

''Usability improvements in the pyGTK user interface:''

- Meetings with a usability expert that the w3af team leader has already contacted and worked with.

- Kill all pending bugs and make a stable release.

''Documentation:''

- Users guide for the pyGTK user interface.

- Help system for the GUI itself

'''Long-term vision for the project'''

To provide the web application security community with a stable and fully
featured framework to perform all the tasks included in a penetration test
from within the project.

'''Any other reasons why you and your project should be selected'''

w3af is one of the most active web application security projects;
the community that supports it is growing and we need the support of
already established organizations like OWASP to keep working at the
rate that we want to.

== P006 OWASP Corporate Application Security Rating Guide and P025 OWASP Positive Security Project ==

by Eduardo Vianna de Camargo Neves

'''Executive Summary'''

A common approach on most companies is to increase the protection of their assets after the occurrence of a considerable impact. However some companies learned that a positive approach on IT Security is most effective and can reduce the financial costs on responses to security incidents. Benchmarking the application security practices on the corporate world will allow us to understand what steps are required to keep the IT environment protected, using this knowledge to create a public Security Rating Guide that can be used to support the establishment of a security baseline within the community.

Moreover the information from this analysis can be used to support the development of a campaign to spread a positive security posture in the market. The liaison with companies that maintain good security practices will help to start this initiative from a higher degree and involve several actors on the security stage for the same direction to a market were security is understood as a business value.

'''Approach'''

Assessing public materials from the Top 50 Companies and Top 50 Software Companies, a rating guide will be produced showing tangible metrics that are achieved by those companies and allow them to be considered secure enough on a comparison to a baseline of good practices. As a result the Corporate Application Security Rating Guide will be produced and published for the community and the deliverables used to support the development of the Positive Security Project with facts from a real analysis.

'''Benefits'''

The whole community will be benefited from these initiatives. With the adequate support from OWASP to maintain the projects active and liaise with big players on the market, we can expect the following:

• The community will receive a Security Rating Guide that will allow them to compare their own security practices within the market. As this will be a public document, suppliers and buyers worldwide will share the same information allowing them to adequate the expectations on the usage of security services and tools.

• The Security Rating Guide can be used as a marketing tool by the companies, allowing them to sell security as a business value and avoiding the old-fashion and inadequate FUD approach.

• The knowledge and relationship developed during the production of the Security Rating Guide will allow us to produce the deliverables on Positive Security Project with real information, increasing the credibility of the initiative for the market.

• The Security Rating Guide and the Positive Security Project can be walk in parallel, merging their information to support a concise and continuous marketing campaign to encourage a positive approach on the market.

• As an open community free from commercial pressures, OWASP can use both projects to support the evaluation of security products for the market, allowing the organization to receive profits from these services and support current and future projects.

'''Summarized Work Breakdown Structure (WBS)'''

All the activities will be leaded by Eduardo V. C. Neves, which will be responsible as a single point of contact with the sponsors and to manage a team of compromised volunteers from OWASP community and participants from security communities and associations (i.e. ISSA, SANS and ISC2).

The activities will be carried on WBS summarized bellow. Dates presented should be considered as deadlines for the activities:

• Criteria establishment and definition of the Top 50 Companies and Top 50 Software Companies (April 11)

• Assessment of public materials to support the ranking establishment (April 18)

• Establishment of the Corporate Application Security Rating Guide (April 25)

• Publishing of the Corporate Application Security Rating Guide on OWASP web site and promotion over adequate channels (i.e. publications, blogs and associations) (May 09) (1)

• Criteria establishment and approval of marketing templates for Positive Security Project (May 16) (2)

• Development of the Positive Security Project material (i.e. blog and marketing sheets) (May 30)

• Liaison with the OWASP Members, Top 50 Companies and Top 50 Software Companies to present the project and negotiate their participation as supporters, sponsors or contributors. (June 27)

• Update on Corporate Application Security Rating Guide, including their score on Positive Security approach (July 4)

• Presentation of the Positive Security Project approach and Corporate Application Security Rating Guide on the market (July 31) (3)

• Conference calls with team members to evaluate the results of the initiatives in all countries and produce project´s documents (i.e. lessons learned, update on marketing material and evaluation of alternative approaches for the future steps). (August 15)

• Prepare project documentation and present to the OWASP community on the web site (August 31)

''(1) Support from OWASP Foundation is required to liaise with companies and associations worldwide

''(2) Support from OWASP Foundation and community are required to evaluate adequate marketing templates and translate original documents for their own languages''

''(3) Support from OWASP community is required to spread the word on all countries were OWASP members are located.''
'''''

'''Project Control'''

The project will be managed following PRINCE2 Process Model and all control documents published for the OWASP community. The following mandatory project control documents are planned:

• Project Initiation Document: To document project´s background, definition, objectives, approach, etc.

• Communication Plan: To assure that OWASP Community are being continuous communicated about project status and deliverables achievement.

• Highlight Report: To provide the OWASP Community with a summary of the project status, progress and potential problems or areas where help may be required.

• End Project Report: To present project achievements. Should be considered the final project report.

More documents may be included during project development to support the control and assure a high quality level (i.e. issue log, project approach).

'''Long Range Plan'''

Both projects should walk in parallel and be used as tools to support efforts to encourage and make the positive approach a reality on the IT Security field. These initiatives shall be supported by OWASP as long term plans and grow to a continuous world-wide campaign in this direction that must achieve big players on the market and be recognized by the community as a tool that must be used to evaluate security enabled companies and products.

'''Why me?'''

Can be me, you or anyone that carries these projects in a professional fashion and assure that all deliverables are being achieved. The most important parts is to make it happen, talk and get the support from reputable associations and large companies (OWASP Members are a good start) and lead it as a long range responsibility.

I am running to win this project because I believe in all of this. I see both as very valuable initiatives that can help companies to make more business; people to get more jobs and the whole community to win in a scenario where our contributions on the security market are recognized as business tools.

'''About me'''

Information Security professional and enthusiastic with 15 years dedicated to achieve expressive results in the areas of IT, Information Security, Compliance and Project Management. A CISSP in good stand and Officer at the ISSA Brazilian Chapter, my professional career gave me extensive knowledge in several fields of Information Security with accumulated experience at consulting firms, as CSO at a world player company on consumer goods market and now as an entrepreneur at Latin American market.

''Application security experience and accomplishments''

My work experience is on Security Management, Risk Assessment, Business Continuity and Disaster Recovery, Security Awareness and other managed-related fields on our industry. I don’t have hands-on experience on application security and this is the main reason why I am running to be qualified on the project described bellow, where I believe that my skills can be used to achieve an excellent result for the community.

''Participation and leadership in open communities''

• Member of OWASP Brazil where I made some small contributions in a recent past.

• Member of ABNT/CB-21/SC02 committee, Brazilian ISO representative for 27001 and 17799 standards

• Officer of ISSA Brazil Chapter where I am responsible for the South Region and as the editor of Antebellum, the ISSA Brazil Journal

• Founder and member of GISI-PR, an open community focused on discuss and promote Information Security initiatives within Paraná State, Brazil

== P017 - OWASP AppSensor - Detect and Respond to Attacks from Within the Application ==
'''Name'''

Michael Coates

'''Project'''

P017 - OWASP AppSensor - Detect and Respond to Attacks from Within the Application

'''The opportunity, challenges, issues or need your proposal addresses, '''

As critical applications continue to become more accessible and inter-connected, it is paramount that the information be protected. We must also realize that our defenses may not be perfect. Given enough time, attackers can identify security flaws in the design or implementation of an application. In addition to implementing layers of defense within an application, it is critical that we identify malicious individuals before they are able to identify any gaps in our defenses. The best place to identify malicious activity against the application is within the application itself.
Network based intrusion detection systems are not appropriate to handle the custom and intricate workings of an enterprise application and are ill-suited to detect attacks focusing on application logic such as authentication, access control, etc. The application itself is the best place to identify and respond to malicious activity.
This project will create the framework which can be used to build a robust system of attack detection, analysis, and response within an enterprise application

'''Objectives or ways in which you will meet the goal(s), '''

I plan to use a methodical approach throughout the creation of this resource. I will reference my own professional experience, OWASP resources, ESAPI, and academic materials to identify a robust set of potential attacks and identification methods. Thresholds will be recommended for each of the detected attacks. Each recommended threshold value and response recommendation will be accompanied with additional information to describe the purpose of the threshold and recommendation. This additional information will allow the reader to determine if the threshold is appropriate for their implementation.

'''Specific activities and who will carry out these activities, '''

I will complete the following activities:
1. Identify and define attack patterns against applications
2. Document points of detection within the application for the attack patterns & identify key information to log
3. Create thresholds for generating security alerts
4. Define recommended response actions for the security alerts

'''Specific deliverables and a rough project schedule so we can track progress, '''

April 2, 2008 - Project Begins

April 2, 2008-April 12, 2008 - High level planning & design

April 12, 2008-May 1, 2008 - Identify and define attack patterns against applications

May 1, 2008-June 1, 2008 - Document points of detection within the application for the attack patterns & identify key information to log

June 1, 2008-June 13, 2008 - Pier Review & Revisions

June 15, 2008 - Status Report

June 16, 2008-Aug 15, 2008 - Create thresholds for generating security alerts

June 16, 2008-Aug 15, 2008 - Define recommended response actions for the security alerts

Aug 16, 2008-Aug 30, 2008 - Pier Review & Revisions

Aug 31, 2008 - Project Complete

'''Long-term vision for the project, '''

1. I’d like to include a tiered type approach of thresholds and responses. This is would be similar to the approach used by FISMA of defining different controls for High, Medium, and Low systems.

2. Building on item #1, I want to eventually include a system which lets the user provide information about their system. This information could include rating or prioritizing different security concerns. a customized set of monitoring points, thresholds and response actions can be recommended for the application based on the provided data.

'''About Me'''

'''Education & Professional Background'''

Masters of Science in Computer, Information and Network Security – DePaul University
(Expected Graduation 2009)
Bachelor of Science in Computer Science – University of Illinois
Extensive experience in conducting black and white box security reviews of complex applications and networks for major financial organizations and international telecoms. I also have experience working as the primary investigator of attacks against a multi-national organization with IDS sensors in networks throughout the world. In addition, I have experience working with several regulatory controls and security standards (FISMA, NIST, GLBA etc). My experience as an ethical hacker and incident responder puts me in an excellent position to tackle this project.

'''Application security experience and accomplishments'''

I am a Senior Computer Security Engineer with Aspect Security where I perform security code reviews and application security testing against a variety of platforms. Prior to working with Aspect Security, I was heavily involved in the discovery and exploitation of application vulnerabilities during black box ethical hacking assessments for numerous clients.

'''Participation and leadership in open communities'''

I am a member of OWASP and attend Chicago OWASP chapter meetings. I also attend ChiSec, an informal meet-up of security professionals in the Chicago area. In addition, I interact with the community through my security blog. http://michaelcoates.wordpress.com.

'''Any other reasons why you and your project should be selected. '''

I created a similar framework while working within a Security Operation Center. I created attack scenarios, identified relevant IDS events, defined thresholds and appropriate response action for the Security analysts.

'''Requested Reviewer - Eric Sheridan, Application Security Consultant at Aspect Security, Inc.'''

Eric Sheridan is an Application Security Consultant at Aspect Security, a consulting services company specializing in application security. At Aspect Security, Eric specializes in execution of security verification assessments and the establishment of security activities throughout the development lifecycle. In addition, Eric is an instructor in Aspect’s portfolio of Application Security Courses. Eric is also an active participant in OWASP whose contributions include work with projects such as WebGoat, Stinger, CSRFGuard, CSRFTester, and the SASAP project from OWASP SPoC 2007. Eric was also a featured speaker at the 2007 OWASP/WASC San Jose conference.

Contact Information: eric dot sheridan 'at' owasp dot org

== OWASP Interceptor Project - 2008 Update ==

by Justin Derry

http://www.owasp.org/index.php/Category:OWASP_Interceptor_Project

'''Executive Summary'''

The OWASP Interceptor project was originally written by myself and donated to the OWASP project. Since it has been online numerous people have downloaded the tools and used the code/toolkit. Currently the industry has very limited “XML” or SOAP client testing tools that are designed specifically to perform XML interception and manipulation. The Objective of the Interceptor project is to provide a strong tool for performing XML penetration tests against Web Service (or XML/SOAP) endpoints. The tool should not replace other proxy interception tools such as Charles, Web Scarab and so on, but be purely focused on handling and reading XML structures from clients.

The Interceptor tool includes a “swiss-army” knife of features that will help with decoding/hash generation and interpretation of XML code. The key objective is to make a tool that can assist with the collection, inspection and attack replay of XML requests against service endpoints. This year it’s time for an update. The tool doesn’t run on Vista and needs a number of back-end features addressed as well as some help files etc. (Help to get the tool out of BETA status).

'''Objectives this year'''

This year I see the following objectives in the application code base.
• Get the Interface to run on all Window Platforms (.NET) Win2000, XP and Vista;

• Update the TCP handle libraries to be faster

• Update the XML Parser engine to support the latest structures

• Provide a “default” attack database of known XML attack methods (this is a big one)

• Write a number of help files on how to use the tool

• Update the toolkit BASE64 Decoder, XML Generators etc with further tools

• Write a better “reporting” engine to show the result of simulated attack responses

• Better HTTP support for Manipulation, Authentication and Header Injection etc

• Better support for interception and handling AJAX XML requests

These are the core features I would like to introduce, with also further to probably come as a part of the project.

'''Why should I be sponsored for the project?'''

The current development cycle stopped due to limited time and the need to purchase the IDE tools to develop the interface in .NET. As a Summer of Code 2008 sponsored project we can get the IDE interface tools to implement “Vista” features that will see the tool run on all .NET platforms (Win2000, XP and Vista). Recent changes in my job will allow me to spend more time on developing the toolkit.

Over a number of years I have been involved with OWASP, whilst most recently getting involved with running the OWASP Australia Security Conference for 2008, as well as the Brisbane Chapter. I am also working in the Asia Pacific RIM to further increase the awareness of OWASP and Application Security. My Conference duties for the year have finished up (till planning starts again in a couple of months) so my time can be invested in updating the toolkit.

I believe during the previous years, i have shown OWASP that i am willing and able to produce a quality outcome and i am prepared to put the effort into OWASP to acheive the goals set out for this project.

Some of the Sponsorship money for the project would go to purchasing a specific toolkit for the UI. (The UI is important simply because we want the application to be user friendly). Xceed Components provide a Smart UI as well as some of the decoding and compression features the tool needs. This would require us to approach them upfront for a “free” licence or use some of the Sponsorship money to buy the toolkit. But we can tackle that problem when we come to it.

== SQL Injector Benchmarking Project (SQLiBENCH) ==

by Mesut Timur & Bedirhan Urgun

'''Prelude'''

There're a lot of and great open source tools (takeover/dumpers/hybrid) for taking advantage of an sql injection vulnerability both used by web application security specialists and attackers.
Techniques used, databases supported, algorithms employed and abilities implemented by these "sql injectors" greatly varies. Standardization is one of the abstract goals of OWASP and we think it's important to standardize general vulnerability techniques exists in web applications and one of the biggest one is sql manipulation.
In our effort, we aim to produce a standardization of techniques used in exploiting sql injection by automatic tools.

'''Proposal'''

The goal of the project is to create a detailed set of benchmarking criterias for automatic sql injection tools and applying these to a set of open source sql injectors, producing analysis/benchmarking reports.
Additionaly, in a semi-academic manner, algorithms used by several sql injectors will be analyzed both implementation and complexity vise.

'''Deliverables And Project Schedule Milestones'''

Two set of documents will be produced. One of them will include the benchmarking criterias and the other will comprise of analysis of selected sql injectors against the benchmarking criterias.
Moreover, an interactive visual data flow diagram, giving hints to testers about which tool should be used under which circumstances, will be implemented with web-based technologies such as jquery library.

April 03 Project Kickoff

April 03-30 Determination of the benchmarking criterias

May 01-15 Producing a test environment image with 5-6 rdbms (MSSQL Express, Oracle Express, DB2 Express, MySQL, PgSQL, etc.) and a vulnerable application (which will support different sql injection types, databases and include logging capabilities)

May 15-31 Selecting and installing automatic sql injectors onto the test system and starting to use them on vulnerable application

June 01-30 Analysing tools and applying benchmarking criterias, contacting the authors as we proceed

July 01-31 Producing reports for benchmarking criterias and tool analysis

'''About Us'''

We're part of OWASP-Turkey. [http://www.h-labs.org Mesut Timur] is a junior in the Computer Engineering Dept. of [http://www.gyte.edu.tr University of GYTE] and [http://www.webguvenligi.org Bedirhan Urgun] is a web/application security specialist in [http://www.uekae.tubitak.gov.tr TUBITAK-UEKAE].

== OWASP-WeBekci Project ==

==== Executive Summary: ====

Web application firewalls (WAF) are gaining importance among the information security technologies designed to protect web sites from attack. WAF solutions prevent attacks that network firewalls and intrusion detection systems can't and they require no modification of application source code. ModSecurity [http://www.modsecurity.org/] is an open source web application firewall that runs as an Apache module. It is an embeddable web application firewall and it provides protection from a range of attacks against web applications. It is an open source project available to everyone; it however does not come with an admin panel.

I decided to provide this essential tool with a control panel which I believe will ease and thus encourage its usage.

ModSecurity allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure. My main goal is to analyze attacks and generate rules to change the configuration of the ModSecurity accordingly.

ModSecurity has a feature called “flexible rule engine” as its heart of Attack Prevention capability . It uses ModSecurity’s “Rule Language,” (a programming language designed to work with HTTP transaction data). It is easy to use and flexible; yet the system administrators need to learn its own rules to create what is called “Certified ModSecurity Rules” to be implemented. My control panel will automate the major code-generation in Rule Language.

==== Objectives and Deliverables: ====

* '''Configuration''' : Most of the configuration parameters will be managed through the web interface
* '''Rule Generator''' : Basic rules will be generated using the web interface
* '''Core Rule Integration''': Core rules will be added to the database for use
* '''Logging and Reporting''': Apache error log and modsec_audit log will be parsed and presented to the user thru the web interface
* '''DB Support''' : MySQL

==== Why I should be sponsored for the project: ====
Being a SpoC2007 project, it couldn't be implemented mainly due to a job change and therefore lack of time. With the help of Bedirhan Urgun we'll be able to produce a quality web admin panel GUI for a same host modsec installation infrastructure. We are both part of OWASP Turkey [http://www.owasp.org/index.php/Turkey] and tried to produce a great deal of awareness both about web security and OWASP with both documents/chapter meetings/email list and mini-conferences.

OWASP Summer of Code 2008 Applications

2008-03-23T14:08:24Z

Bunyamin:

'''This page contains project Applications to the [[OWASP_Summer_of_Code_2008|OWASP Summer Of Code 2008]]'''

= A few notes =
*'''If you want to apply for a SoC 2008 sponsorship you HAVE TO USE THIS PAGE for your application.'''
** See [[OWASP Summer of Code 2008#How To Participate (To Developers)|How To Participate]] for what to do once you completed your Application.
** Please remember that projects will be selected and funded based on how well they meet the [[OWASP Summer of Code 2008#Jury and Selection Criteria| Selection Criteria]].
** Please see [[OWASP Autumn of Code 2006 - Applications|AoC 06]] and [[OWASP Spring Of Code 2007 Applications|SpoC 07]] for examples of Applications.
* '''You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic. We strongly suggest that you include [[OWASP Summer of Code 2008 Applications - Proposal Type|this information in your proposal]].
'''
= Applications - {Fill in below} =

== The Application Security Desk Reference - ASDR ==
* Leonardo Cavallari Militelli
* Proposal: Make [[OWASP ASDR Project|OWASP ASDR Project]] a release quality document.

The ASDR is a reference volume that contains basic information about all the foundational topics in application security. It intends to replace and refresh [[OWASP Honeycomb Project|Honeycomb Project]] with a new structure for articles and relationship between categories, thus making it a release quality doc.

This idea raised when finished the [[Attack|Attack Reference Guide]] for [[OWASP Spring Of Code 2007|OWASP Spring Of Code 2007]], where it was identified that OWASP reference articles need some special attention. Jeff Williams is totally supporting this project.

We already have defined which type of article we should include on Desk Reference, as follows:
* [[:Category:Principle|Principles]]
* [[:Category:Threat_Agent|Threat Agents]]
* [[:Category:Attack|Attacks]]
* [[:Category:Vulnerability|Vulnerabilities]]
* [[:Category:Countermeasure|Countermeasures]]
* [[:Category:Technical Impact|Technical Impacts]]
* [[:Category:Business Impact|Business Impacts]]

*Road Map: A complete project roadmap can be found on '''[[ASDR Table of Contents|ASDR Table of Contents]]'''. Basically, the following activities should be performed, some of them already started:
** Define articles templates for each reference type
** Define subcategories for articles classification
** Compile first DRAFT version of ASDR Book
** Articles development & Call for Volunteers
** Articles revision
** First version of OWASP ASDR book

== OWASP Code review guide, V1.1 ==
* Eoin Keary,
'''Code Review Guide Proposal''':

'''Introduction:'''The code review guide is currently at version RC 2.0 and the second best selling OWASP book.
I have received many positive comments regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity.

It has even inspired individuals to build tools based on its information and I have convinced such people (Alessio Marziali) to open source their tool and make it an OWASP project.

The combination of a book on secure code review and a tool to support such an activity is very powerful as it gives the developer community a place to start regarding secure application development.

'''Proposal:'''
I am proposing that I improve the code review guide from a number of aspects. This should place the guide as a de facto secure code review guide in the application security industry.

'''Additional and expanded Chapters:''' 

'''Transactional analysis''' 
Expand chapter. 
Examples via diagrams. 

'''Threat Modeling and Analysis''' 
The approach to examining an application to be reviewed. 
Focusing on areas of interest. 

'''Example reports and how to write one''' 
How to determine the risk level of a finding. 

'''Automated code review''' 
Code crawler documentation and usage. 

'''Rich Internet Applications''' 
Expanded chapters on Flash, Ajax. 

'''The OWASP ESAPI (Enterprise Security API)''' 
What it is, Why use it. What to review. 

'''Code review Metrics:''' 
How to compile, use and analyse metrics. 
Rolling out metrics in the Enterprise. 

'''Integrating Code review with an existing SDLC'''
Integration of Secure Code review with an existing SDLC. 
Secure Code review roadmap definition. 
Documentation requirements. 
Scope definition. 
SDLC steering comittee establishment. 
Performace criteria, benchmarks and metrics. 
Integration of SDLC results into key IT governance areas. 
Critical success factors. 

== The OWASP Testing Guide v3 ==
* Matteo Meucci
* The OWASP Testing Guide v2 was a great success, with thousand downloads and many many Companies that have adopted it as standard for a Web Application Penetration Testing.
Now it's time to begin a new project that is based on v2 but improve it and complete it.

In the OWASP Testing Guide v2 we have split the set of tests in 8 sub-categories:

* Information Gathering
* Business logic testing
* Authentication Testing
* Session Management Testing
* Data Validation Testing
* Denial of Service Testing
* Web Services Testing
* AJAX Testing

The following are my thoughts about the new OWASP Testing Guide v3:

1) Authorization testing missing. As Jeff and Dave said many time before it's important to create a new category.
2) Information gathering is not a set of vulnerabilities --> not in report --> new category: Passive mode analysis
3) Infrastructural test --> new category
4) Web Services section needs improvement
5) AJAX Testing section needs improvement
6) New category: Client side Testing. AJAX and Flash Testing

* This [http://www.owasp.org/index.php/Image:Planning_OTGv3.doc document] analyze the OWASP Testing Guide v2 vulnerabilities and a plan for create the new v3.

== Code Crawler ==
* Alessio Marziali (aka nTze) 

'''Description''' 
This tool is aimed at assisting code review practitioners. It is a static code review tool which searches for key topics within .NET and J2EE/JAVA code.
The aim of the tool is to accompany the OWASP Code review Guide and to implement a total code review solution for "everyone"; Where "everyone" means "more" companies performing secure software activities. 
Key areas of improvement: 
'''Reporting''' 
- PDF
- Microsoft Office Compatible Word Document
- HTML

'''Scanning''' 
- Multiple File scanned at the same time 
-- Open Microsoft Visual Studio's Solutions 

'''Bigger Database''' 
Which will provide more information about the threats such vulnerability type (XSS,SQL Injection, Remote File Inclusion etc). 
'''Security Software Life Cycle''' 
A feature that will let you save the threats for each project/document, so the reviewer can check how the development is going from a “security prospective” during the entire software lifecycle. 

Improvement of the code scan system. 

== The Owasp Orizon Project ==
* Paolo Perego (aka thesp0nge),
* The Owasp Orizon Project,

'''Introduction'''

The [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Owasp Orizon Project] born in 2006 in order to provide a framework to all Owasp projects developing code review services.

The project is in a quite stable stage and it is usable for Java static code review and some dynamic tests against XSS.
Owasp Orizon includes also APIs for code crawling, usable for code crawling tools.

[http://milk.sf.net Milk] project is a java code review tool I'm writing using Orizon as background engine. Its goal is to show engine capabilities.

'''Objectives and deliverables'''

* plugin architecture for static code review library: this planned feature will be announced (hopefully, if my CFP will be accepted) to next Owasp European App conf.
* starting C# support
* upgrade from Alpha quality project to Beta quality project in accord to [http://www.owasp.org/index.php/Category:OWASP_Project_Assessment Owasp Project Assessment criteria]

'''Why I should be sponsored for the project'''

Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.

I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now. I'm a developer too so I understand also the "dark side" of the problem developing code with security in mind.

I work using the "release early release often" paradigm so to be concrete and let other people having something usable to work with.

In the last year Owasp Orizon evolved a lot with a good static code review engine and a lot of code was written to give Owasp guys the best framework as possible to be used for writing code review tools. I hope to pursuit my goals again with SoC 2008.

== Skavenger ==
* Matthias Rohr

'''Introduction'''

Skavenger is a web application security assessment toolkit which arised from many years of professional experience in the web application assessment field and is the result of nearly one your of work.

It passively analyzes traffic logged by various MITM proxies (such as WebScarab and Burp) as well as other sources (like Firefox's LiveHTTPHeader plugin) and helps to identify various kinds of possible vulnerabilities (such as XSS, CRLF injection, an insecure session management and several kinds of information disclosure). Skavenger's modular design allows the integration of custom scanning modules without any knowledge about the tool at all.

Skavenger is completely written in Perl and can be downloaded from:
https://sourceforge.net/projects/skavenger/

'''Objectives and deliverables'''

Here are some ideas:
* A GUI to monitor and analyze scanning results
* More sophisticated scanner modules (e.g. for better backend identification and more platform specific tests)
* Database integration
* API's to integrate modules in other languages (such as Python or Java).
* Better source integration with custom Firefox, Burp or (of course) WebScarab plugins

== OWASP .NET Project Leader ==
* Mark Roxberry

'''Project Proposal'''

Assume the lead of the OWASP .NET Project. Ensure that information, materials and software are relevant to building secure .NET web applications and services. Provide deep content for all roles related to .NET web applications and services including:

* Architectural guidance
* Developer tools, information and checklists
* IT professional content (for those that deploy and maintain .NET websites)
* Penetration testing resources
* Incident response resources

The OWASP .NET Project Leader will actively recruit .NET contributors, including personnel from Microsoft, but others throughout the .NET ecosystem. Including experts from communities from large companies to ISVs, from enterprise architects to ALT.NET developers will be important for the overall reach of the OWASP .NET project. Other communities to consider include developers who use Mono (.NET for Linux), including Moonlight (Silverlight for Linux).

The OWASP .NET Project Leader will actively contribute to the OWASP projects that require .NET resources, by recruiting resources or contributing to the project.

I propose to have the project active in 1-3 months, with continuous recruitment efforts for contributors for the life of the project. Metrics for success can include number of contributors, number of articles, search engine ranks for pages and site visit counts. For the application however, I will submit that within 3 months I can provide a baseline to set site goals for each metric.

'''Why I should be sponsored for the project'''

I have previously contributed to the OWASP Test Guide v2 project, providing content and reviewed content. I care about the OWASP mission. In fact, I have used the OWASP Top 10 to teach developers about vulnerabilities in web applications.

I have 15 years of technical leadership experience using Microsoft technologies. I have lead small and large teams as a technical lead, lead developer and architect on small and large projects. I am a Certified Information Systems Security Professional (CISSP) and a Certified Ethical Hacker. I am on top of current trends and required to be informed regarding .NET web development and security, including, for example ASP.NET MVC, Silverlight, Unity, Entity Framework. I am personally interested in providing security resources to .NET developers globally, specific and applicable to their projects.

== OWASP Backend Security Project ==
* Full name: Carlo Pelliccioni
* Project: OWASP Backend Security Project
* Project description:
:OWASP Backend Security Project is a new project created to improve and to collect the existant information about the backend security.
:The project is composed by three sections (security development, security hardening and security testing).
:The aim is to define the guidelines for the companies and IT professionals working in the security field into processes development and back-end components management/testing in the enterprise architecture.

* Objectives:

'''Overview'''
Create a section with an introduction about the project (high-level description) explaining the main
goals.

'''Development'''
Include the writings already existant in OWASP wiki concerning PHP,
JAVA and ASP.NET and extend the projects' sections with new contents.

'''Hardening'''
Create new guidelines about the dbms hardening

'''Testing'''
Include the writings already existant in OWASP wiki about security testing.
Create new articles about security testing.

== OWASP Classic ASP Security Project ==
* Juan Carlos Calderon
'''Executive Summary''' 
I am interested in making P018 - OWASP Classic ASP Security Project happen, Classic ASP 2.0 and 3.0 applications are still largely used as this technology is more than 10 years old and was largely used. there are thousands of sites on the wild that need guidance on the security arena. This is where OWASP can come up and provide help for “making the Web a better place” and continue spreading the word on security. I have always be a passionate of the technology (regardless of its inconveniences such as being old and DLL-hell prone) and I am really exited on the idea of sharing my knowledge of this area to the world and what best that though OWASP.

'''Objectives and Deliverables''' 
Create a secure framework for Classic ASP application by complementing existing OWASP projects with documentation for this particular technology and the creation of security libraries. More specifically:
* Creation of a Common Object Repository for ASP applications based on OWASP ESAPI Project including objects and/or references to libraries for security applications all this aligned with OWASP Top10 and OWASP Guide .
* Create Documentation aligned to OWASP Code Review Project Checklist providing additional technology-specific checks.
* Addition of expression for Code Review Tool to support Classic ASP applications.
* Implementation of Version 1 of Stinger for ASP either by using an installable COM library or ISAPI.
* This same module will compliment the OWASP Validation Documentation Project.

'''Why should I be sponsored for the project?''' 
I have 10 years of experience on Web technologies. During 8 years I have performed and leaded hundreds of Security Source Code Reviews and Black box testing on Web Applications. On my current job I lead 30 people in diverse locations all of them working on the Application Security arena, so I am accustomed to execute and deliver.

Also I’ve had close contact with OWASP since 2005
[https://lists.owasp.org/pipermail/owasp-spanish/2005-March/000069.html] by making possible the translation of OWASP Top 10 2004 [http://www.owasp.org/index.php/Top_10_2004] and OWASP Testing Guide V1.17 [http://www.owasp.org/docroot/owasp/misc/testing_spanish.pdf] to Spanish.

== Internationalization Guidelines and OWASP-Spanish Project ==
* Juan Carlos Calderon
'''Executive Summary''' 
The main goal of OWASP is to spread the word about security (“Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks.”) and OWASP has done great work so far :). And now it’s time for a next big step.

The number of native and secondary speakers in the world for Chinese, Spanish, French, Russian, Arabic and Indi languages are estimated in similar number to English speaking or even more (Some References at [http://en.wikipedia.org/wiki/Ethnologue_list_of_most_spoken_languages Ethnologue], [http://encarta.msn.com/media_701500404/Languages_Spoken_by_More_Than_10_Million_People.html Encarta], [http://en.wikipedia.org/wiki/List_of_languages_by_number_of_native_speakers Wikipedia]). I think is a good time for OWASP to reach those that do not speak English to have full access to all the OWASP materials, not just a couple of documents.

OWASP, while open to translations, do not have clear guidelines on how to translate OWASP contents and (AFAIK) there is no multi-language support in OWASP.org site. This is understandable as there is no formal project for internationalization so far.

'''Oportunity and Effort''' 
This is great opportunity to make Spanish the first language on which the OWASP site and documentation is fully translated and at the same time share the experience with other people interested in the same objective, Bring OWASP to the world. And this is something I’ve being pushing for some time ago and that could be possible “at once” via SoC 2008.

I understand this is significant effort so to have it done I will count with the help of 6 people (friend of mine, all of them Security auditors with excellent English level) plus a few well known contributors from OWASP-Spanish effort, so the founding will be divided among the people involved in the same proportion of the work they do for the completion of this effort. This, to encourage delivery.

'''Objectives and Deliverables''' 
* Team up with Larry Casey to implement Multilanguage support in OWASP.org Mediawiki.
* General Guidelines on minimum/recommended requirements to start a new language translation for OWASP Document and Site Pages
* General Guidelines on minimum/recommended requirements to implement internationalization and localization ([http://www.w3.org/International/ i18n]) on OWASP Software
* Full translation to Spanish of all the release-level document projects. Those are:
** Top 10 2007
** Guide 2 (Already translated)
** Testing Guide (Already Translated)
** Legal
** FAQ
* Full Translation of major sections of OWASP Site
** Project Main Pages (Release, Beta and Alpha levels for both documents and tools projects)
** Principles
** References Section
** Conferences
** News (Those currently displayed in OWASP site)
** About OWASP
* Evaluation of Spanish translation approach for WebGoat and WebScarab and delivery of this document to Bruce and Rogan for possible implementation in near future.
* Leverage for deploy of es.owasp.org, the domain already exists but is not redirecting correctly.
* Create a Communication strategy to help and keep track on new pages or changes in significant pages so all the translations are in sync.

'''Out of Scope''' 
Translation of the following sections are NOT in Scope
* Local Chapters Pages
* Presentations
* Conferences
* Videos
* Blogs
* All the projects deliverables in Alpha and Beta Stages
* All the documentation “on development” like Guide Version 3.0
* Translation of Pages, documentation or tools to other language other than Spanish according to the stated in above section.

'''Why should I be sponsored for the project?''' 
I’ve being part of contributions to OWASP documents on the translation arena since 2005 [https://lists.owasp.org/pipermail/owasp-spanish/2005-March/000069.html], a few of them by making possible the translation of OWASP Top 10 2004 [http://www.owasp.org/index.php/Top_10_2004] and OWASP Testing Guide V1.17 [http://www.owasp.org/docroot/owasp/misc/testing_spanish.pdf] to Spanish. It is time to make the full job done :).

I have 10 years of experience on Web technologies. During 8 years I have performed and leaded hundreds of Security Source Code Reviews and Black box testing on Web Applications. On my current job I lead 30 people in diverse locations all of them working on the Application Security arena, so I am accustomed to execute and deliver.

== The Ruby on Rails Security Guide v2 ==
Heiko Webers

The last security guide for Rails [http://www.owasp.org/index.php/Category:OWASP_Web_Application_Security_Put_Into_Practice] was a great success, with a lot of more secure web applications and continued awareness in the community of security issues. The Ruby on Rails Security Project [http://www.rorsecurity.info/] is the one and only source of information about Rails security topics, and I keep the community up-to-date with blog posts and conference talks in Europe. The Guide and the Project has been mentioned in several Rails books and web-sites.

Version 1 of the Ruby on Rails Security Guide was sponsored by the SpoC 07, set the standard for OWASP programming language specific guides in terms of the topic outline and has been published as a book [http://www.lulu.com/content/1412042]. Nevertheless I'm convinced that a more compact design and a "question-and-answer" style of writing will reach an even larger audience. Of course the new Guide will still include answers to the OWASP Top Ten security vulnerabilities.

A lot has changed since the publishing of the first Guide. Some new security holes have been found, there are new advises and most importantly Rails version 2.0 has been released. The new Ruby on Rails Security Guide aims at providing an up-to-date coding and configuration guide for the Rails community.

In the new Rails Security Guide I'd like to
* update the entire book to match Rails 2.0
* cover new topics, including, but not limited to:
** Intranet and administration interface security,
** phishing,
** real-world attack situations,
** short excursus on server monitoring,
** the new CookieStore session management,
** vulnerabilities in popular plug-ins,
** denial-of-service attacks
* cover all OWASP Top Ten security vulnerabilities
* a more compact writing style, more examples and "questions-and-answers"
* introduce the OWASP and Rails security to a greater audience

== OWASP Application Security Verification Standard ==

*Mike

'''OWASP Application Security Verification Standard Proposal'''

'''Educational and professional background'''

The applicant is a hands-on senior professional services manager with a trademark of
developing creative solutions to complex application security-related technical problems.

'''Application security experience and accomplishments'''

The applicant has a background in trusted product evaluation:

*CC evaluation
*CC evidence development, including operating system test code development
*CC project management
*TCSEC evaluation
*TCSEC project management
*TEF management
*CCTL management

The applicant also has a background in security-related software development and integration:

*PKI toolkit development
*PK-E application integration
*Secure web portal application development
*Secure web portal integration
*Secure instant messaging application development, including three patents

The applicant also has a background in cryptomodule testing:

*FIPS 140 evaluation
*FIPS 140 evidence development

'''Participation and leadership in open communities'''

The applicant does not have experience in contributing to open communities.

'''The opportunity, challenges, issues or need your proposal addresses'''

OWASP is looking for a commercially-workable open standard for performing application security verification efforts. The problem is that there is a huge range in the coverage and level of rigor available in the market, and consumers have no way to tell the difference between someone just running a grep tool, and someone doing painstaking code review and manual testing. So, a standard is needed.

'''Objectives or ways in which you will meet the goal(s)'''

The applicant’s proposal will address the above challenges as follows:

*The applicant will define an evaluation framework that may be used to conduct OWASP Application Security Verification Standard certifications.
*The applicant will define an OWASP Application Security Verification Standard which defines levels that applications may be certified against.

'''Specific activities and who will carry out these activities'''

The applicant will carry out these activities. Please see below for a proposed list of specific deliverables.

'''Specific deliverables and a rough project schedule so we can track progress'''

The applicant proposes the following deliverables:

*'''Scheme Overview document.''' This will define the overall framework with roles, responsibilities, and processes.
*'''Evaluation and Certification document.''' This will describe the evaluation and certification process.
*'''Conditions for the Use of Trademarks.''' This will describe OWASP’s name, logo, and certificate may be used and referenced.
*'''Evaluation Report Content Requirements.''' This will describe the content requirements of evaluation reports.
*'''OWASP Application Security Verification Standard.''' This will define the levels that applications may be certified against.
*'''OWASP Application Security Verification Standard Appendix A.''' This will define the required content of the OWASP Application Security Verification Standard Security Policy.
*'''Policy Letter #1. Acceptance of Security Policies into OWASP Evaluation''' This will define the requirements to be listed as in evaluation on the OWASP web site.

The applicant proposes the following rough project schedule:

*2nd April. Project kickoff.
*15th June. Alpha Quality drafts of Scheme Overview document and of OWASP Application Security Verification Standard document completed.
*31st August. Project completion. Beta Quality drafts of all documents completed.

'''Long-term vision for the project'''

The long-term vision for the project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing application security verification.

'''Any other reasons why you and your project should be selected.'''

The applicant has a uniquely-qualified perspective given his experience with TCSEC, TTAP, CC, FIPS 140-1, and FIPS 140-2 evaluation programs, and his real-world perspective as a developer and integrator of security-related applications.

== GTK+ GUI for w3af project ==

''Facundo Batista''

'''Your educational and professional background'''

I'm Electronic Engineer with a Master in Engineer Innovation in
Bologna University, Italy. I live in Buenos Aires, Argentina, and love
reading books, playing tennis, and programming Python.

I worked in a mobile company for six years, in the Network Management
department, then I was Chief Developer of a Mobile Content Provider,
and now I'm Solution Architect in Multimedia & Systems Integration in
Ericsson. Also I was professor in several universities, high schools
and other institutions.

'''Application security experience and accomplishments'''

None, more than working in w3af. However, my proposal here is not
related to the security part of the product, but to its graphical
interface and usability.

'''Participation and leadership in open communities'''

I'm very involved in the free software and open source community. I'm
a Python Core Developer and member of the Python Software Foundation
by merit. I have a long history of talks given in several
international (PyCon, EuroPython) and national (a lot!) conferences. I
also teach Python in educational institutions, enterprises and as a
private instructor. I founded Python Argentina, the national users
groups, and I'm a very active member of it.

I also lead other open source projects (SMPPy, SiGeFi, etc.) and
particpate in others (Docutils, w3af itself, etc.).

'''The opportunity, challenges, issues or need your proposal addresses'''

My main objective is to minimize the effort and learning curve of
using w3af, providing a very usable graphical interface.

Note that as the interface is cross platform, being usable also in the
win32 environment, it will help to popularize the w3af project.

This will allow users without information security knowledge to verify
that their web applications are correctly programmed and configured.

'''Specific activities and who will carry out these activities'''

I will carry the following activities, detailed later in smaller steps:

- Design and code new windows and interfaces to increase the functionality of the project.

- Tuning of the process workflow, allowing a more intuitive way of working.

- Visual polishing for a more pleasant and intuitive tool.

- Usability tests and improvements.

'''Specific deliverables and a rough project schedule so we can track progress'''

''New features implemented in the pyGTK user interface:''

- Local proxy to trap and modify requests and responses sent from a browser.

- Manually send a request and analyze the response.

- Manually create a fuzzed requests based on tokens, so user can construct easily differents HTTP request with a regex-like semantics.

- Wizard to perform a vulnerability assessment.

- Graphical display of site map and vulnerabilities.

- Reload a plugin after its edited from within the pyGTK user interface.

- Embebed tool to encode/decode URL/Base64 and to hash sha1/md5.

- HTTP response side by side content compare.

''Usability improvements in the pyGTK user interface:''

- Meetings with a usability expert that the w3af team leader has already contacted and worked with.

- Kill all pending bugs and make a stable release.

''Documentation:''

- Users guide for the pyGTK user interface.

- Help system for the GUI itself

'''Long-term vision for the project'''

To provide the web application security community with a stable and fully
featured framework to perform all the tasks included in a penetration test
from within the project.

'''Any other reasons why you and your project should be selected'''

w3af is one of the most active web application security projects;
the community that supports it is growing and we need the support of
already established organizations like OWASP to keep working at the
rate that we want to.

== P006 OWASP Corporate Application Security Rating Guide and P025 OWASP Positive Security Project ==

by Eduardo Vianna de Camargo Neves

'''Executive Summary'''

A common approach on most companies is to increase the protection of their assets after the occurrence of a considerable impact. However some companies learned that a positive approach on IT Security is most effective and can reduce the financial costs on responses to security incidents. Benchmarking the application security practices on the corporate world will allow us to understand what steps are required to keep the IT environment protected, using this knowledge to create a public Security Rating Guide that can be used to support the establishment of a security baseline within the community.

Moreover the information from this analysis can be used to support the development of a campaign to spread a positive security posture in the market. The liaison with companies that maintain good security practices will help to start this initiative from a higher degree and involve several actors on the security stage for the same direction to a market were security is understood as a business value.

'''Approach'''

Assessing public materials from the Top 50 Companies and Top 50 Software Companies, a rating guide will be produced showing tangible metrics that are achieved by those companies and allow them to be considered secure enough on a comparison to a baseline of good practices. As a result the Corporate Application Security Rating Guide will be produced and published for the community and the deliverables used to support the development of the Positive Security Project with facts from a real analysis.

'''Benefits'''

The whole community will be benefited from these initiatives. With the adequate support from OWASP to maintain the projects active and liaise with big players on the market, we can expect the following:

• The community will receive a Security Rating Guide that will allow them to compare their own security practices within the market. As this will be a public document, suppliers and buyers worldwide will share the same information allowing them to adequate the expectations on the usage of security services and tools.

• The Security Rating Guide can be used as a marketing tool by the companies, allowing them to sell security as a business value and avoiding the old-fashion and inadequate FUD approach.

• The knowledge and relationship developed during the production of the Security Rating Guide will allow us to produce the deliverables on Positive Security Project with real information, increasing the credibility of the initiative for the market.

• The Security Rating Guide and the Positive Security Project can be walk in parallel, merging their information to support a concise and continuous marketing campaign to encourage a positive approach on the market.

• As an open community free from commercial pressures, OWASP can use both projects to support the evaluation of security products for the market, allowing the organization to receive profits from these services and support current and future projects.

'''Summarized Work Breakdown Structure (WBS)'''

All the activities will be leaded by Eduardo V. C. Neves, which will be responsible as a single point of contact with the sponsors and to manage a team of compromised volunteers from OWASP community and participants from security communities and associations (i.e. ISSA, SANS and ISC2).

The activities will be carried on WBS summarized bellow. Dates presented should be considered as deadlines for the activities:

• Criteria establishment and definition of the Top 50 Companies and Top 50 Software Companies (April 11)

• Assessment of public materials to support the ranking establishment (April 18)

• Establishment of the Corporate Application Security Rating Guide (April 25)

• Publishing of the Corporate Application Security Rating Guide on OWASP web site and promotion over adequate channels (i.e. publications, blogs and associations) (May 09) (1)

• Criteria establishment and approval of marketing templates for Positive Security Project (May 16) (2)

• Development of the Positive Security Project material (i.e. blog and marketing sheets) (May 30)

• Liaison with the OWASP Members, Top 50 Companies and Top 50 Software Companies to present the project and negotiate their participation as supporters, sponsors or contributors. (June 27)

• Update on Corporate Application Security Rating Guide, including their score on Positive Security approach (July 4)

• Presentation of the Positive Security Project approach and Corporate Application Security Rating Guide on the market (July 31) (3)

• Conference calls with team members to evaluate the results of the initiatives in all countries and produce project´s documents (i.e. lessons learned, update on marketing material and evaluation of alternative approaches for the future steps). (August 15)

• Prepare project documentation and present to the OWASP community on the web site (August 31)

''(1) Support from OWASP Foundation is required to liaise with companies and associations worldwide

''(2) Support from OWASP Foundation and community are required to evaluate adequate marketing templates and translate original documents for their own languages''

''(3) Support from OWASP community is required to spread the word on all countries were OWASP members are located.''
'''''

'''Project Control'''

The project will be managed following PRINCE2 Process Model and all control documents published for the OWASP community. The following mandatory project control documents are planned:

• Project Initiation Document: To document project´s background, definition, objectives, approach, etc.

• Communication Plan: To assure that OWASP Community are being continuous communicated about project status and deliverables achievement.

• Highlight Report: To provide the OWASP Community with a summary of the project status, progress and potential problems or areas where help may be required.

• End Project Report: To present project achievements. Should be considered the final project report.

More documents may be included during project development to support the control and assure a high quality level (i.e. issue log, project approach).

'''Long Range Plan'''

Both projects should walk in parallel and be used as tools to support efforts to encourage and make the positive approach a reality on the IT Security field. These initiatives shall be supported by OWASP as long term plans and grow to a continuous world-wide campaign in this direction that must achieve big players on the market and be recognized by the community as a tool that must be used to evaluate security enabled companies and products.

'''Why me?'''

Can be me, you or anyone that carries these projects in a professional fashion and assure that all deliverables are being achieved. The most important parts is to make it happen, talk and get the support from reputable associations and large companies (OWASP Members are a good start) and lead it as a long range responsibility.

I am running to win this project because I believe in all of this. I see both as very valuable initiatives that can help companies to make more business; people to get more jobs and the whole community to win in a scenario where our contributions on the security market are recognized as business tools.

'''About me'''

Information Security professional and enthusiastic with 15 years dedicated to achieve expressive results in the areas of IT, Information Security, Compliance and Project Management. A CISSP in good stand and Officer at the ISSA Brazilian Chapter, my professional career gave me extensive knowledge in several fields of Information Security with accumulated experience at consulting firms, as CSO at a world player company on consumer goods market and now as an entrepreneur at Latin American market.

''Application security experience and accomplishments''

My work experience is on Security Management, Risk Assessment, Business Continuity and Disaster Recovery, Security Awareness and other managed-related fields on our industry. I don’t have hands-on experience on application security and this is the main reason why I am running to be qualified on the project described bellow, where I believe that my skills can be used to achieve an excellent result for the community.

''Participation and leadership in open communities''

• Member of OWASP Brazil where I made some small contributions in a recent past.

• Member of ABNT/CB-21/SC02 committee, Brazilian ISO representative for 27001 and 17799 standards

• Officer of ISSA Brazil Chapter where I am responsible for the South Region and as the editor of Antebellum, the ISSA Brazil Journal

• Founder and member of GISI-PR, an open community focused on discuss and promote Information Security initiatives within Paraná State, Brazil

== P017 - OWASP AppSensor - Detect and Respond to Attacks from Within the Application ==
'''Name'''

Michael Coates

'''Project'''

P017 - OWASP AppSensor - Detect and Respond to Attacks from Within the Application

'''The opportunity, challenges, issues or need your proposal addresses, '''

As critical applications continue to become more accessible and inter-connected, it is paramount that the information be protected. We must also realize that our defenses may not be perfect. Given enough time, attackers can identify security flaws in the design or implementation of an application. In addition to implementing layers of defense within an application, it is critical that we identify malicious individuals before they are able to identify any gaps in our defenses. The best place to identify malicious activity against the application is within the application itself.
Network based intrusion detection systems are not appropriate to handle the custom and intricate workings of an enterprise application and are ill-suited to detect attacks focusing on application logic such as authentication, access control, etc. The application itself is the best place to identify and respond to malicious activity.
This project will create the framework which can be used to build a robust system of attack detection, analysis, and response within an enterprise application

'''Objectives or ways in which you will meet the goal(s), '''

I plan to use a methodical approach throughout the creation of this resource. I will reference my own professional experience, OWASP resources, ESAPI, and academic materials to identify a robust set of potential attacks and identification methods. Thresholds will be recommended for each of the detected attacks. Each recommended threshold value and response recommendation will be accompanied with additional information to describe the purpose of the threshold and recommendation. This additional information will allow the reader to determine if the threshold is appropriate for their implementation.

'''Specific activities and who will carry out these activities, '''

I will complete the following activities:
1. Identify and define attack patterns against applications
2. Document points of detection within the application for the attack patterns & identify key information to log
3. Create thresholds for generating security alerts
4. Define recommended response actions for the security alerts

'''Specific deliverables and a rough project schedule so we can track progress, '''

April 2, 2008 - Project Begins

April 2, 2008-April 12, 2008 - High level planning & design

April 12, 2008-May 1, 2008 - Identify and define attack patterns against applications

May 1, 2008-June 1, 2008 - Document points of detection within the application for the attack patterns & identify key information to log

June 1, 2008-June 13, 2008 - Pier Review & Revisions

June 15, 2008 - Status Report

June 16, 2008-Aug 15, 2008 - Create thresholds for generating security alerts

June 16, 2008-Aug 15, 2008 - Define recommended response actions for the security alerts

Aug 16, 2008-Aug 30, 2008 - Pier Review & Revisions

Aug 31, 2008 - Project Complete

'''Long-term vision for the project, '''

1. I’d like to include a tiered type approach of thresholds and responses. This is would be similar to the approach used by FISMA of defining different controls for High, Medium, and Low systems.

2. Building on item #1, I want to eventually include a system which lets the user provide information about their system. This information could include rating or prioritizing different security concerns. a customized set of monitoring points, thresholds and response actions can be recommended for the application based on the provided data.

'''About Me'''

'''Education & Professional Background'''

Masters of Science in Computer, Information and Network Security – DePaul University
(Expected Graduation 2009)
Bachelor of Science in Computer Science – University of Illinois
Extensive experience in conducting black and white box security reviews of complex applications and networks for major financial organizations and international telecoms. I also have experience working as the primary investigator of attacks against a multi-national organization with IDS sensors in networks throughout the world. In addition, I have experience working with several regulatory controls and security standards (FISMA, NIST, GLBA etc). My experience as an ethical hacker and incident responder puts me in an excellent position to tackle this project.

'''Application security experience and accomplishments'''

I am a Senior Computer Security Engineer with Aspect Security where I perform security code reviews and application security testing against a variety of platforms. Prior to working with Aspect Security, I was heavily involved in the discovery and exploitation of application vulnerabilities during black box ethical hacking assessments for numerous clients.

'''Participation and leadership in open communities'''

I am a member of OWASP and attend Chicago OWASP chapter meetings. I also attend ChiSec, an informal meet-up of security professionals in the Chicago area. In addition, I interact with the community through my security blog. http://michaelcoates.wordpress.com.

'''Any other reasons why you and your project should be selected. '''

I created a similar framework while working within a Security Operation Center. I created attack scenarios, identified relevant IDS events, defined thresholds and appropriate response action for the Security analysts.

'''Requested Reviewer - Eric Sheridan, Application Security Consultant at Aspect Security, Inc.'''

Eric Sheridan is an Application Security Consultant at Aspect Security, a consulting services company specializing in application security. At Aspect Security, Eric specializes in execution of security verification assessments and the establishment of security activities throughout the development lifecycle. In addition, Eric is an instructor in Aspect’s portfolio of Application Security Courses. Eric is also an active participant in OWASP whose contributions include work with projects such as WebGoat, Stinger, CSRFGuard, CSRFTester, and the SASAP project from OWASP SPoC 2007. Eric was also a featured speaker at the 2007 OWASP/WASC San Jose conference.

Contact Information: eric dot sheridan 'at' owasp dot org

== OWASP Interceptor Project - 2008 Update ==

by Justin Derry

http://www.owasp.org/index.php/Category:OWASP_Interceptor_Project

'''Executive Summary'''

The OWASP Interceptor project was originally written by myself and donated to the OWASP project. Since it has been online numerous people have downloaded the tools and used the code/toolkit. Currently the industry has very limited “XML” or SOAP client testing tools that are designed specifically to perform XML interception and manipulation. The Objective of the Interceptor project is to provide a strong tool for performing XML penetration tests against Web Service (or XML/SOAP) endpoints. The tool should not replace other proxy interception tools such as Charles, Web Scarab and so on, but be purely focused on handling and reading XML structures from clients.

The Interceptor tool includes a “swiss-army” knife of features that will help with decoding/hash generation and interpretation of XML code. The key objective is to make a tool that can assist with the collection, inspection and attack replay of XML requests against service endpoints. This year it’s time for an update. The tool doesn’t run on Vista and needs a number of back-end features addressed as well as some help files etc. (Help to get the tool out of BETA status).

'''Objectives this year'''

This year I see the following objectives in the application code base.
• Get the Interface to run on all Window Platforms (.NET) Win2000, XP and Vista;

• Update the TCP handle libraries to be faster

• Update the XML Parser engine to support the latest structures

• Provide a “default” attack database of known XML attack methods (this is a big one)

• Write a number of help files on how to use the tool

• Update the toolkit BASE64 Decoder, XML Generators etc with further tools

• Write a better “reporting” engine to show the result of simulated attack responses

• Better HTTP support for Manipulation, Authentication and Header Injection etc

• Better support for interception and handling AJAX XML requests

These are the core features I would like to introduce, with also further to probably come as a part of the project.

'''Why should I be sponsored for the project?'''

The current development cycle stopped due to limited time and the need to purchase the IDE tools to develop the interface in .NET. As a Summer of Code 2008 sponsored project we can get the IDE interface tools to implement “Vista” features that will see the tool run on all .NET platforms (Win2000, XP and Vista). Recent changes in my job will allow me to spend more time on developing the toolkit.

Over a number of years I have been involved with OWASP, whilst most recently getting involved with running the OWASP Australia Security Conference for 2008, as well as the Brisbane Chapter. I am also working in the Asia Pacific RIM to further increase the awareness of OWASP and Application Security. My Conference duties for the year have finished up (till planning starts again in a couple of months) so my time can be invested in updating the toolkit.

I believe during the previous years, i have shown OWASP that i am willing and able to produce a quality outcome and i am prepared to put the effort into OWASP to acheive the goals set out for this project.

Some of the Sponsorship money for the project would go to purchasing a specific toolkit for the UI. (The UI is important simply because we want the application to be user friendly). Xceed Components provide a Smart UI as well as some of the decoding and compression features the tool needs. This would require us to approach them upfront for a “free” licence or use some of the Sponsorship money to buy the toolkit. But we can tackle that problem when we come to it.

== SQL Injector Benchmarking Project (SQLiBENCH) ==

by Mesut Timur & Bedirhan Urgun

'''Prelude'''

There're a lot of and great open source tools (takeover/dumpers/hybrid) for taking advantage of an sql injection vulnerability both used by web application security specialists and attackers.
Techniques used, databases supported, algorithms employed and abilities implemented by these "sql injectors" greatly varies. Standardization is one of the abstract goals of OWASP and we think it's important to standardize general vulnerability techniques exists in web applications and one of the biggest one is sql manipulation.
In our effort, we aim to produce a standardization of techniques used in exploiting sql injection by automatic tools.

'''Proposal'''

The goal of the project is to create a detailed set of benchmarking criterias for automatic sql injection tools and applying these to a set of open source sql injectors, producing analysis/benchmarking reports.
Additionaly, in a semi-academic manner, algorithms used by several sql injectors will be analyzed both implementation and complexity vise.

'''Deliverables And Project Schedule Milestones'''

Two set of documents will be produced. One of them will include the benchmarking criterias and the other will comprise of analysis of selected sql injectors against the benchmarking criterias.
Moreover, an interactive visual data flow diagram, giving hints to testers about which tool should be used under which circumstances, will be implemented with web-based technologies such as jquery library.

April 03 Project Kickoff

April 03-30 Determination of the benchmarking criterias

May 01-15 Producing a test environment image with 5-6 rdbms (MSSQL Express, Oracle Express, DB2 Express, MySQL, PgSQL, etc.) and a vulnerable application (which will support different sql injection types, databases and include logging capabilities)

May 15-31 Selecting and installing automatic sql injectors onto the test system and starting to use them on vulnerable application

June 01-30 Analysing tools and applying benchmarking criterias, contacting the authors as we proceed

July 01-31 Producing reports for benchmarking criterias and tool analysis

'''About Us'''

We're part of OWASP-Turkey. [http://www.h-labs.org Mesut Timur] is a junior in the Computer Engineering Dept. of [http://www.gyte.edu.tr University of GYTE] and [http://www.webguvenligi.org Bedirhan Urgun] is a web/application security specialist in [http://www.uekae.tubitak.gov.tr TUBITAK-UEKAE].

== Bunyamin Demir – OWASP WeBekci Project ==

==== Executive Summary: ====

Web application firewalls (WAF) are gaining importance among the information security technologies designed to protect web sites from attack. WAF solutions prevent attacks that network firewalls and intrusion detection systems can't and they require no modification of application source code. ModSecurity [http://www.modsecurity.org/] is an open source web application firewall that runs as an Apache module. It is an embeddable web application firewall and it provides protection from a range of attacks against web applications. It is an open source project available to everyone; it however does not come with an admin panel.

I decided to provide this essential tool with a control panel which I believe will ease and thus encourage its usage.

ModSecurity allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure. My main goal is to analyze attacks and generate rules to change the configuration of the ModSecurity accordingly.

ModSecurity has a feature called “flexible rule engine” as its heart of Attack Prevention capability . It uses ModSecurity’s “Rule Language,” (a programming language designed to work with HTTP transaction data). It is easy to use and flexible; yet the system administrators need to learn its own rules to create what is called “Certified ModSecurity Rules” to be implemented. My control panel will automate the major code-generation in Rule Language.

==== Objectives and Deliverables: ====

* '''Configuration''' : Most of the configuration parameters will be managed through the web interface
* '''Rule Generator''' : Basic rules will be generated using the web interface
* '''Core Rule Integration''': Core rules will be added to the database for use
* '''Logging and Reporting''': Apache error log and modsec_audit log will be parsed and presented to the user thru the web interface
* '''DB Support''' : MySQL

==== Why I should be sponsored for the project: ====
Being a SpoC2007 project, it couldn't be implemented mainly due to a job change and therefore lack of time. With the help of Bedirhan Urgun we'll be able to produce a quality web admin panel GUI for a same host modsec installation infrastructure. We are both part of OWASP Turkey [http://www.owasp.org/index.php/Turkey] and tried to produce a great deal of awareness both about web security and OWASP with both documents/chapter meetings/email list and mini-conferences.

Turkey

2007-10-22T20:03:57Z

Bunyamin:

Turkey

2007-09-03T21:03:34Z

Bunyamin: /* Next Event - OWASP DAY: on the topic of "Privacy in the 21st Century" - September 8 (Turkey 2007) */

{{Chapter Template|chaptername=Turkey|extra=The chapter leader is [mailto:bunyamindemir@gmail.com Bunyamin Demir], [mailto:ferruh@mavituna.com Ferruh Mavituna]
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-turkey|emailarchives=http://lists.owasp.org/pipermail/owasp-turkey}}

== Local News ==

Ceviri projesine yardim etmek isteyen arkadaslar lutfen [mailto:bunyamindemir@gmail.com iletisime] geciniz.

== Sponsors ==

[http://www.pro-g.com.tr http://www.owasp.org/images/a/a9/Turkey_Chapter_Sponsor1_Pro-G.gif]

== Next Event - OWASP DAY: on the topic of "Privacy in the 21st Century" - September 8 (Turkey 2007) ==

As a part of the Global Security Week, OWASP Turkey chapter will be holding a humble meeting on Saturday, 8 September 2007. Less technical and time taking compared to last event ([http://www.owasp.org/index.php/1st_Web_Security_Days_OWASP_Turkey Web Security Days]) we will be focusing on the current snapshot of the privacy related issues in the govermental/quasi-governmental and private institutions of Turkey.

Here's the "still in process" agenda:

* 14:00 - 14:10 Prelude. Introduction of OWASP DAY and OWASP Turkey projects

A small introduction to OWASP Day meeting and its goals, plus explanation of some of the lightweight projects of OWASP Turkey.

Bedirhan URGUN, Bunyamin Demir

* 14:20 - 14:50 Privacy in Governmental Insitutions - A Current State Analysis

Presentation will discuss the understanding of the privacy concept settled in governmental institutions and deliberate on general information security problems related with privacy issues.

Getting off with general privacy problems, in specific, information about the privacy issues related to web applications will be given. Moreover, concrete suggestions on providing a solid privacy in these institutions will be presented.

Hayrettin BAHŞİ
Chief Researcher CC Lab-UEKAE TUBITAK

* 15:00 - 15:50 Secure Web Application Development

Korhan Gurler
Researcher PRO-G

* 15:00 - 16:00 A Panel on Privacy in Turkey

OWASP-Turkey Members

== Last Event - 1st Web Security Days - July 14 (Turkey 2007) ==

First of the [http://www.owasp.org/index.php/1st_Web_Security_Days_OWASP_Turkey Web Security Days] has been realized by Owasp-Turkey chapter on 14th of July 2007 in İstanbul. With a ~70 registered attendees, it was great to have a pack of web security oriented people for a five hours of mostly technical presentations.

[http://www.owasp.org/index.php/1st_Web_Security_Days_OWASP_Turkey For details...]

== Last Meetings ==

'''Sunday 6 May 2007''' 
'''Time:''' 11:15-12:30 

'''Address''' to the meeting are:

[http://www.metu.edu.tr Middle East Technical University] 
Ankara-Turkey 
 

'''Presentation''' 

Web Application Security with ModSecurity and OWASP

OWASP Day

2007-09-03T21:01:50Z

Bunyamin: /* Global Agenda (19 Chapters participating) */

== OWASP Day : Worldwide OWASP chapter meetings on the topic "Privacy in the 21st Century" (5th till 12th September 2007) ==

'''OWASP Day''' is the title given to the 17 chapter meetings (hosted by 19 OWASP Chapters) staged during the [http://www.globalsecurityweek.com/ Global Security Week].

== Global Agenda (19 Chapters participating) ==

* '''Wed 5th'''
** [[Israel]] (16:45 / 19:30)
*** "Straight from Blackhat: Dangling Pointers" , Jonathan Afek , Watchfire
*** "Evasive Crimeware attacks, Business drivers, and Proposed Defense" , Iftach Amit , Finjan
*** "Content Injection as a solution for client side browser vulnerabilities" , Ofer Shezaf , Breach Security (Israel chapter Leader)
** [[London]] (18:30 / 21:30)
*** "For my next trick... hacking Web2.0", Petko D. Petkov (pdp), GNUCITIZEN
*** Panel: "Privacy in the 21st Century?", moderator: Ivan Ristic
*** Panel: "Future of the OWASP London Chapter"

* '''Thu 6th'''
** [[NYNJMetro]] (17:30 / 21:00)
*** "Financial Real-Time Threats: Impacting Trading Floor Operations"
*** "JBroFuzz: Effective Fuzzing for Network and Web Applications" , Dr. Yiannis Pavlosoglou , Information Risk Management
*** "Stock fluctuation from an unrecognized influence" , Justine Bone-Aitel , Immunity Security
*** "Hackers...BotNets oh My! Obtain a briefing on the current BotNet investigations etc.", NYC FBI Cyber Crime Unit
*** "Why today's vulnerability assessments are failing and a case for industry standardization"
*** "Blackhat/Defcon", Tom Brennan (President OWASP NY/NJ Metro)
*** Panel: "Global Security Week What is the current state of Privacy on Web Application Security? What should we be focusing on?"
** [[Belgium]] (12:30 / 19:30)
*** pre-event: "Getting started with WebGoat & WebScarab" ,Erwin Geirnaert , ZION Security
*** "OWASP Evaluation and Certification Criteria Draft" , Mark Curphey (OWASP founder)
*** "Automated Web FOO or FUD?" , David Kierznowski, GNUCITIZEN
*** "OWASP Pantera Unleashed" , Simon Roses Femerling , Microsoft
*** "CLASP, SDL and Touchpoints Compared" , Bart De Win, DistriNet research group
*** "Threats of e-insecurity in Belgium and the Belgian response" , Luc Beirens, FCCU
*** "For my next trick... hacking Web2.0 (pdp)" , Petko D. Petkov (pdp), GNUCITIZEN
*** "Panel Discussion: “Privacy in the 21st Century?", moderator: André Marien , Verizon Business - Cybertrust
** [[Washington DC]] + Northern VA (13:00 / 18:15)
*** "Honeyclients and Malicious Web Servers" , Kathy Wang , Mitre
*** "A malcode perspective on web application privacy" Blake Hartstein , iDefense
*** "Practical Web Privacy with Firefox" , Chuck Willis , Mandiant
*** "A sneak peak at Jeff's new "Enterprise Security API" , Jeff Williams , Aspect Security (OWASP board member & Chairman)
*** "Digital Rights Management" , James Stibbards , Cloakware
** [[San Antonio]] (11:30 / 13:00)
*** "Developing an Application Security Strategy for Large Enterprise Systems" , Bruce Jenkins, Fortify Software
** [[Seattle]] (18:00 / 21:00)
*** "Online Banking" , Rob Rachwald , Fortify
*** "Web Hacking 101", Damon Cortesi , IOActive
** [[San Jose]] + San Francisco (17:00 / 20:30)
*** Workshop: "Malicious Code Injection Workshop" , Siva Ram , AppSec Consulting ; Arian Evans ,WhiteHat Security
*** Panel: "Privacy, Security and Breaches, Oh My!", moderator: Alex Stamos, iSEC Partners ; Panelists: Doran Rotman, KPMG ; David Pollino, Washington Mutual Bank ; Robert Fly, Salesforce.com ; Larry Pingree, Safeway ; Kurt Opsahl, EFF
** [[Mumbai]] (14:30 / 18:00)
*** "Black Vector of Web Exploitation" , Aditya Sood , Sec Niche
*** "End User Privacy Breaches" , Rishi Narang , Third Brigade
*** "Privacy on the Web - The road ahead in the 21st century" , Yogesh Badwe , GTL
** [[Ottawa]] (18:00 / 20:00)
*** Security Development Lifecycle for IT , Christian Beauclai , Microsoft
** [[Phoenix]]
*** TBA
** [[Poland]] (18:00 / 21:00)
*** "OWASP" , Robert 'shadow' Pajak
*** "OWASP SPoC" , Przemyslaw 'rezos' Skowron
*** "Pentration test - OWASP in practice" , Jarek Sajko
** [[Boston]]
*** TBA

* '''Sat 8th'''
** [[Turkey]]
*** "Prelude. OWASP DAY and OWASP Turkey projects", Bedirhan Urgun, Bunyamin Demir
*** "Privacy in Governmental Insitutions - A Current State Analysis", Hayrettin Bahsi, Chief Researcher UEKAE TUBITAK
*** "Secure Web Application Development - Korhan Gurler ,Researcher PRO-G
*** "A Panel on Privacy in Turkey - OWASP-Turkey Members

* '''Mon 10th'''
** [[Italy]] (9:00 / 13:30)
*** "Privacy in the digital era" , Mauro Bregolin , KIMA Projects & Services
*** "OWASP Top 10 2007 - Are our information 'really' safe?" , Carlo Pelliccioni , MediaService
*** "Anti-Anti-XSS: bypass browser protections" , Alberto Revelli , Portcullis
*** "Growing Application Security Awareness" , Laurent Petroque , F5
*** "Buzzwords Security" , Luca Carettoni , SecureNetwork
*** "Hacker Attacks on the Horizon: Understanding the Top Web 2.0 Attack Vectors" , Danny Allan , Watchfire
** [[Rochester]]
*** "The new OWASP Top Ten."

* '''Mon 12th'''
** [[Houston]] (17:30 / 19:30)
*** "Enhancing Application Security with Bytecode Instrumentation" , Patrick White , Fortify Software
** [[Cleveland]]
*** "The new OWASP Top Ten."

'''Note:''' If you are interested in doing a presentation, the following chapters have speaker slots available: Rochester, Boston, Phoenix, Poland and Turkey

== Organizers ==

In addition to the local chapter leaders, Dinis Cruz and Mike de Libero are the main points of contact (but of course much more help is needed :) )

== Global Security Week (GWS) ==

For more details on the (GWS) see:
* http://www.globalsecurityweek.com/
* http://www.globalsecurityweek.com/html/national_activities.html
* http://www.globalsecurityweek.com/html/gsw_06.html (Resources)

And here is a description from one the organizers:

''The aim of Global Security Week is to raise security awareness amongst the public and organizations about issues relating to security, primarily information security. This year's theme is on the subject of privacy and we hope that a number of events will be held worldwide to promote people's awareness as to how to protect their privacy when online and also educate companies on their responsibilities, both legal and morally, when it comes to protecting the privacy of their customers.
''
''Global Security Week is a totally voluntary initiative and we have no commercial funding or agenda. The initiative is funded entirely from the committee's own funds and time. We have people involved in Global Security Week throughout the world and during the week we have events planned in different regions. For example here in Ireland I plan to run a free seminar on the above topic open to anyone who wished to attend''

''We ask that those who wish to become involved, help promote Global Security Week in their region either by running specific events dedicated to Global Security Week, taking part in events already planned or simply making people aware that the week is on and the topic is "Privacy in the 21st Century". Even simply making people aware of Global Security Week and directing them to the website is a great help. Not having commercial funding we depend on word of mouth and like minded individuals to make people aware of the week.''

== ... for future reference ... ==
==== (original) Proposed Event layout ====

Each chapter is free to organize its mini conference and to define how long it should last.

But within the spirit of the event the following ideas are proposed:

* The topic of the event should be on "Privacy in the 21st Century", so all talks should be related to it (we should be addressing the Web Application side of Privacy (for example what happens to Privacy with SQL Injection, XSS and issues like pdp's [http://www.gnucitizen.org/blog/snoop-onto-them-as-they-snoop-onto-us Snoop onto Them as they Snoop onto us])
* The event should have 4 to 5 speaking slots (can be 30m if required)
* If possible, invite a presenter from the local government to talk about their views on the subject
* Presentation from a local OWASP Project leader about his/hers project (i.e. for the cases where a leader of an [https://www.owasp.org/index.php/Category:OWASP_Project OWASP Project] lives locally (or will be in that city during the event)
* All events are recommended to have the same panel discussion on the subject "'''What is the current state of Privacy on Web Application Security? and what should we be focusing on?'''"). After the panel discussion, each local chapters is invited to create a summary of its conclusions for publishing on the OWASP website
* "Talk 'Lets get rid of 3 major sources of vulnerabilities:
*# CROSS-SITE SCRIPTING: 70-90% of web applications have Cross-Site Scripting (XSS) holes. You must *both* carefully validate input and use HTML entity encoding on all data output.
*# SQL INJECTION: If your queries are a bunch of strings and user input concatenated together, your database could be attacked with SQL Injection. Stamp out this attack by using "parameterized" queries, such as Java's PreparedStatement instead.
*# SESSION EXPOSURE: Your SESSIONIDs are *just* as valuable as usernames and passwords, so make sure you never expose them. Don't ever allow authenticated SESSIONIDs to be sent without SSL or exposed in the URL."

==== Other Ideas ====
* Create a Security Manifest that will be 'signed' by all attendees
* Distributed capture the flag (where each local chapter plays has a team (against the other chapters))
* Short intro/welcome movie at the beginning of each mini-conference by OWASP board

OWASP Day

2007-09-03T10:18:09Z

Bunyamin: /* Global Agenda (19 Chapters participating) */

== OWASP Day : Worldwide OWASP chapter meetings on the topic "Privacy in the 21st Century" (5th till 12th September 2007) ==

'''OWASP Day''' is the title given to the 17 chapter meetings (hosted by 19 OWASP Chapters) staged during the [http://www.globalsecurityweek.com/ Global Security Week].

== Global Agenda (19 Chapters participating) ==

* '''Wed 5th'''
** [[Israel]] (16:45 / 19:30)
*** "Straight from Blackhat: Dangling Pointers" , Jonathan Afek , Watchfire
*** "Evasive Crimeware attacks, Business drivers, and Proposed Defense" , Iftach Amit , Finjan
*** "Content Injection as a solution for client side browser vulnerabilities" , Ofer Shezaf , Breach Security (Israel chapter Leader)
** [[London]] (18:30 / 21:30)
*** "For my next trick... hacking Web2.0", Petko D. Petkov (pdp), GNUCITIZEN
*** Panel: "Privacy in the 21st Century?", moderator: Ivan Ristic
*** Panel: "Future of the OWASP London Chapter"

* '''Thu 6th'''
** [[NYNJMetro]] (17:30 / 21:00)
*** "Financial Real-Time Threats: Impacting Trading Floor Operations"
*** "JBroFuzz: Effective Fuzzing for Network and Web Applications" , Dr. Yiannis Pavlosoglou , Information Risk Management
*** "Stock fluctuation from an unrecognized influence" , Justine Bone-Aitel , Immunity Security
*** "Hackers...BotNets oh My! Obtain a briefing on the current BotNet investigations etc.", NYC FBI Cyber Crime Unit
*** "Why today's vulnerability assessments are failing and a case for industry standardization"
*** "Blackhat/Defcon", Tom Brennan (President OWASP NY/NJ Metro)
*** Panel: "Global Security Week What is the current state of Privacy on Web Application Security? What should we be focusing on?"
** [[Belgium]] (12:30 / 19:30)
*** pre-event: "Getting started with WebGoat & WebScarab" ,Erwin Geirnaert , ZION Security
*** "OWASP Evaluation and Certification Criteria Draft" , Mark Curphey (OWASP founder)
*** "Automated Web FOO or FUD?" , David Kierznowski, GNUCITIZEN
*** "OWASP Pantera Unleashed" , Simon Roses Femerling , Microsoft
*** "CLASP, SDL and Touchpoints Compared" , Bart De Win, DistriNet research group
*** "Threats of e-insecurity in Belgium and the Belgian response" , Luc Beirens, FCCU
*** "For my next trick... hacking Web2.0 (pdp)" , Petko D. Petkov (pdp), GNUCITIZEN
*** "Panel Discussion: “Privacy in the 21st Century?", moderator: André Marien , Verizon Business - Cybertrust
** [[Washington DC]] + Northern VA (13:00 / 18:15)
*** "Honeyclients and Malicious Web Servers" , Kathy Wang , Mitre
*** "A malcode perspective on web application privacy" Blake Hartstein , iDefense
*** "Practical Web Privacy with Firefox" , Chuck Willis , Mandiant
*** "A sneak peak at Jeff's new "Enterprise Security API" , Jeff Williams , Aspect Security (OWASP board member & Chairman)
*** "Digital Rights Management" , James Stibbards , Cloakware
** [[San Antonio]] (11:30 / 13:00)
*** "Developing an Application Security Strategy for Large Enterprise Systems" , Bruce Jenkins, Fortify Software
** [[Seattle]] (18:00 / 21:00)
*** "Online Banking" , Rob Rachwald , Fortify
*** "Web Hacking 101", Damon Cortesi , IOActive
** [[San Jose]] + San Francisco (17:00 / 20:30)
*** Workshop: "Malicious Code Injection Workshop" , Siva Ram , AppSec Consulting ; Arian Evans ,WhiteHat Security
*** Panel: "Privacy, Security and Breaches, Oh My!", moderator: Alex Stamos, iSEC Partners ; Panelists: Doran Rotman, KPMG ; David Pollino, Washington Mutual Bank ; Robert Fly, Salesforce.com ; Larry Pingree, Safeway ; Kurt Opsahl, EFF
** [[Mumbai]] (14:30 / 18:00)
*** "Black Vector of Web Exploitation" , Aditya Sood , Sec Niche
*** "End User Privacy Breaches" , Rishi Narang , Third Brigade
*** "Privacy on the Web - The road ahead in the 21st century" , Yogesh Badwe , GTL
** [[Ottawa]] (18:00 / 20:00)
*** Security Development Lifecycle for IT , Christian Beauclai , Microsoft
** [[Phoenix]]
*** TBA
** [[Poland]]
*** TBA
** [[Boston]]
*** TBA

* '''Sat 8th'''
** [[Turkey]]
*** "Prelude. OWASP DAY and OWASP Turkey projects", Bedirhan Urgun
*** "Privacy in Governmental Insitutions - A Current State Analysis", Hayrettin Bahsi, Chief Researcher UEKAE TUBITAK
*** "A Panel on Privacy in Turkey

* '''Mon 10th'''
** [[Italy]] (9:00 / 13:30)
*** "Privacy in the digital era" , Mauro Bregolin , KIMA Projects & Services
*** "OWASP Top 10 2007 - Are our information 'really' safe?" , Carlo Pelliccioni , MediaService
*** "Anti-Anti-XSS: bypass browser protections" , Alberto Revelli , Portcullis
*** "Growing Application Security Awareness" , Laurent Petroque , F5
*** "Buzzwords Security" , Luca Carettoni , SecureNetwork
*** "Hacker Attacks on the Horizon: Understanding the Top Web 2.0 Attack Vectors" , Danny Allan , Watchfire
** [[Rochester]]
*** "The new OWASP Top Ten."

* '''Mon 12th'''
** [[Houston]] (17:30 / 19:30)
*** "Enhancing Application Security with Bytecode Instrumentation" , Patrick White , Fortify Software
** [[Cleveland]]
*** "The new OWASP Top Ten."

'''Note:''' If you are interested in doing a presentation, the following chapters have speaker slots available: Rochester, Boston, Phoenix, Poland and Turkey

== Organizers ==

In addition to the local chapter leaders, Dinis Cruz and Mike de Libero are the main points of contact (but of course much more help is needed :) )

== Global Security Week (GWS) ==

For more details on the (GWS) see:
* http://www.globalsecurityweek.com/
* http://www.globalsecurityweek.com/html/national_activities.html
* http://www.globalsecurityweek.com/html/gsw_06.html (Resources)

And here is a description from one the organizers:

''The aim of Global Security Week is to raise security awareness amongst the public and organizations about issues relating to security, primarily information security. This year's theme is on the subject of privacy and we hope that a number of events will be held worldwide to promote people's awareness as to how to protect their privacy when online and also educate companies on their responsibilities, both legal and morally, when it comes to protecting the privacy of their customers.
''
''Global Security Week is a totally voluntary initiative and we have no commercial funding or agenda. The initiative is funded entirely from the committee's own funds and time. We have people involved in Global Security Week throughout the world and during the week we have events planned in different regions. For example here in Ireland I plan to run a free seminar on the above topic open to anyone who wished to attend''

''We ask that those who wish to become involved, help promote Global Security Week in their region either by running specific events dedicated to Global Security Week, taking part in events already planned or simply making people aware that the week is on and the topic is "Privacy in the 21st Century". Even simply making people aware of Global Security Week and directing them to the website is a great help. Not having commercial funding we depend on word of mouth and like minded individuals to make people aware of the week.''

== ... for future reference ... ==
==== (original) Proposed Event layout ====

Each chapter is free to organize its mini conference and to define how long it should last.

But within the spirit of the event the following ideas are proposed:

* The topic of the event should be on "Privacy in the 21st Century", so all talks should be related to it (we should be addressing the Web Application side of Privacy (for example what happens to Privacy with SQL Injection, XSS and issues like pdp's [http://www.gnucitizen.org/blog/snoop-onto-them-as-they-snoop-onto-us Snoop onto Them as they Snoop onto us])
* The event should have 4 to 5 speaking slots (can be 30m if required)
* If possible, invite a presenter from the local government to talk about their views on the subject
* Presentation from a local OWASP Project leader about his/hers project (i.e. for the cases where a leader of an [https://www.owasp.org/index.php/Category:OWASP_Project OWASP Project] lives locally (or will be in that city during the event)
* All events are recommended to have the same panel discussion on the subject "'''What is the current state of Privacy on Web Application Security? and what should we be focusing on?'''"). After the panel discussion, each local chapters is invited to create a summary of its conclusions for publishing on the OWASP website
* "Talk 'Lets get rid of 3 major sources of vulnerabilities:
*# CROSS-SITE SCRIPTING: 70-90% of web applications have Cross-Site Scripting (XSS) holes. You must *both* carefully validate input and use HTML entity encoding on all data output.
*# SQL INJECTION: If your queries are a bunch of strings and user input concatenated together, your database could be attacked with SQL Injection. Stamp out this attack by using "parameterized" queries, such as Java's PreparedStatement instead.
*# SESSION EXPOSURE: Your SESSIONIDs are *just* as valuable as usernames and passwords, so make sure you never expose them. Don't ever allow authenticated SESSIONIDs to be sent without SSL or exposed in the URL."

==== Other Ideas ====
* Create a Security Manifest that will be 'signed' by all attendees
* Distributed capture the flag (where each local chapter plays has a team (against the other chapters))
* Short intro/welcome movie at the beginning of each mini-conference by OWASP board

Turkey

2007-07-30T13:59:48Z

Bunyamin:

File:Turkey Chapter Sponsor1 Pro-G.gif

2007-07-30T13:53:51Z

Bunyamin: OWASP Turkey Chapter Sponsor

OWASP Turkey Chapter Sponsor

OWASP Spring Of Code 2007 - Projects

2007-07-29T19:19:35Z

Bunyamin:

== All SpoC Projects ==

{| class="wikitable" WIDTH=100%
|-
! SpoC Project Name
! Author
! Confirmed
! Status
! Coordinated by
|-

|-
! [[SpoC 007 - The OWASP Web Security Certification Framework|The OWASP Web Security Certification Framework]]
| Mark Curphey
| Yes
| 45%
| OWASP Board

|-
! [[SpoC 007 - SqlMap|SqlMap]]
| Bernardo Damele
| Yes
| 60% (to review)
| Dinis Cruz

|-
! [[SpoC 007 - OWASP Site Generator|OWASP Site Generator]]
| Boris
| Yes
| 0%
| Dinis Cruz

|-
! [[SpoC 007 - Attacks Reference Guide|Attacks Reference Guide]]
| NSRAV Security Research Group
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - The Scholastic Application Security Assessment Project|The Scholastic Application Security Assessment Project]]
| Eric Sheridan and
Dr. Goran Trajkovski
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Inspekt|Inspekt: Input filtering and validation library for PHP]]
| Ed Finkler
| Yes
| 50% (to review)
| Andrew v d Stock

|-
! [[SpoC 007 - Code review Project|Code review Project]]
| Eoin Keary
| Yes
| 25%
| Dinis Cruz

|-
! [[SpoC 007 - OWASP Certification Project|OWASP Certification Project]]
| Matteo Meucci
| Yes
| 0%
| Dinis Cruz

|-
! [[SpoC 007 - OWASP Education Project|OWASP Education Project]]
| Sebastien Deleersnyder
| Yes
| 37,5%
| Dinis Cruz

|-
! [[SpoC 007 - OWASP The Anti-Samy Project|OWASP The Anti-Samy Project]]
| Arshan Dabirsiaghi
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Security throughout the SDLC|Security throughout the SDLC]]
| Keith Casey
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP WebGoat Solutions Guide|OWASP WebGoat Solutions Guide]]
| Erwin Geirnaert
| Yes
| 90%
| Jeff Williams

|-
! [[SpoC 007 - OWASP WeBekci Project|OWASP WeBekci Project]]
| Bunyamin Demir
| Yes
| 40%
| Ivan Ristic

|-
! [[SpoC 007 - Python Tainted Mode|Python Tainted Mode]]
| Denis
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - WebScarab NG Security Test Automation|WebScarab NG Security Test Automation]]
| Darren Edmonds
| Yes
| 0%
| Jeff Williams

|-
! [[SpoC 007 - Refresh Attacks list|Refresh Attacks list]]
| Przemyslaw 'rezos' Skowron
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Best Practices & Countermeasures|Best Practices & Countermeasures]]
| Jim
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP Brand|OWASP brand]]
| Paulo Coimbra
| Yes
| 0%
| Dinis Cruz

|-
! [[SpoC 007 - Web Application Security put into practice|Web Application Security put into practice]]
| Heiko Webers
| Yes
| 60%
| TBA

|-
! [[SpoC 007 - OWASP JBroFuzz Project|OWASP JBroFuzz Project]]
| Subere
| Yes
| 40%
| TBA

|-
! [[SpoC 007 - Owasp Orizon Project|Owasp Orizon Project]]
| Paolo Perego
| Yes
| 45%
| Dinis Cruz

|-
! [[SpoC 007 - Enigform: Firefox Addon for OpenPGP signing of HTTP requests|Enigform: Firefox Addon for OpenPGP signing of HTTP requests]]
| Arturo (Buanzo) Busleiman
| Yes
| half term review: done
| Dinis Cruz

|-
! [[SpoC 007 - OWASP LiveCD Education Project|OWASP LiveCD Education Project]]
| Josh Sweeney
| Yes
| 50% (to review)
| Eoin Keary

|-
! [[SpoC 007 - OWASP Java Project|OWASP Java Project]]
| Erwin Geirnaert
| Yes
| 0%
| Jeff Williams

|-
! [[SpoC 007 - OWASP LiveCD Project|OWASP LiveCD Project]]
| Joshua Perrymon
| Yes
| 0%
| Eoin Keary

|-
! [[SpoC 007 - Interim @ Aspect Offices|Interim @ Aspect Offices]]
| Andy Gocke
| Yes
| 0%
| Jeff Williams

|-
! [[SpoC 007 - 10x 1000USD to FOSS projects we all use |10x 1000USD to FOSS projects we all use ]]
| (tbd)
| No
| 0%
| Dinis Cruz

|-
! [[SpoC 007 - Help with SpoC project management|Help with SpoC project management]]
| Paulo Coimbra
| Yes
| 0%
| Dinis Cruz

|}

SpoC 007 - OWASP WeBekci Project

2007-07-29T19:18:44Z

Bunyamin:

'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

'''AoC Candidate''': Bunyamin Demir

'''Project coordinator''': Ivan Ristic

'''Project Progress''': 40% Complete, [[SpoC 007 - OWASP WeBekci Project - Progress Page|Progress Page]]

== Bunyamin Demir – OWASP WeBekci Project ==

=== Executive Summary ===

Web application firewalls (WAF) are gaining importance among the information security technologies designed to protect web sites from attack. WAF solutions prevent attacks that network firewalls and intrusion detection systems can't and they require no modification of application source code. ModSecurity [17] is an open source web application firewall that runs as an Apache module. It is an embeddable web application firewall and it provides protection from a range of attacks against web applications. It is an open source project available to everyone; it however does not come with an admin panel.

I decided to provide this essential tool with a control panel which I believe will ease and thus encourage its usage.

ModSecurity allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure. My main goal is to analyze attacks and generate rules to change the configuration of the ModSecurity accordingly.

ModSecurity has a feature called “flexible rule engine” as its heart of Attack Prevention capability . It uses ModSecurity’s “Rule Language,” (a programming language designed to work with HTTP transaction data). It is easy to use and flexible; yet the system administrators need to learn its own rules to create what is called “Certified ModSecurity Rules” to be implemented. My control panel will automate the major code-generation in Rule Language.

=== Objectives and Deliverables ===

* '''Configuration''' : Will add all configuration parameter (80%)
* '''RuleLoggin Generator''': Will write all the Rules in Rule Language(50%)
* '''Logging''' : Errorlog, GuardianLog, Auditlog and Debuglog will be added.(30%)
* '''Multiple-DB''' : Will add PostgreSql and Sqlite support.(0%)

=== Why I should be sponsored for the project ===

I am involved with OWASP Turkey and interested very much in WAF. Even though this is my first project for OWASP, I am very much interested in every aspect of ModSecurity. With SpoC007’s support I will finalize my work on OWASP WeBekci.

'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

Turkey

2007-07-17T09:24:50Z

Bunyamin: /* Last Event - 1st Web Security Days - July 14 (Turkey 2007) */

Turkey

2007-07-17T09:24:32Z

Bunyamin: /* Last Event - 1st Web Security Days - July 14 (Turkey 2007) */

Turkey

2007-07-17T09:23:53Z

Bunyamin: /* Next Event - 1st Web Security Days - July 14 (Turkey 2007) */

1st Web Security Days OWASP Turkey

2007-07-17T09:21:54Z

Bunyamin: /* Sponsored */

== 1st Web Security Days - July 14 (Turkey 2007) ==

First of the Web Security Days has been realized by Owasp-Turkey chapter on 14th of July 2007 in İstanbul. With a ~70 registered attendees, it was great to have a pack of web security oriented people for a five hours of mostly technical presentations.

Dinis Cruz (Chief OWASP Evangelist) actively participating with his two presentations, attendees had the chance of capturing a first hand understanding of OWASP’s general structure, projects, the current state, in short, the spirit. Moreover, Dinis also presented a general view of an application audit by combining the best of two worlds; black box testing and source code review. Both of the presentations are humbly translated into Turkish onsite.

Ferruh Mavituna has launched his fresh new testing/attacking tool on what he dubbed as “XSS Tunnelling” vowing the audience. Bunyamin Demir has provided a general overview of modsecurity WAF module of Apache with practical attack and prevention steps. Bedirhan Urgun has demoed an attack vector (cache poisoning) by using HRS, backed up with a master/zombie scenerio implemented on Attack API. Finally, Omur Camci has demonstrated fundamental Java security functionalities such as creating partial trust policies and signing jar files.

We’d like to thank our sponsors; [http://www.gelisimplatformu.org/ Gelisim Platformu] and [http://www.pro-g.com.tr/ Pro-G Security].

Encouraged with this one, we hope next meeting (could it be 6th September with Owasp Live…) will be more fluent, beneficial and definitely crowded.

Thanks again to all participated.

Last but not the least, presentation materials will be available soon and links to those materials (ppt, videos and papers) will be published here.

OWASP-Turkey chapter

== Agenda ==

'''Saturday 14 July 2007''' 
'''Time:''' 11:00-18:00 

'''Address''' to the meeting are:

[http://www.gelisimplatformu.org Gelisim Platformu] - Gayrettepe 80310 Istanbul - Turkey 
 

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | Agenda
|-
|-
| style="width:10%; background:#7B8ABD" | 11:00-11:05 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Opening - ''OWASP-Turkey''
|-
| style="width:10%; background:#7B8ABD" | 11:05-12:00 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | OWASP World (tools, documents, projects,etc..) - ''Dinis Cruz (Chief Evangelist)''
|-
| style="width:10%; background:#7B8ABD" | 12:10-12:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | HTTP Response Splitting, Demo (Web Cache Poisoning and a little more) - ''Bedirhan Urgun''
|-
| style="width:10%; background:#7B8ABD" | 12:30-13:45 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch
|-
| style="width:10%; background:#7B8ABD" | 13:45-14:25 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | XSS Tunnelling - ''Ferruh Mavituna''
|-
| style="width:10%; background:#7B8ABD" | 14:35-15:00 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Web Application Security With ModSecurity - ''Bunyamin Demir''
|-
| style="width:10%; background:#7B8ABD" | 15:10-16:50 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Security Practices In Java - ''GP Bilisim Kulubu''
|-
| style="width:10%; background:#7B8ABD" | 16:50-16:10 || colspan="2" style="width:40%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 16:10-16:50 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Live Demo Of An Web Application Security Review (And Source Code Analysis) - ''Dinis Cruz''
|-
| style="width:10%; background:#7B8ABD" | 17:00-17:45 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Q&A and What can we do for OWASP?
|-
| style="width:10%; background:#7B8ABD" | 17:45-18:00 || colspan="2" style="width:40%; background:#C2C2C2" align="left" | Closing - ''OWASP-Turkey''
|}

== Sponsored ==

The event was sponsored by [http://www.gelisimplatformu.org/ Gelisim Platformu] and [http://www.pro-g.com.tr/ Pro-G Security]

<center>[[Image:Gelisim_platformu_logo.gif]]    [[Image:Pro-g_web_security_days_logo.gif|Pro-g_web_security_days_logo.gif]]</center>

1st Web Security Days OWASP Turkey

2007-07-17T09:21:01Z

Bunyamin: /* 1st Web Security Days - July 14 (Turkey 2007) */

== 1st Web Security Days - July 14 (Turkey 2007) ==

First of the Web Security Days has been realized by Owasp-Turkey chapter on 14th of July 2007 in İstanbul. With a ~70 registered attendees, it was great to have a pack of web security oriented people for a five hours of mostly technical presentations.

Dinis Cruz (Chief OWASP Evangelist) actively participating with his two presentations, attendees had the chance of capturing a first hand understanding of OWASP’s general structure, projects, the current state, in short, the spirit. Moreover, Dinis also presented a general view of an application audit by combining the best of two worlds; black box testing and source code review. Both of the presentations are humbly translated into Turkish onsite.

Ferruh Mavituna has launched his fresh new testing/attacking tool on what he dubbed as “XSS Tunnelling” vowing the audience. Bunyamin Demir has provided a general overview of modsecurity WAF module of Apache with practical attack and prevention steps. Bedirhan Urgun has demoed an attack vector (cache poisoning) by using HRS, backed up with a master/zombie scenerio implemented on Attack API. Finally, Omur Camci has demonstrated fundamental Java security functionalities such as creating partial trust policies and signing jar files.

We’d like to thank our sponsors; [http://www.gelisimplatformu.org/ Gelisim Platformu] and [http://www.pro-g.com.tr/ Pro-G Security].

Encouraged with this one, we hope next meeting (could it be 6th September with Owasp Live…) will be more fluent, beneficial and definitely crowded.

Thanks again to all participated.

Last but not the least, presentation materials will be available soon and links to those materials (ppt, videos and papers) will be published here.

OWASP-Turkey chapter

== Agenda ==

'''Saturday 14 July 2007''' 
'''Time:''' 11:00-18:00 

'''Address''' to the meeting are:

[http://www.gelisimplatformu.org Gelisim Platformu] - Gayrettepe 80310 Istanbul - Turkey 
 

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | Agenda
|-
|-
| style="width:10%; background:#7B8ABD" | 11:00-11:05 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Opening - ''OWASP-Turkey''
|-
| style="width:10%; background:#7B8ABD" | 11:05-12:00 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | OWASP World (tools, documents, projects,etc..) - ''Dinis Cruz (Chief Evangelist)''
|-
| style="width:10%; background:#7B8ABD" | 12:10-12:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | HTTP Response Splitting, Demo (Web Cache Poisoning and a little more) - ''Bedirhan Urgun''
|-
| style="width:10%; background:#7B8ABD" | 12:30-13:45 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch
|-
| style="width:10%; background:#7B8ABD" | 13:45-14:25 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | XSS Tunnelling - ''Ferruh Mavituna''
|-
| style="width:10%; background:#7B8ABD" | 14:35-15:00 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Web Application Security With ModSecurity - ''Bunyamin Demir''
|-
| style="width:10%; background:#7B8ABD" | 15:10-16:50 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Security Practices In Java - ''GP Bilisim Kulubu''
|-
| style="width:10%; background:#7B8ABD" | 16:50-16:10 || colspan="2" style="width:40%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 16:10-16:50 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Live Demo Of An Web Application Security Review (And Source Code Analysis) - ''Dinis Cruz''
|-
| style="width:10%; background:#7B8ABD" | 17:00-17:45 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Q&A and What can we do for OWASP?
|-
| style="width:10%; background:#7B8ABD" | 17:45-18:00 || colspan="2" style="width:40%; background:#C2C2C2" align="left" | Closing - ''OWASP-Turkey''
|}

== Sponsored ==

The event was sponsored by Gelisim Platformu and Pro-G

<center>[[Image:Gelisim_platformu_logo.gif]]    [[Image:Pro-g_web_security_days_logo.gif|Pro-g_web_security_days_logo.gif]]</center>

1st Web Security Days OWASP Turkey

2007-07-16T19:40:48Z

Bunyamin: New page: == 1st Web Security Days - July 14 (Turkey 2007) == First of the Web Security Days has been realized by Owasp-Turkey chapter on 14th of July 2007 in İstanbul. With a ~70 registered atte...

== 1st Web Security Days - July 14 (Turkey 2007) ==

First of the Web Security Days has been realized by Owasp-Turkey chapter on 14th of July 2007 in İstanbul. With a ~70 registered attendees, it was great to have a pack of web security oriented people for a five hours of mostly technical presentations.

Dinis Cruz (Chief OWASP Evangelist) actively participating with his two presentations, attendees had the chance of capturing a first hand understanding of OWASP’s general structure, projects, the current state, in short, the spirit. Moreover, Dinis also presented a general view of an application audit by combining the best of two worlds; black box testing and source code review. Both of the presentations are humbly translated into Turkish onsite.

Ferruh Mavituna has launched his fresh new testing/attacking tool on what he dubbed as “XSS Tunnelling” vowing the audience. Bunyamin Demir has provided a general overview of modsecurity WAF module of Apache with practical attack and prevention steps. Bedirhan Urgun has demoed an attack vector (cache poisoning) by using HRS, backed up with a master/zombie scenerio implemented on Attack API. Finally, Omur Camci has demonstrated fundamental Java security functionalities such as creating partial trust policies and signing jar files.

We’d like to thank our sponsors; Gelisim Platformu and Pro-G Security.

Encouraged with this one, we hope next meeting (could it be 6th September with Owasp Live…) will be more fluent, beneficial and definitely crowded.

Thanks again to all participated.

Last but not the least, presentation materials will be available soon and links to those materials (ppt, videos and papers) will be published here.

OWASP-Turkey chapter

== Agenda ==

'''Saturday 14 July 2007''' 
'''Time:''' 11:00-18:00 

'''Address''' to the meeting are:

[http://www.gelisimplatformu.org Gelisim Platformu] - Gayrettepe 80310 Istanbul - Turkey 
 

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | Agenda
|-
|-
| style="width:10%; background:#7B8ABD" | 11:00-11:05 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Opening - ''OWASP-Turkey''
|-
| style="width:10%; background:#7B8ABD" | 11:05-12:00 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | OWASP World (tools, documents, projects,etc..) - ''Dinis Cruz (Chief Evangelist)''
|-
| style="width:10%; background:#7B8ABD" | 12:10-12:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | HTTP Response Splitting, Demo (Web Cache Poisoning and a little more) - ''Bedirhan Urgun''
|-
| style="width:10%; background:#7B8ABD" | 12:30-13:45 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch
|-
| style="width:10%; background:#7B8ABD" | 13:45-14:25 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | XSS Tunnelling - ''Ferruh Mavituna''
|-
| style="width:10%; background:#7B8ABD" | 14:35-15:00 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Web Application Security With ModSecurity - ''Bunyamin Demir''
|-
| style="width:10%; background:#7B8ABD" | 15:10-16:50 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Security Practices In Java - ''GP Bilisim Kulubu''
|-
| style="width:10%; background:#7B8ABD" | 16:50-16:10 || colspan="2" style="width:40%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 16:10-16:50 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Live Demo Of An Web Application Security Review (And Source Code Analysis) - ''Dinis Cruz''
|-
| style="width:10%; background:#7B8ABD" | 17:00-17:45 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Q&A and What can we do for OWASP?
|-
| style="width:10%; background:#7B8ABD" | 17:45-18:00 || colspan="2" style="width:40%; background:#C2C2C2" align="left" | Closing - ''OWASP-Turkey''
|}

== Sponsored ==

The event was sponsored by Gelisim Platformu and Pro-G

<center>[[Image:Gelisim_platformu_logo.gif]]    [[Image:Pro-g_web_security_days_logo.gif|Pro-g_web_security_days_logo.gif]]</center>

File:Pro-g web security days logo.gif

2007-07-16T19:35:54Z

Bunyamin: Pro-G

Pro-G

File:Gelisim platformu logo.gif

2007-07-16T19:32:26Z

Bunyamin: Gelisim Platformu

Gelisim Platformu

Turkey

2007-07-12T12:10:03Z

Bunyamin: /* Next Event - 1st Web Security Days - July 14 (Turkey 2007) */

{{Chapter Template|chaptername=Turkey|extra=The chapter leader is [mailto:bunyamindemir@gmail.com Bunyamin Demir], [mailto:ferruh@mavituna.com Ferruh Mavituna], [mailto:urgunb@hotmail.com Bedirhan Urgun] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-turkey|emailarchives=http://lists.owasp.org/pipermail/owasp-turkey}}

== Local News ==

Ceviri projesine yardim etmek isteyen arkadaslar lutfen [mailto:bunyamindemir@gmail.com iletisime] geciniz.

== Next Event - 1st Web Security Days - July 14 (Turkey 2007) ==

Everyone is welcome to join us at our chapter event. We will meet at the conference room at [http://www.gelisimplatformu.org/ Gelisim Platformu].

'''Saturday 14 July 2007''' 
'''Time:''' 11:00-18:00 

'''Address''' to the meeting are:

[http://www.gelisimplatformu.org Gelisim Platformu] - Gayrettepe 80310 Istanbul - Turkey 
 

For registration [http://www.webguvenligi.org/owaspKayit/kayit.php please].

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | Agenda
|-
|-
| style="width:10%; background:#7B8ABD" | 11:00-11:05 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Opening - ''OWASP-Turkey''
|-
| style="width:10%; background:#7B8ABD" | 11:05-12:00 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | OWASP World (tools, documents, projects,etc..) - ''Dinis Cruz (Chief Evangelist)''
|-
| style="width:10%; background:#7B8ABD" | 12:10-12:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | HTTP Response Splitting, Demo (Web Cache Poisoning and a little more) - ''Bedirhan Urgun''
|-
| style="width:10%; background:#7B8ABD" | 12:30-13:45 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch
|-
| style="width:10%; background:#7B8ABD" | 13:45-14:25 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | XSS Tunnelling - ''Ferruh Mavituna''
|-
| style="width:10%; background:#7B8ABD" | 14:35-15:00 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Web Application Security With ModSecurity - ''Bunyamin Demir''
|-
| style="width:10%; background:#7B8ABD" | 15:10-16:50 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Security Practices In Java - ''GP Bilisim Kulubu''
|-
| style="width:10%; background:#7B8ABD" | 16:50-16:10 || colspan="2" style="width:40%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 16:10-16:50 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Live Demo Of An Web Application Security Review (And Source Code Analysis) - ''Dinis Cruz''
|-
| style="width:10%; background:#7B8ABD" | 17:00-17:45 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Q&A and What can we do for OWASP?
|-
| style="width:10%; background:#7B8ABD" | 17:45-18:00 || colspan="2" style="width:40%; background:#C2C2C2" align="left" | Closing - ''OWASP-Turkey''
|}

== Last Meetings ==

'''Sunday 6 May 2007''' 
'''Time:''' 11:15-12:30 

'''Address''' to the meeting are:

[http://www.metu.edu.tr Middle East Technical University] 
Ankara-Turkey 
 

'''Presentation''' 

Web Application Security with ModSecurity and OWASP

Turkey

2007-07-12T12:09:46Z

Bunyamin: /* Next Event - 1st Web Security Days - July 14 (Turkey 2007) */

{{Chapter Template|chaptername=Turkey|extra=The chapter leader is [mailto:bunyamindemir@gmail.com Bunyamin Demir], [mailto:ferruh@mavituna.com Ferruh Mavituna], [mailto:urgunb@hotmail.com Bedirhan Urgun] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-turkey|emailarchives=http://lists.owasp.org/pipermail/owasp-turkey}}

== Local News ==

Ceviri projesine yardim etmek isteyen arkadaslar lutfen [mailto:bunyamindemir@gmail.com iletisime] geciniz.

== Next Event - 1st Web Security Days - July 14 (Turkey 2007) ==

Everyone is welcome to join us at our chapter event. We will meet at the conference room at [http://www.gelisimplatformu.org/ Gelisim Platformu].

'''Saturday 14 July 2007''' 
'''Time:''' 11:00-18:00 

'''Address''' to the meeting are:

[http://www.gelisimplatformu.org Gelisim Platformu] - Gayrettepe 80310 Istanbul - Turkey 
 

For registration [http://www.webguvenligi.org/owaspKayit/kayit.php please].

{| style="width:80%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white" | Agenda
|-
|-
| style="width:10%; background:#7B8ABD" | 11:00-11:05 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Registration and Opening - ''OWASP-Turkey''
|-
| style="width:10%; background:#7B8ABD" | 11:05-12:00 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | OWASP World (tools, documents, projects,etc..) - ''Dinis Cruz (Chief Evangelist)''
|-
| style="width:10%; background:#7B8ABD" | 12:10-12:30 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | HTTP Response Splitting, Demo (Web Cache Poisoning and a little more) - ''Bedirhan Urgun''
|-
| style="width:10%; background:#7B8ABD" | 12:30-13:45 || colspan="2" style="width:80%; background:#C2C2C2" align="left" | Lunch
|-
| style="width:10%; background:#7B8ABD" | 13:45-14:25 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | XSS Tunnelling - ''Ferruh Mavituna''
|-
| style="width:10%; background:#7B8ABD" | 14:35-15:00 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Web Application Security With ModSecurity - ''Bunyamin Demir''
|-
| style="width:10%; background:#7B8ABD" | 15:10-16:50 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Security Practices In Java - ''GP Bilisim Kulubu''
|-
| style="width:10%; background:#7B8ABD" | 16:50-16:10 || colspan="2" style="width:40%; background:#C2C2C2" align="left" | Break
|-
| style="width:10%; background:#7B8ABD" | 16:10-16:50 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Live Demo Of An WebApplication Security Review (And Source Code Analysis) - ''Dinis Cruz''
|-
| style="width:10%; background:#7B8ABD" | 17:00-17:45 || colspan="2" style="width:40%; background:#F2F2F2" align="left" | Q&A and What can we do for OWASP?
|-
| style="width:10%; background:#7B8ABD" | 17:45-18:00 || colspan="2" style="width:40%; background:#C2C2C2" align="left" | Closing - ''OWASP-Turkey''
|}

== Last Meetings ==

'''Sunday 6 May 2007''' 
'''Time:''' 11:15-12:30 

'''Address''' to the meeting are:

[http://www.metu.edu.tr Middle East Technical University] 
Ankara-Turkey 
 

'''Presentation''' 

Web Application Security with ModSecurity and OWASP

Template:Latest Newsletter

2007-07-03T14:41:56Z

Bunyamin:

; '''Apr 17 - [[OWASP Newsletter 8]]'''
: OWASP SpoC projects selected, new OWASP WeBekci tool, OWASP Code Review project, OWASP updates and much more