OWASP - User contributions [en]

File:OWASP Workshop FinalV.pdf

2018-04-16T21:43:52Z

Conpap:

Greece

2018-04-16T21:27:52Z

Conpap: /* Meetings */

[[Image:Greekchapterlogo.gif]]

==== Welcome ====

{{Chapter Template|chaptername=Greece|extra=The chapter leader is [mailto:konstantinos@owasp.org Konstantinos Papapanagiotou]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-greece|emailarchives=http://lists.owasp.org/pipermail/owasp-greece}}

<paypal>Greece</paypal>

== OWASP Greek Chapter Committee ==

Chapter Leader: [mailto:conpapATowasp.gr Konstantinos Papapanagiotou]

Committee Members: [mailto:manosATowasp.gr Emmanouel Kellinis], [mailto:steliosATowasp.gr Stelios Tigkas], [mailto:vsvlachosATowasp.gr Vasileios Vlachos]

 

== Τι είναι το OWASP ==

Το ΟWASP (Open Web Application Security Project – http://www.owasp.org) αποτελεί μία πρωτοβουλία που αποσκοπεί στον εντοπισμό και στην καταπολέμηση των τρωτών σημείων του λογισμικού τέτοιων εφαρμογών. Όντας ένας μη κερδοσκοπικός οργανισμός, ακολουθεί την ιδεολογία του Ελεύθερου/Ανοικτού λογισμικού, παρέχοντας δωρεάν αλλά επαγγελματικής ποιότητας έγγραφα, εργαλεία και πρότυπα. Παράλληλα, ενισχύει τη διοργάνωση συνεδρίων και τοπικών ομάδων εργασίας (local chapters), τη δημοσίευση άρθρων και συγγραμμάτων, καθώς και την ανταλλαγή απόψεων μέσα από forums και mailing lists. Το OWASP απαριθμεί μέλη σε όλο τον πλανήτη, συμπεριλαμβανομένων μεγάλων οργανισμών και εταιριών του χώρου όπως VISA, Deloitte, Unisys, Foundstone, και άλλες.

== Η Ελληνική Κοινότητα ==

Η ελληνική ομάδα εργασίας του OWASP δημιουργήθηκε το 2005, με κύριο στόχο την ενημέρωση και την αφύπνιση της ελληνικής κοινότητας αναφορικά με τους κινδύνους ασφαλείας στις διαδικτυακές εφαρμογές. Αφορμή για τη δημιουργία της αποτέλεσαν ουσιαστικά τα ολοένα αυξανόμενα περιστατικά ασφαλείας στο διαδίκτυο, όπως τα κρούσματα phishing σε ελληνικές τράπεζες.

Σήμερα, η ελληνική ομάδα του OWASP δραστηριοποιείται σε προγράμματα Ελεύθερου/Ανοικτού λογισμικού καθώς και μεταφράσεις κειμένων του OWASP στα ελληνικά, προωθώντας την ιδέα του OWASP σε τοπικό επίπεδο. Παράλληλα, μέσα από τη mailing list της ενημερώνει και προκαλεί συζητήσεις σχετικά με επίκαιρα θέματα ασφάλειας στο διαδίκτυο, ενώ εκδίδει και μηνιαίο newsletter.

'''Η Ελληνική Ομάδα Εργασίας του OWASP χρησιμοποιεί για τις εκτυπώσεις της τον [http://www8.hp.com/in/en/products/printers/product-detail.html?oid=5261595#!tab=features HP Deskjet Ink Advantage 4625], επιτυγχάνοντας μεγάλη οικονομία στα μελάνια εκτύπωσης.'''

== Συμμετοχή ==

Η ελληνική κοινότητα του OWASP επιθυμεί να φέρει σε επαφή όλους όσους ενδιαφέρονται και προβληματίζονται για την ασφάλεια των διαδικτυακών εφαρμογών. Ταυτόχρονα, ευπρόσδεκτοι είναι και εθελοντές που προτίθενται να δουλέψουν σε προγράμματα Ελεύθερου/Ανοιχτού λογισμικού που συντονίζει το OWASP. Σας προσκαλούμε να μοιραστείτε μαζί μας ιδέες, σκέψεις και προβληματισμούς σχετικά με επιθέσεις, μεθόδους άμυνας και αντιμετώπισης, εργαλεία και βέλτιστες πρακτικές ασφάλειας στο διαδίκτυο. Ανεξάρτητα από το τεχνικό επίπεδο, το βάθος της προσέγγισης και τις χρησιμοποιούμενες μεθόδους, θα χαρούμε ιδιαίτερα αν έρθετε σε επαφή μαζί μας.

Για να εγγραφείτε στη '''mailing list''' της ελληνικής ομάδας εργασίας επισκεφθείτε [http://lists.owasp.org/mailman/listinfo/owasp-greece αυτή τη σελίδα].

== Ευχαριστίες ==

Θα θέλαμε να ευχαριστήσουμε το [http://www.di.uoa.gr Τμήμα Πληροφορικής και Τηλεπικοινωνιών] του Πανεπιστημίου Αθηνών για τη βοήθεια που παρέχει στην ελληνική ομάδα εργασίας.

[[Image:Universityofathenslogo.gif]]

Επίσης θα θέλαμε να ευχαριστήσουμε θερμά το περιοδικό [http://www.linuxinside.gr/ Linux Inside] για την υποστήριξη και την προβολή καθώς και το [http://www.zero.gr zero.gr].

[[Image:Linuxinside-logo.png]] [[Image:zerologo.png]]

==== News ====

== Ομάδες Εργασίας ==

Αυτήν την περίοδο ψάχνουμε για νέες project ιδέες. Εάν έχεις καινούρια ίδεα για κάποιο εργαλείο, στατιστικά στοιχεία για το πόσο σοβαρά λαμβάνουν στην Ελλάδα το application security οι προγραμματιστές, εταιρίες λογισμικού κτλ ή αν έχεις οποιάδηποτε άλλη ιδέα με κεντρικό θέμα το application security επικοινωνήστε μαζί μας.

== Νέα ==

'''16/3/2011''' - Η πρώτη συνάντηση θα πραγματοποιηθεί στο [http://www.colabworkspace.com/ CoLab Athens Workspace]. Περισσότερες πληφορορίες και εγγραφές [http://owaspgr01.eventbrite.com/ εδώ].

'''20/9/2009''' - Ο [mailto:vsvlachosATowasp.gr Βασίλης Βλάχος], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα, θα συντονίσει στις 26/9/2009 τη συνεδρία με θέμα Web Application Security που συνδιοργανώνει το OWASP.gr στα πλάισια του συνεδρίου 4th Mediterranean Conference on Information Systems ([http://www.mcis2009.org MCIS 2009]). Η συνεδρία θα πραγματοποιηθεί στις 26 Σεπτεμβρίου 2009 και ώρα 15:30 στο Οικονομικό Πανεπιστήμιο Αθηνών.

'''5/3/2009''' - Ο [mailto:conpapATowasp.gr Κωνσταντίνος Παπαπαναγιώτου], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα, θα συντονίσει στις 18 Μαρτίου την ενότητα "Πρότυπα και Νομικές Απαιτήσεις" στα πλαίσια της [http://www.tsomokos.gr/projects2.php EXPOSEC 2009], που διεξάγεται στις 17 και 18 Μαρτίου στο Ζάππειο Μέγαρο.

'''3/2/2009''' - Ο [mailto:conpapATowasp.gr Κωνσταντίνος Παπαπαναγιώτου], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα, έδωσε ζωντανή συνέντευξη στην εκπομπή Ατζέντα+ της ψηφιακής πλατφόρμας της ΕΡΤ (κανάλι Σπορ+/Info+), όπου μίλησε για τις δραστηριότητες του OWASP στην Ελλάδα και έδωσε απλές συμβουλές για την ασφάλεια στο Internet. Μπορείτε να παρακολουθήσετε το βίντεο της συνέντευξης [http://www.youtube.com/watch?v=q0RPKaPGICI εδώ].

'''10/10/2008''' - Το OWASP.gr συμμετέχει στο Athens Digital Week που πραγματοποιείται από τις 13 ως τις 19 Οκτωβρίου στη Τεχνόπολη στο Γκάζι (http://conf.ellak.gr).

'''30/9/2008''' - Το OWASP.gr παρουσιάζει το πρώτο Ελληνικό blog με θέμα την ασφάλεια των διαδικτυακών εφαρμογών αλλά και των υπολογιστικών συστημάτων γενικότερα. Επισκεφθείτε το επίσημο blog της Ελληνικής ομάδας εργασίας του OWASP στο: http://blog.owasp.gr.

'''5/6/2008''' - Η παρουσίαση του OWASP.gr στο 3ο Συνέδριο ΕΛ/ΛΑΚ είναι διαθέσιμη μέσα από την ενότητα [https://www.owasp.org/index.php/OWASP_Education_Presentation#Chapter_Presentations Chapter Presentations] και συγκεκριμένα [http://www.owasp.org/images/e/e5/OWASP_ellak-Greece.ppt εδώ]. Επίσης, βίντεο της παρουσίασης μπορείτε να βρείτε [http://conf.ellak.gr/2008/index.php?option=com_eventlist&Itemid=119&func=details&did=19 εδώ].

'''26/5/2008''' - Το OWASP.gr αναπτύσσει έναν Web Vulnerability Scanner. Μπορείτε να κατεβάσετε την beta έκδοσή του από [https://www.owasp.org/images/6/65/WVS_beta-0.2.1.zip εδώ].

'''15/5/2008''' - Το OWASP.gr συμμετέχει στο 3ο Συνέδριο ΕΛ/ΛΑΚ που πραγματοποιείται στις 27 και 28 Μαΐου στο Εθνικό Μετσόβιο Πολυτεχνείο (http://conf.ellak.gr).

'''20/2/2008''' - Το OWASP.gr συμμετέχει στο 1ο Συνέδριο Κοινοτήτων Ελεύθερου Λογισμικού/Λογισμικού Ανοιχτού Κώδικα που διοργανώνεται στις 21 και 22 Μαρτίου στο Εθνικό Μετσόβειο Πολυτεχνείο (http://www.fosscomm.gr/).

'''2/2/2008''' - Το OWASP.gr συμμετέχει στην παρουσίαση της ομάδας IA4 του E-Business Forum (Προπαρασκευαστικές δράσεις για τη δημιουργία Ελληνικού Κέντρου Επείγουσας Αντιμετώπισης Ψηφιακών Απειλών GR-CERT) στα πλαίσια του Money Show 2008 στις 2/2/2008 στην Αίγλη Ζαππείου.

'''18/4/2007''' - Το E-Βusiness Forum (http://www.ebusinessforum.gr/) έχει δημιουργήσει μία ομάδα εργασίας η οποία έχει αναλάβει τις "'''Προπαρασκευαστικές δράσεις για τη δημιουργία Ελληνικού Κέντρου Επείγουσας Αντιμετώπισης Ψηφιακών Απειλών (GR-CERT)'''". Πληροφορίες σχετικά με τους στόχους και τις δραστηριότητες της ομάδας υπάρχουν [http://www.ebusinessforum.gr/teams/teamsall/view/index.php?ctn=102&language=el εδώ] αλλά και [http://sense.dmst.aueb.gr/ia4/index.php/Main_Page εδώ]. Όποιος ενδιαφέρεται και μπορεί να βοηθήσει να δηλώσει συμμετοχή στις παραπάνω σελίδες ή να απευθυνθεί στο κ. Βασίλειο Βλάχο (στοιχεία επικοινωνίας υπάρχουν στα παραπάνω site).

Καταχωρήθηκε το [http://www.owasp.gr OWASP.gr]!

Με τη βοήθεια του Αναστάσιου Καζακώνη μετέφράστηκαν το "OWASP Top Ten Vulnerabilties in Web Application Security" και το OWASP AppSec FAQ στα Ελληνικά. Έτσι είναι πλέον διαθέσιμες οι ελληνικές εκδόσεις του [http://www.owasp.org/images/8/8b/OWASP_Top_Ten_2004_Greek.pdf OWASP Top Ten] και του [http://www.owasp.org/images/e/ed/OWASP_faq_Greek.pdf OWASP AppSec FAQ].

 

==== Meetings ====

== Call for Presentations ==
Anything related to '''Application''' or '''Information Security'''
*Secure Coding Practices
*Secure Application Development Lifecycle
*Penetration Testing and Exploitation
*Code Reviewing
*Projects and Tools
*Methodologies
*Best Practices

Send:
*Title
*Abstract
*Name and affiliation
*Short Bio
To: [mailto:konstantinos@owasp.org konstantinos@owasp.org]

== Meetings ==

=== '''26/4/2018''' ===
Χώρος: Υπουργείο Ψηφιακής Πολιτικής / Φραγκούδη 11 & Αλεξάνδρου Πάντου, Καλλιθέα

Περιγραφή: https://drive.google.com/file/d/1oPO_1VMcHTi_PjRaGTdDBH0OUxRVoqRA/view

=== 23/2/2017 ===
Χώρος: Lambda Space / Θεσσαλονίκη

Περιγραφή: https://www.facebook.com/events/1431147080237811

* '''Securing your WebApp Workshop by OWASP''' - Antonis Manaras (OWASP)

=== 19/4/2013 ===
Χώρος: PWC / Κηφισίας 260, Χαλάνδρι

Περιγραφή: https://www.owasp.org/images/e/e0/Training_19.04.13_ISACA_OWASP.pdf

* '''Being a spammer for 40 minutes: how spam works, why it's slowly going away and why it won't disappear''' - '''Martijn Grooten''' (Virus Bulletin)

=== 5/5/2011 ===
Χώρος: [http://www.di.uoa.gr/ Τμήμα Πληροφορικής και Τηλεπικοινωνιών/ΕΚΠΑ]

Περιγραφή: http://owaspgr02.eventbrite.com/

* '''Welcome and OWASP News''' - '''Konstantinos Papapanagiotou''' (OWASP Greek Chapter Leader/Syntax IT Inc) '''([[Media:OWASP_gr_meeting_2011_02.pdf‎|PDF]])'''
* '''Protecting the Core: Kernel Exploitation Mitigations''' - '''Patroklos Argyroudis and Dimitris Glynos''' (Census) '''([http://census.gr/media/bheu-2011-slides.pdf PDF])'''

=== 16/3/2011 ===
Χώρος: [http://www.colabworkspace.com/ coLab Athens Workspace]

Περιγραφή: http://owaspgr01.eventbrite.com/

* '''Welcome and Intro to OWASP Meetings''' '''([[Media:OWASP_gr_meeting_2011_01_intro.pdf‎‎|PDF]])'''
* '''Application Security for the Masses''' - '''Konstantinos Papapanagiotou''' (OWASP Greek Chapter Leader/Syntax IT Inc) '''([[Media:OWASP gr meeting 2011 01 appsec masses.pdf|PDF]])'''
* '''Cyberdefense and the Kobayashi Maru''' - '''Yiorgos Adamopoulos''' (TEE) '''([[Media:Adamopoulos_Cyberdefense_and_the_Kobayashi_Maru.pdf‎|PDF]])'''

 

==== Events ====

'''26/9/2009''' - Το OWASP.gr συνδιοργανώνει ένα session με θέμα Web Application Security στα πλαίσια του 4th Mediterranean Conference on Information Systems ([http://www.mcis2009.org MCIS 2009]) στις 26 Σεπτεμβρίου 2009 και ώρα 15:30 στο Οικονομικό Πανεπιστήμιο Αθηνών. Το αναλυτικό πρόγραμμα του συνεδρίου καθώς και περισσότερες πληροφορίες υπάρχουν [http://www.mcis2009.org εδώ]. Το session θα συντονίζει ο [mailto:vsvlachosATowasp.gr Βασίλης Βλάχος], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα.

'''18/3/2009''' - Συμμετοχή του OWASP.gr στην [http://www.tsomokos.gr/projects2.php EXPOSEC 2009] που θα πραγματοποιηθεί στις 17 και 18 Μαρτίου στο Ζάππειο Μέγαρο. Ο [mailto:conpapATowasp.gr Κωνσταντίνος Παπαπαναγιώτου], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα, θα συντονίσει στις 18 Μαρτίου την ενότητα "Πρότυπα και Νομικές Απαιτήσεις".

'''17 και 18/10/2008''' - Παρουσίαση του OWASP.gr στα πλαίσια του '''Athens Digital Week''' που πραγματοποιείται από τις 13 ως τις 19 Οκτωβρίου στην Τεχνόπολη στο Γκάζι (http://www.athensdigitalweek.gr). Σύμφωνα με το [http://www.athensdigitalweek.gr/el/the-core/talk-zone πρόγραμμα], η παρουσίαση θα γίνει την Παρασκευή, 17 Οκτωβρίου 2008 και ώρα 16:30 καθώς και το Σάββατο, 18 Οκτωβρίου 2008 και ώρα 18:00.

'''27/5/2008''' - Παρουσίαση του OWASP.gr στα πλαίσια του '''3ου Συνεδρίου Ελεύθερου Λογισμικού / Λογισμικού Ανοιχτού Κώδικα''' που πραγματοποιείται στις 27 και 28 Μαΐου στο Εθνικό Μετσόβειο Πολυτεχνείο (http://conf.ellak.gr). Σύμφωνα με το [http://conf.ellak.gr/2008/index.php?option=com_jcalpro&Itemid=138&extmode=week&date=2008-05-25 πρόγραμμα] του συνεδρίου, η παρουσίαση θα γίνει την Τρίτη, 27 Μαΐου 2008 και ώρα 11:15.

'''22/3/2008''' - Παρουσίαση του OWASP.gr στα πλαίσια του '''1ου Συνέδριο Κοινοτήτων Ελεύθερου Λογισμικού/Λογισμικού Ανοιχτού Κώδικα''' που διοργανώνεται στις 21 και 22 Μαρτίου στο Εθνικό Μετσόβειο Πολυτεχνείο (http://www.fosscomm.gr/). Σύμφωνα με το [http://www.fosscomm.gr/xoops20171/htdocs/uploads/programma_synedriou.html πρόγραμμα], η παρουσίαση θα γίνει στις 17:50.

'''2/2/2008''' - Παρουσίαση της ομάδας IA4 του E-Business Forum (Προπαρασκευαστικές δράσεις για τη δημιουργία Ελληνικού Κέντρου Επείγουσας Αντιμετώπισης Ψηφιακών Απειλών GR-CERT) στα πλαίσια του '''Money Show 2008'''.

==== Archive ====

== Μηνιαίο Ενημερωτικό Δελτίο ==

Καλώς ήλθατε στο μηνιαίο ενημερωτικό δελτίο της Ελληνικής ομάδας εργασίας του OWASP. Στόχος μας είναι η ενημέρωση γύρω από τα θέματα της ελληνικής επικαιρότητας που αφορούν στην ασφάλεια των εφαρμογών διαδικτύου αλλά και στην ασφάλεια γενικότερα. Αν και στο Internet υπάρχουν ήδη πολλές πηγές ενημέρωσης γύρω από θέματα ασφάλειας (π.χ. securityfocus, cryptogram, blogs, κλπ), αυτές επικεντρώνονται συνήθως στη διεθνή επικαιρότητα. Έτσι, μοιραία η ενημέρωση για τα security θέματα που αφορούν στην Ελλάδα προέρχεται από τα τοπικά ειδησεογραφικά site και μέσα.

Με το μηνιαίο αυτό newsletter στοχεύουμε στην αποτύπωση των κυριότερων θεμάτων ασφάλειας που απασχολούν την Ελληνική επικαιρότητα κάθε μήνα, αλλά και σημαντικών νέων από τη διεθνή infosec επικαιρότητα που κρίνουμε πως πρέπει να σχολιάσουμε. Παράλληλα, θα υπάρχουν ενδιαφέροντα επιστημονικά θέματα αλλά και ενημέρωση γύρω από τη δραστηριότητα του OWASP. Το newsletter θα διαμοιράζεται μέσω της mailing list του OWASP.gr, ενώ ταυτόχρονα θα δημοσιεύεται και εδώ σε μορφή pdf. Υπεύθυνος για την έκδοσή του είναι ο συνεργάτης του OWASP.gr Γιάννης Αναστασόπουλος.

Ελπίζουμε πως θα βρείτε το newsletter αυτό ενδιαφέρον και χρήσιμο. Φυσικά, βρίσκεται σε… εμβρυικό στάδιο. Για το λόγο αυτό κάθε συνεισφορά σας στη δημιουργία του θα ήταν ιδιαίτερα σημαντική, για να γίνει το newsletter πιο χρήσιμο για όλους. Έτσι, για οποιαδήποτε σχόλια, προσθήκες, προτάσεις, παρατηρήσεις ή συζητήσεις μπορείτε να απευθύνεστε στη mailing list του OWASP.gr ([mailto:owasp-greece@lists.owasp.org owasp-greece@lists.owasp.org]).

 [http://www.owasp.org/images/2/21/OWASP_gr_newsletter_1.pdf Ενημερωτικό Δελτίο νο1 - Δεκέμβριος 2006]

[http://www.owasp.org/images/0/0a/OWASP_gr_newsletter_2.pdf Ενημερωτικό Δελτίο νο2 - Ιανουάριος 2007]

[http://www.owasp.org/images/4/4e/OWASP_gr_newsletter_3.pdf Ενημερωτικό Δελτίο νο3 - Φεβρουάριος 2007]

[http://www.owasp.org/images/b/b1/OWASP_gr_newsletter_4.pdf Ενημερωτικό Δελτίο νο4 - Μάρτιος-Απρίλιος 2007]

[https://www.owasp.org/images/1/11/OWASP_gr_newsletter_5.pdf Ενημερωτικό Δελτίο νο5 - Ιανουάριος 2008]

[https://www.owasp.org/images/3/3f/OWASP_gr_newsletter_6.pdf Ενημερωτικό Δελτίο νο6 - Φεβρουάριος 2008]

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Chapter]]
[[Category:Europe]]

Greece

2017-03-17T07:06:52Z

Conpap: /* Meetings */

[[Image:Greekchapterlogo.gif]]

==== Welcome ====

{{Chapter Template|chaptername=Greece|extra=The chapter leader is [mailto:konstantinos@owasp.org Konstantinos Papapanagiotou]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-greece|emailarchives=http://lists.owasp.org/pipermail/owasp-greece}}

<paypal>Greece</paypal>

== OWASP Greek Chapter Committee ==

Chapter Leader: [mailto:conpapATowasp.gr Konstantinos Papapanagiotou]

Committee Members: [mailto:manosATowasp.gr Emmanouel Kellinis], [mailto:steliosATowasp.gr Stelios Tigkas], [mailto:vsvlachosATowasp.gr Vasileios Vlachos]

 

== Τι είναι το OWASP ==

Το ΟWASP (Open Web Application Security Project – http://www.owasp.org) αποτελεί μία πρωτοβουλία που αποσκοπεί στον εντοπισμό και στην καταπολέμηση των τρωτών σημείων του λογισμικού τέτοιων εφαρμογών. Όντας ένας μη κερδοσκοπικός οργανισμός, ακολουθεί την ιδεολογία του Ελεύθερου/Ανοικτού λογισμικού, παρέχοντας δωρεάν αλλά επαγγελματικής ποιότητας έγγραφα, εργαλεία και πρότυπα. Παράλληλα, ενισχύει τη διοργάνωση συνεδρίων και τοπικών ομάδων εργασίας (local chapters), τη δημοσίευση άρθρων και συγγραμμάτων, καθώς και την ανταλλαγή απόψεων μέσα από forums και mailing lists. Το OWASP απαριθμεί μέλη σε όλο τον πλανήτη, συμπεριλαμβανομένων μεγάλων οργανισμών και εταιριών του χώρου όπως VISA, Deloitte, Unisys, Foundstone, και άλλες.

== Η Ελληνική Κοινότητα ==

Η ελληνική ομάδα εργασίας του OWASP δημιουργήθηκε το 2005, με κύριο στόχο την ενημέρωση και την αφύπνιση της ελληνικής κοινότητας αναφορικά με τους κινδύνους ασφαλείας στις διαδικτυακές εφαρμογές. Αφορμή για τη δημιουργία της αποτέλεσαν ουσιαστικά τα ολοένα αυξανόμενα περιστατικά ασφαλείας στο διαδίκτυο, όπως τα κρούσματα phishing σε ελληνικές τράπεζες.

Σήμερα, η ελληνική ομάδα του OWASP δραστηριοποιείται σε προγράμματα Ελεύθερου/Ανοικτού λογισμικού καθώς και μεταφράσεις κειμένων του OWASP στα ελληνικά, προωθώντας την ιδέα του OWASP σε τοπικό επίπεδο. Παράλληλα, μέσα από τη mailing list της ενημερώνει και προκαλεί συζητήσεις σχετικά με επίκαιρα θέματα ασφάλειας στο διαδίκτυο, ενώ εκδίδει και μηνιαίο newsletter.

'''Η Ελληνική Ομάδα Εργασίας του OWASP χρησιμοποιεί για τις εκτυπώσεις της τον [http://www8.hp.com/in/en/products/printers/product-detail.html?oid=5261595#!tab=features HP Deskjet Ink Advantage 4625], επιτυγχάνοντας μεγάλη οικονομία στα μελάνια εκτύπωσης.'''

== Συμμετοχή ==

Η ελληνική κοινότητα του OWASP επιθυμεί να φέρει σε επαφή όλους όσους ενδιαφέρονται και προβληματίζονται για την ασφάλεια των διαδικτυακών εφαρμογών. Ταυτόχρονα, ευπρόσδεκτοι είναι και εθελοντές που προτίθενται να δουλέψουν σε προγράμματα Ελεύθερου/Ανοιχτού λογισμικού που συντονίζει το OWASP. Σας προσκαλούμε να μοιραστείτε μαζί μας ιδέες, σκέψεις και προβληματισμούς σχετικά με επιθέσεις, μεθόδους άμυνας και αντιμετώπισης, εργαλεία και βέλτιστες πρακτικές ασφάλειας στο διαδίκτυο. Ανεξάρτητα από το τεχνικό επίπεδο, το βάθος της προσέγγισης και τις χρησιμοποιούμενες μεθόδους, θα χαρούμε ιδιαίτερα αν έρθετε σε επαφή μαζί μας.

Για να εγγραφείτε στη '''mailing list''' της ελληνικής ομάδας εργασίας επισκεφθείτε [http://lists.owasp.org/mailman/listinfo/owasp-greece αυτή τη σελίδα].

== Ευχαριστίες ==

Θα θέλαμε να ευχαριστήσουμε το [http://www.di.uoa.gr Τμήμα Πληροφορικής και Τηλεπικοινωνιών] του Πανεπιστημίου Αθηνών για τη βοήθεια που παρέχει στην ελληνική ομάδα εργασίας.

[[Image:Universityofathenslogo.gif]]

Επίσης θα θέλαμε να ευχαριστήσουμε θερμά το περιοδικό [http://www.linuxinside.gr/ Linux Inside] για την υποστήριξη και την προβολή καθώς και το [http://www.zero.gr zero.gr].

[[Image:Linuxinside-logo.png]] [[Image:zerologo.png]]

==== News ====

== Ομάδες Εργασίας ==

Αυτήν την περίοδο ψάχνουμε για νέες project ιδέες. Εάν έχεις καινούρια ίδεα για κάποιο εργαλείο, στατιστικά στοιχεία για το πόσο σοβαρά λαμβάνουν στην Ελλάδα το application security οι προγραμματιστές, εταιρίες λογισμικού κτλ ή αν έχεις οποιάδηποτε άλλη ιδέα με κεντρικό θέμα το application security επικοινωνήστε μαζί μας.

== Νέα ==

'''16/3/2011''' - Η πρώτη συνάντηση θα πραγματοποιηθεί στο [http://www.colabworkspace.com/ CoLab Athens Workspace]. Περισσότερες πληφορορίες και εγγραφές [http://owaspgr01.eventbrite.com/ εδώ].

'''20/9/2009''' - Ο [mailto:vsvlachosATowasp.gr Βασίλης Βλάχος], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα, θα συντονίσει στις 26/9/2009 τη συνεδρία με θέμα Web Application Security που συνδιοργανώνει το OWASP.gr στα πλάισια του συνεδρίου 4th Mediterranean Conference on Information Systems ([http://www.mcis2009.org MCIS 2009]). Η συνεδρία θα πραγματοποιηθεί στις 26 Σεπτεμβρίου 2009 και ώρα 15:30 στο Οικονομικό Πανεπιστήμιο Αθηνών.

'''5/3/2009''' - Ο [mailto:conpapATowasp.gr Κωνσταντίνος Παπαπαναγιώτου], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα, θα συντονίσει στις 18 Μαρτίου την ενότητα "Πρότυπα και Νομικές Απαιτήσεις" στα πλαίσια της [http://www.tsomokos.gr/projects2.php EXPOSEC 2009], που διεξάγεται στις 17 και 18 Μαρτίου στο Ζάππειο Μέγαρο.

'''3/2/2009''' - Ο [mailto:conpapATowasp.gr Κωνσταντίνος Παπαπαναγιώτου], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα, έδωσε ζωντανή συνέντευξη στην εκπομπή Ατζέντα+ της ψηφιακής πλατφόρμας της ΕΡΤ (κανάλι Σπορ+/Info+), όπου μίλησε για τις δραστηριότητες του OWASP στην Ελλάδα και έδωσε απλές συμβουλές για την ασφάλεια στο Internet. Μπορείτε να παρακολουθήσετε το βίντεο της συνέντευξης [http://www.youtube.com/watch?v=q0RPKaPGICI εδώ].

'''10/10/2008''' - Το OWASP.gr συμμετέχει στο Athens Digital Week που πραγματοποιείται από τις 13 ως τις 19 Οκτωβρίου στη Τεχνόπολη στο Γκάζι (http://conf.ellak.gr).

'''30/9/2008''' - Το OWASP.gr παρουσιάζει το πρώτο Ελληνικό blog με θέμα την ασφάλεια των διαδικτυακών εφαρμογών αλλά και των υπολογιστικών συστημάτων γενικότερα. Επισκεφθείτε το επίσημο blog της Ελληνικής ομάδας εργασίας του OWASP στο: http://blog.owasp.gr.

'''5/6/2008''' - Η παρουσίαση του OWASP.gr στο 3ο Συνέδριο ΕΛ/ΛΑΚ είναι διαθέσιμη μέσα από την ενότητα [https://www.owasp.org/index.php/OWASP_Education_Presentation#Chapter_Presentations Chapter Presentations] και συγκεκριμένα [http://www.owasp.org/images/e/e5/OWASP_ellak-Greece.ppt εδώ]. Επίσης, βίντεο της παρουσίασης μπορείτε να βρείτε [http://conf.ellak.gr/2008/index.php?option=com_eventlist&Itemid=119&func=details&did=19 εδώ].

'''26/5/2008''' - Το OWASP.gr αναπτύσσει έναν Web Vulnerability Scanner. Μπορείτε να κατεβάσετε την beta έκδοσή του από [https://www.owasp.org/images/6/65/WVS_beta-0.2.1.zip εδώ].

'''15/5/2008''' - Το OWASP.gr συμμετέχει στο 3ο Συνέδριο ΕΛ/ΛΑΚ που πραγματοποιείται στις 27 και 28 Μαΐου στο Εθνικό Μετσόβιο Πολυτεχνείο (http://conf.ellak.gr).

'''20/2/2008''' - Το OWASP.gr συμμετέχει στο 1ο Συνέδριο Κοινοτήτων Ελεύθερου Λογισμικού/Λογισμικού Ανοιχτού Κώδικα που διοργανώνεται στις 21 και 22 Μαρτίου στο Εθνικό Μετσόβειο Πολυτεχνείο (http://www.fosscomm.gr/).

'''2/2/2008''' - Το OWASP.gr συμμετέχει στην παρουσίαση της ομάδας IA4 του E-Business Forum (Προπαρασκευαστικές δράσεις για τη δημιουργία Ελληνικού Κέντρου Επείγουσας Αντιμετώπισης Ψηφιακών Απειλών GR-CERT) στα πλαίσια του Money Show 2008 στις 2/2/2008 στην Αίγλη Ζαππείου.

'''18/4/2007''' - Το E-Βusiness Forum (http://www.ebusinessforum.gr/) έχει δημιουργήσει μία ομάδα εργασίας η οποία έχει αναλάβει τις "'''Προπαρασκευαστικές δράσεις για τη δημιουργία Ελληνικού Κέντρου Επείγουσας Αντιμετώπισης Ψηφιακών Απειλών (GR-CERT)'''". Πληροφορίες σχετικά με τους στόχους και τις δραστηριότητες της ομάδας υπάρχουν [http://www.ebusinessforum.gr/teams/teamsall/view/index.php?ctn=102&language=el εδώ] αλλά και [http://sense.dmst.aueb.gr/ia4/index.php/Main_Page εδώ]. Όποιος ενδιαφέρεται και μπορεί να βοηθήσει να δηλώσει συμμετοχή στις παραπάνω σελίδες ή να απευθυνθεί στο κ. Βασίλειο Βλάχο (στοιχεία επικοινωνίας υπάρχουν στα παραπάνω site).

Καταχωρήθηκε το [http://www.owasp.gr OWASP.gr]!

Με τη βοήθεια του Αναστάσιου Καζακώνη μετέφράστηκαν το "OWASP Top Ten Vulnerabilties in Web Application Security" και το OWASP AppSec FAQ στα Ελληνικά. Έτσι είναι πλέον διαθέσιμες οι ελληνικές εκδόσεις του [http://www.owasp.org/images/8/8b/OWASP_Top_Ten_2004_Greek.pdf OWASP Top Ten] και του [http://www.owasp.org/images/e/ed/OWASP_faq_Greek.pdf OWASP AppSec FAQ].

 

==== Meetings ====

== Call for Presentations ==
Anything related to '''Application''' or '''Information Security'''
*Secure Coding Practices
*Secure Application Development Lifecycle
*Penetration Testing and Exploitation
*Code Reviewing
*Projects and Tools
*Methodologies
*Best Practices

Send:
*Title
*Abstract
*Name and affiliation
*Short Bio
To: [mailto:konstantinos@owasp.org konstantinos@owasp.org]

== Meetings ==

=== 23/2/2017 ===
Χώρος: Lambda Space / Θεσσαλονίκη

Περιγραφή: https://www.facebook.com/events/1431147080237811

* '''Securing your WebApp Workshop by OWASP''' - Antonis Manaras (OWASP)

=== 19/4/2013 ===
Χώρος: PWC / Κηφισίας 260, Χαλάνδρι

Περιγραφή: https://www.owasp.org/images/e/e0/Training_19.04.13_ISACA_OWASP.pdf

* '''Being a spammer for 40 minutes: how spam works, why it's slowly going away and why it won't disappear''' - '''Martijn Grooten''' (Virus Bulletin)

=== 5/5/2011 ===
Χώρος: [http://www.di.uoa.gr/ Τμήμα Πληροφορικής και Τηλεπικοινωνιών/ΕΚΠΑ]

Περιγραφή: http://owaspgr02.eventbrite.com/

* '''Welcome and OWASP News''' - '''Konstantinos Papapanagiotou''' (OWASP Greek Chapter Leader/Syntax IT Inc) '''([[Media:OWASP_gr_meeting_2011_02.pdf‎|PDF]])'''
* '''Protecting the Core: Kernel Exploitation Mitigations''' - '''Patroklos Argyroudis and Dimitris Glynos''' (Census) '''([http://census.gr/media/bheu-2011-slides.pdf PDF])'''

=== 16/3/2011 ===
Χώρος: [http://www.colabworkspace.com/ coLab Athens Workspace]

Περιγραφή: http://owaspgr01.eventbrite.com/

* '''Welcome and Intro to OWASP Meetings''' '''([[Media:OWASP_gr_meeting_2011_01_intro.pdf‎‎|PDF]])'''
* '''Application Security for the Masses''' - '''Konstantinos Papapanagiotou''' (OWASP Greek Chapter Leader/Syntax IT Inc) '''([[Media:OWASP_gr_meeting_2011_01_appsec_masses.pdf|PDF]])'''
* '''Cyberdefense and the Kobayashi Maru''' - '''Yiorgos Adamopoulos''' (TEE) '''([[Media:Adamopoulos_Cyberdefense_and_the_Kobayashi_Maru.pdf‎|PDF]])'''

 

==== Events ====

'''26/9/2009''' - Το OWASP.gr συνδιοργανώνει ένα session με θέμα Web Application Security στα πλαίσια του 4th Mediterranean Conference on Information Systems ([http://www.mcis2009.org MCIS 2009]) στις 26 Σεπτεμβρίου 2009 και ώρα 15:30 στο Οικονομικό Πανεπιστήμιο Αθηνών. Το αναλυτικό πρόγραμμα του συνεδρίου καθώς και περισσότερες πληροφορίες υπάρχουν [http://www.mcis2009.org εδώ]. Το session θα συντονίζει ο [mailto:vsvlachosATowasp.gr Βασίλης Βλάχος], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα.

'''18/3/2009''' - Συμμετοχή του OWASP.gr στην [http://www.tsomokos.gr/projects2.php EXPOSEC 2009] που θα πραγματοποιηθεί στις 17 και 18 Μαρτίου στο Ζάππειο Μέγαρο. Ο [mailto:conpapATowasp.gr Κωνσταντίνος Παπαπαναγιώτου], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα, θα συντονίσει στις 18 Μαρτίου την ενότητα "Πρότυπα και Νομικές Απαιτήσεις".

'''17 και 18/10/2008''' - Παρουσίαση του OWASP.gr στα πλαίσια του '''Athens Digital Week''' που πραγματοποιείται από τις 13 ως τις 19 Οκτωβρίου στην Τεχνόπολη στο Γκάζι (http://www.athensdigitalweek.gr). Σύμφωνα με το [http://www.athensdigitalweek.gr/el/the-core/talk-zone πρόγραμμα], η παρουσίαση θα γίνει την Παρασκευή, 17 Οκτωβρίου 2008 και ώρα 16:30 καθώς και το Σάββατο, 18 Οκτωβρίου 2008 και ώρα 18:00.

'''27/5/2008''' - Παρουσίαση του OWASP.gr στα πλαίσια του '''3ου Συνεδρίου Ελεύθερου Λογισμικού / Λογισμικού Ανοιχτού Κώδικα''' που πραγματοποιείται στις 27 και 28 Μαΐου στο Εθνικό Μετσόβειο Πολυτεχνείο (http://conf.ellak.gr). Σύμφωνα με το [http://conf.ellak.gr/2008/index.php?option=com_jcalpro&Itemid=138&extmode=week&date=2008-05-25 πρόγραμμα] του συνεδρίου, η παρουσίαση θα γίνει την Τρίτη, 27 Μαΐου 2008 και ώρα 11:15.

'''22/3/2008''' - Παρουσίαση του OWASP.gr στα πλαίσια του '''1ου Συνέδριο Κοινοτήτων Ελεύθερου Λογισμικού/Λογισμικού Ανοιχτού Κώδικα''' που διοργανώνεται στις 21 και 22 Μαρτίου στο Εθνικό Μετσόβειο Πολυτεχνείο (http://www.fosscomm.gr/). Σύμφωνα με το [http://www.fosscomm.gr/xoops20171/htdocs/uploads/programma_synedriou.html πρόγραμμα], η παρουσίαση θα γίνει στις 17:50.

'''2/2/2008''' - Παρουσίαση της ομάδας IA4 του E-Business Forum (Προπαρασκευαστικές δράσεις για τη δημιουργία Ελληνικού Κέντρου Επείγουσας Αντιμετώπισης Ψηφιακών Απειλών GR-CERT) στα πλαίσια του '''Money Show 2008'''.

==== Archive ====

== Μηνιαίο Ενημερωτικό Δελτίο ==

Καλώς ήλθατε στο μηνιαίο ενημερωτικό δελτίο της Ελληνικής ομάδας εργασίας του OWASP. Στόχος μας είναι η ενημέρωση γύρω από τα θέματα της ελληνικής επικαιρότητας που αφορούν στην ασφάλεια των εφαρμογών διαδικτύου αλλά και στην ασφάλεια γενικότερα. Αν και στο Internet υπάρχουν ήδη πολλές πηγές ενημέρωσης γύρω από θέματα ασφάλειας (π.χ. securityfocus, cryptogram, blogs, κλπ), αυτές επικεντρώνονται συνήθως στη διεθνή επικαιρότητα. Έτσι, μοιραία η ενημέρωση για τα security θέματα που αφορούν στην Ελλάδα προέρχεται από τα τοπικά ειδησεογραφικά site και μέσα.

Με το μηνιαίο αυτό newsletter στοχεύουμε στην αποτύπωση των κυριότερων θεμάτων ασφάλειας που απασχολούν την Ελληνική επικαιρότητα κάθε μήνα, αλλά και σημαντικών νέων από τη διεθνή infosec επικαιρότητα που κρίνουμε πως πρέπει να σχολιάσουμε. Παράλληλα, θα υπάρχουν ενδιαφέροντα επιστημονικά θέματα αλλά και ενημέρωση γύρω από τη δραστηριότητα του OWASP. Το newsletter θα διαμοιράζεται μέσω της mailing list του OWASP.gr, ενώ ταυτόχρονα θα δημοσιεύεται και εδώ σε μορφή pdf. Υπεύθυνος για την έκδοσή του είναι ο συνεργάτης του OWASP.gr Γιάννης Αναστασόπουλος.

Ελπίζουμε πως θα βρείτε το newsletter αυτό ενδιαφέρον και χρήσιμο. Φυσικά, βρίσκεται σε… εμβρυικό στάδιο. Για το λόγο αυτό κάθε συνεισφορά σας στη δημιουργία του θα ήταν ιδιαίτερα σημαντική, για να γίνει το newsletter πιο χρήσιμο για όλους. Έτσι, για οποιαδήποτε σχόλια, προσθήκες, προτάσεις, παρατηρήσεις ή συζητήσεις μπορείτε να απευθύνεστε στη mailing list του OWASP.gr ([mailto:owasp-greece@lists.owasp.org owasp-greece@lists.owasp.org]).

 [http://www.owasp.org/images/2/21/OWASP_gr_newsletter_1.pdf Ενημερωτικό Δελτίο νο1 - Δεκέμβριος 2006]

[http://www.owasp.org/images/0/0a/OWASP_gr_newsletter_2.pdf Ενημερωτικό Δελτίο νο2 - Ιανουάριος 2007]

[http://www.owasp.org/images/4/4e/OWASP_gr_newsletter_3.pdf Ενημερωτικό Δελτίο νο3 - Φεβρουάριος 2007]

[http://www.owasp.org/images/b/b1/OWASP_gr_newsletter_4.pdf Ενημερωτικό Δελτίο νο4 - Μάρτιος-Απρίλιος 2007]

[https://www.owasp.org/images/1/11/OWASP_gr_newsletter_5.pdf Ενημερωτικό Δελτίο νο5 - Ιανουάριος 2008]

[https://www.owasp.org/images/3/3f/OWASP_gr_newsletter_6.pdf Ενημερωτικό Δελτίο νο6 - Φεβρουάριος 2008]

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Chapter]]
[[Category:Europe]]

GSoC2016 Ideas

2016-02-24T07:14:16Z

Conpap: Created page with "Oops! Typo! You can find the OWASP GSOC 2016 Ideas page here: https://www.owasp.org/index.php/GSOC2016_Ideas"

Oops! Typo!
You can find the OWASP GSOC 2016 Ideas page here: https://www.owasp.org/index.php/GSOC2016_Ideas

GSOC2016 Ideas

2016-02-18T07:09:40Z

Conpap:

=OWASP Project Requests=

'''Tips to get you started in no particular order:'''
* Read the [[GSoC SAT]]
* Check the Hackademic wiki page linked above
* Contact us through the mailing list or irc channel.
* Check our [https://github.com/Hackademic/hackademic github repository] and especially the [https://github.com/Hackademic/hackademic/issues open tickets]

== OWASP Hackademic Challenges ==

[[OWASP Hackademic Challenges Project]] helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. After a wonderfull 2014 GSoC with 100 new challenges and a couple of new plugins we're mainly looking to get new features in and maybe a couple of challenges. Bellow is a list of proposed features.

=== REST API for the sandbox ===

'''Brief Explanation:'''

During the last summer code sprint Hackademic got challenge sandboxing in the form of vagrant and docker wrappers as well as an engine to start and stop the container or vm instances.
What is needed now is a rest api which supports endpoint authentication and authorization which enables the sandbox engine to be completely independed from the rest of the project.

Ideas on the project:
Since the sandbox is written in python, you can use microframeworks such as flask to implement the api.
The endpoint authorization can be done via certificates or plain signature or username/password type authentication.
However the communication between the two has to be over a secure channel.

'''Expected Results:'''
* A REST style api which allows an authenticated remote entity control the sandbox engine.
* PEP8 compliant code
* Acceptable unit test coverage

'''Knowledge Prerequisites:'''

Python, test driven developmen, some idea what REST is, some security knowledge would be preferable.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== New CMS ===

'''Brief Explanation:'''

The CMS part of the project is really old and has accumulated a significant amount of technical debt.
In addition many design decisions are either outdated or could be improved.
Therefore it may be a good idea to leverage the power of modern web frameworks to create a new CMS.
The new cms can be written in php or python using any compoennts we agree are necesary and based on the framework we agree on.

'''Expected Results:'''
* New cms with same functionality as the old one (3 types of users -- student, teacher, admin--, 3 types of resources -- article challenge, class--, ACL type permissions, CRUD operations on every resource/user, all functionality can be extended by Plugins.
* REST endpoints in addition to classic ones
* tests covering all routes implemented
* PSR/PEP 8 code

''' Note: '''
This is a huge project, it is ok if the student implements a part of it. However whatever implemented must be up to spec.
If you decide to take on this project contact us and we can agree on a list of routes.
If you don't decide to take on this project contact us.
Generally contact us, we like it when students have insightful questions and the community is active

'''Knowledge Prerequisites:'''
Python or PHP, the framework suggested, what REST is, the technologies used, some security knowledge would be nice.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== First Course Type Challenge ===

'''Brief Explanation:'''
We have a wonderful sandbox engine which allows for complex guided challenges to be implemented.
We'd like to build a challenge that guides the user through a series of steps to an end goal and teaches more information on the subject matter on the way.
This is a very open-ended project on purpose to allow creative student to come up with nice ideas.
Bellow you will find some examples that we thought might be interesting.

Ideas on the project:
* Purposefully vulnerable web page that guides the user via javascript tooltips and hints to exploiting it using ZAP. ( Bonus: using ZAP via the ZAP api). The challenge is solved when the the student submits the contents of a text file located on the disk (obtained by exploited an RCE)

* Reversing a provided binary to extract information by providing step by step instructions to reversing using any popular reversing tool (well, you can't use IDA so gdb should have to do). Challenge is solved when the keys are extracted from the binary and submitted. Bonus points if each binary donwloaded has different keys.

* Guide to exploiting the TOP10. (Using ZAP?)

* Defensive Type challenges -- Here's how to create a patch for this kind of vulnerability -- Challenge is solved when the unit tests are run and the vulnerability isn't there.

'''Expected Results:'''

* One or more Course - style challenges provided either as a docker container or as a vagrant box.
* Concrete documentation on how to build a challenge like this.

'''Knowledge Prerequisites:'''
The technologies used.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== Advanced Sandboxed Challenges ===

'''Brief Explanation:'''

In the spirit of the challenges above, we're looking for true ctf type challenges.
This is an open ended task. We're expecting awesome fresh ideas.

Ideas on the project:
* An application vulnerable to one or more TOP 10 elements.
* A logic flaws based ctf
* Your idea here

'''Expected Results:'''
Docker containers or Vagrant boxes that contain complete new challenges.

'''Knowledge Prerequisites:'''
Knowledge of the technologies used

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== Your idea ===

'''Brief Explanation:'''

Amazing students, in our experience the best, most creative and unique ideas show up when we let students suggest their own feature in relation to the project.
The above should give you a general idea where we're going but don't let them constrain you.
Do you wanna do something that would fit into Hackademic? Send us an email!

Ideas on the project:
No idea, that's your turn to shine!

'''Expected Results:'''
If it's code, code according to our coding standards.
If it's challenges, something new and interesting.
If it's something else, then written like the person who's going to maintain your code is a raging psychopath with an axe who knows where you live.

In short we'd like some quality. ;-)

'''Knowledge Prerequisites:'''

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

== OWASP OWTF ==

=== OWASP OWTF - VMS - OWTF Vulnerability Management System ===

'''Brief explanation:'''

Background problem to solve:

We are trying to reduce the human work burden where there will be hundreds of issues listing apache out of date or php out of date.

Proposed solution:

We can meta aggregate these duplicate issues into one issue of "outdated software / apache / php detected". with XYZ list of issues in them.

A separate set of scripts that allows for grouping and management of vulnerabilities (i.e. think huge assessments), to be usable *both* from inside + outside of OWTF in a separate sub-repo here: https://github.com/owtf

VMS will have the following features:
* Vulnerability correlation engine which will allow for quick identification of unique vulnerability and deduplication.
* Vulnerability table optimization : combining redundant vulnerabilities like example : PHP <5.1 , PHP < 5.2 , PHP < 5.3 all suggest upgrade php so if multiple issues are reported they should be combined.
* Integration with existing bug tracking system like example bugzilla, jira : Should not be too hard as all such system have one or the other method exposed (REST API or similar)
* Fix Validation : Since we integrate with bug tracking once dev fixed the bug and code deployed we can run specific checks via * OWTF or other tool (may be specific nessus or nexpose plugin or similar.)
* Management Dashboard : Could be exposed to Pentester, Higher Management where stats are shown with lesser details but more of high level overview.

[http://www.slideshare.net/null0x00/nessus-and-reporting-karma Similar previous work for Nessus]

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - HTTP Request Translator Improvements ===

'''Brief explanation:'''

Problem to solve:

There are many situations in web app pentests where just no tool will do the job and you need to script something, or mess around with the command line (classic example: sequence of steps where each step requires input from the previous step). In these situations, translating an HTTP request or a sequence of HTTP requests, takes valuable time which the pentester might just not really have.

Proposed solution:

An HTTP request translator, a *standalone* *tool* that can:

1) Be used from inside OR outside of OWTF.

2) Translate raw HTTP requests into curl commands or bash/python/php/ruby/PowerShell scripts

3) Provide essential quick and dirty transforms: base64 (encode/decode), urlencode (encode/decode)
* Transforms with boundary strings? (TBD)
* Individually or in bulk? (TBD)

'''Essential Function: "--output" argument'''

CRITICAL: The command/script should be generated so that the request is sent as literally as possible.

Example: NO client specific headers are sent. IF the original request had "User-Agent: X", the generated command/script should have EXACTLY that (i.e. NOT a curl user agent, etc.). Obviously, the same applies to ALL other headers.

NOTE: Ideally the following should be implemented using an extensible plugin architecture (i.e. NEW plugins are EASY to add)
* http request in => curl command out
* http request in => bash script out
* http request in => python script out
* http request in => php script out
* http request in => ruby script out
* http request in => PowerShell script out

'''Basic additional arguments:'''

- "--proxy" argument: generates the command/script with the relevant proxy option

NOTE: With this the command/script may send requests through a MiTM proxy (i.e. OWTF, ZAP, Burp, etc.)

- "--string-search" argument: generates the command/script so that it:

1) performs the request

2) then searches for something in the response (i.e. literal match)

- "--regex-search" argument: generates the command/script so that it:
1) performs the request

2) then searches for something in the response (i.e. regex match)

'''OWTF integration'''

The idea here, is to invoke this tool from:

1) Single HTTP transactions:

For example, have a button to "export http request" + then show options equivalent to the flags

2) Multiple HTTP transactions:

Same as with Single transactions, but letting the user "select a number of transactions" first (maybe a checkbox?).

'''Desired input formats:'''

* Read raw HTTP request from stdin -Suggested default behaviour! :)-

Example: cat path/to/http_request.txt | http-request-translator.py --output

* Interactive mode: read raw HTTP request from keyboard + "hit enter when ready"

Suggestion: This could be a "-i" (for "interactive") flag and/or the fallback option when "stdin is empty"

Example:

1) User runs tool with desired flags (i.e. "--output ruby --proxy 127.0.0.1:1234 ...", etc.)

2) Tool prints: "Please paste a raw HTTP request and hit enter when ready"

3) User pastes a raw HTTP requests + hits enter

4) Tool outputs whatever is relevant for the flags + http request given

* For bulk processing: Maybe a directory of raw http request files?

'''Nice to have: Transforms'''

In the context of translating raw HTTP requests into commands/scripts, what we want here is to provide some handy "macros" so that the relevant command/script is generated accordingly.

Example:

NOTE: Assume something like the following arguments: "--transform-boundary=@@@@@@@ --transform-language=php"

Step 1) The user provides a raw HTTP request like this:

GET /path/to/urlencode@@@@@@@abc d@@@@@@@/test
Host: target.com
...

Step 2) The tool generates a bash script like the following:

#!/bin/bash

PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));")
curl ...... "http://target.com/path/to/$PARAM1/test"

OR a "curl command" like the following:
PARAM1=$(echo 'abc d' | php -r "echo urlencode(fgets(STDIN));"); curl ...... "http://target.com/path/to/$PARAM1/test"

This feature can be valuable to shave a bit more time in script writing.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - JavaScript Library Sniper Improvements ===

'''Brief explanation:'''
This is a project that tries to resolve a very common problem during penetration tests:

The customer is running a number of outdated JavaScript Libraries, but there is just not enough time to determine if something useful -i.e. something *really* bad! :)- can be done with that or not.

To solve this problem, we propose a *standalone* *tool* that can:

1) Be run BOTH from inside AND outside of OWTF

2) Build and *update* a fingerprint JavaScript library database of:
* Library File hashes => JavaScript Library version
* Library File lengths => JavaScript Library version
* (Nice to have:) As above, but for each individual github commit (possible drawback: too big?)

3) Build and *update* a vulnerability database of:
* JavaScript Library version => CVE - CVSS score - Vulnerability info

4) Given a [ JavaScript file OR hash OR length ], found in the database, provides:
* JavaScript Library version
* List of vulnerabilities sorted in descending CVSS score order

5) (very cool to have) Given a list of JavaScript files (maybe a directory), provides:
* ALL Library/vulnerability matches described on 4)

Once the standalone tool is built and verified to be working, OWTF should be able to:

Feature 1) GREP plugin improvement (Web Application Fingerprint):

Step 1) Lookup file lengths and hashes in the "JavaScript library database"

Step 2) If a match is found: provide the list of known vulnerabilities against "JavaScript library X" to the user

Feature 2) SEMI-PASSIVE plugin improvement (Web Application Fingerprint):

1) Requests all referenced BUT missing JavaScript files -i.e. scanners won't load JavaScript files! :)-

2) re-runs the GREP plugin on the new files (i.e. to avoid missing vulns due to unrequested JavaScript files)

Potential projects worth having a look for potential overlap/inspiration:
* [https://owasp.org/index.php/OWASP_Dependency_Check OWASP Dependency Check?]

How many JavaScript libraries should be included?
* As many as possible, but especially the major ones: jQuery, knockout, etc.
* "Nirvana" Nice to have: ALL Individual versions of ALL JavaScript files from ALL opensource projects, (ideally) even if the project is not a JavaScript library -i.e. JavaScript files from Joomla, Wordpress, etc.-

Common JavaScript library fingerprinting techniques include:
* Parse the JavaScript file and grab the version from there
* Determine the JavaScript version based on a hash of the file
* Determine the JavaScript version based on the length of the file

Other Challenges:
* "the file" could be "the minimised file", "the expanded file" or even "a specific JavaScript file from Library X"
* When the JavaScript file does not match a specific version:
1) The commit that matches the closest should (ideally) be found
2) The NEXT library version after that commit (if present) should be found
3) From there, it is about reusing the knowledge to figure out public vulnerabilities, CVSS scores, etc. again

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Off-line HTTP traffic uploader ===

'''Brief explanation:'''

Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:

* Tools that OWTF has trouble proxying right now: skipfish, hoppy
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler

This project is about implementing an off-line utility able to parse HTTP traffic:

1) Figure out how to read output files from various tools like:
skipfish, hoppy, w3af, arachni, etc.
Nice to have: ZAP database, Burp database

2) Translate that into the following clearly defined fields:

* HTTP request
* HTTP response status code
* HTTP response headers
* HTTP response body

3) IMPORTANT: Implement a plugin-based uploader system

4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database

5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.

6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)

Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)

CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Health Monitor ===

'''Brief explanation:'''

In some cases, especially on large assessments (think: > 30 URLs) a number of things often go wrong and OWTF needs to recover from everything, which is difficult.

For this reason, OWTF needs an independent module, which is completely detached from OWTF (a different process), to ensure the health of the assessment is in check at all times, this includes the following:

'''Feature 1) Alerting mechanisms'''

When any of the monitor alerts (see below) is triggered. The OWTF user will be notified immediately through ALL of the following means:
* Playing an mp3 song (both local and possibly remote locations)
* Scan status overview on the CLI
* Scan status overview on the GUI

NOTE: A configuration file from where the user can enable/disable/configure all these mechanisms is desired.

'''Feature 2) Corrective mechanisms'''

Corrective mechanisms are also expected in this project, these will be accomplished sending OWTF api messages such as:
* Stop this tool
* Freeze this process (to continue later)
* Freeze the whole scan (to continue later)

Additional mechanisms:
* Show a ranking of files that take the most space

'''Feature 3) Target monitor'''

Brief overview:

All target URLs are checked for availability periodically (i.e. once x 5 minutes?), if a URL in scope goes down the pentester is alerted (see above).

Potential approach: Check if length of 1st page changes every 60 seconds.

NOTE: It might be needed to change this on the fly.

More background

Consider the following scenario:

Current Situation aka "problem to solve":

1) Website X goes down during a scan

2) the customer notices

3) the customer tells the boss

4) the boss tells the pentester

5) the pentester stops the tool which was *still* trying to scan THAT target (!!!!)

Desired situation aka "solution":

It would be much more professional AND efficient that:

1) The pentester notices

2) The pentester tells the boss

3) The boss tells the customer

4) OWTF stops the tool because it knows that website is DEAD anyway

A target monitor could easily do this with heartbeat requests + playing mp3s

The target monitor will use the api to tell OWTF "this target is dead: freeze(stop?) current tests, skip target in future tests"

'''Feature 4) Disk space monitor'''

Another problem that is relatively common in large assessments, is that all disk space is used and the scanning box becomes unresponsive or crashes. When this happens it is too late, the pentester may also see this coming but wonder “which are the biggest files in the filesystem that I can delete”, it is not ideal to have to look for these files in a moment when the scanning box is about to crash :).

Proposed solution:

Regularly monitor how much disk space is left, especially on the partition where OWTF is writing the review (but also tool directories such as /home/username/.w3af/tmp, etc.). Keep track of files created by OWTF and all called tools and sort them by size in descending order. Then when the disk space is going low (i.e. predefined threshold), an mp3 or similar is played and this list is displayed to the user, so that they know what to delete to survive :).

'''Feature 5) Network/Internet Connectivity monitor'''

Sometimes it may also happen that ISP, etc. connectivity go down in the middle of a scan, this is often a very unfortunate situation since most tools are scanning in parallel and they won’t be able to produce a report OR even resume (i.e. A LOT is lost). The goal here is that OWTF does all of the following automatically:

1) Detects the lack of connectivity

2) Freezes all the tools (read: processes) in progress

3) Resumes the scan when the connectivity is back.

'''Feature 6) Tool crash detection'''

Sometimes, certain tools (most notably, ahem, w3af), when they crash they do NOT exit. This leaves OWTF in a difficult position where 1+ process is waiting for nothing, forever (i.e. because “Tool X” will never finish)

'''Feature 7) Tool (Plugin?) CPU/RAM/Bandwidth abuse detection and correction'''

OWTF needs to notice when some tools crash and/or “go beserk” with RAM/CPU/Bandwidth consumption, this is different from the existing built-in checks in OWTF like “do not launch a new tool if there is less than XYZ RAM free” and more like “if tool X is using > XYZ of the available RAM/CPU/Bandwidth” and this is (potentially) negatively affecting other tools/tests, then throttle it.

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* CRITICAL: Excellent reliability -i.e. the Health Monitor cannot crash! :)-
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Installation Improvements and Package manager ===

'''Brief explanation:'''

This project is to implement what was suggested in the following github issue:
[https://github.com/owtf/owtf/issues/192 https://github.com/owtf/owtf/issues/192]

Recently i tried to make a fresh installation of OWTF. The installation process takes too much time. Is there any way to make the installation faster?
Having a private server with:
* pre-installed files for VMs
* pre-configured and patched tools
* Merged Lists
* Pre-configured certificates
Additionally a minimal installation which will install the core of OWTF with the option of update can increase the installation speed. The update procedure will start fetching the latest file versions from the server and copy them to the right path.
Additional ideas are welcome.

-- They could be hosted on Dropbox or a private VPS :)

2 Installation Modes
* For high speed connections (Downloading the files uncompressed)
* For low speed connections (Downloading the files compressed)
and the installation crashed because i runned out of space in the vm
IMPORTANT NOTE: OWTF should check the available disk space BEFORE installation starts + warn the user if problems are likely

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* Excellent reliability (i.e. proper exception handling, etc.)
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python and bash experience would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Testing Framework Improvements ===

'''Brief explanation:'''

As OWASP OWTF grows it makes sense to build custom unit tests to automatically re-test that functionality has not been broken. In this project we would like to improve the existing unit testing framework so that creating OWASP OWTF unit tests is as simple as possible and all missing tests for new functionality are created. The goal of this project is to update the existing Unit Test Framework to create all missing tests as well as improve the existing ones to verify OWASP OWTF functionality in an automated fashion.

'''Top features'''

In this improvement phase, the Testing Framework should:
* (Top Prio) Focus more on functional tests
For example: Improve coverage of OWASP Testing Guide, PTES, etc. (lots of room for improvement there!)
* (Top Prio) Put together a great wiki documentation section for contributors
The goal here is to help contributors write tests for the functionality that they implement. This should be as easy as possible.
* (Top Prio) Fix the current Travis issues :)
* (Nice to have) Bring the unit tests up to speed with the codebase
This will be challenging but very worth trying after top priorities.
The wiki should be heavily updated so that contributors create their own unit tests easily moving forward.

'''General background'''

The Unit Test Framework should be able to:
* Define test categories: For example, "all plugins", "web plugins", "aux plugins", "test framework core", etc. (please see [http://www.slideshare.net/abrahamaranguren/introducing-owasp-owtf-workshop-brucon-2012 this presentation] for more background)
* Allow to regression test isolated plugins (i.e. "only test _this_ plugin")
* Allow to regression test by test categories (i.e. "test only web plugins")
* Allow to regression test everything (i.e. plugins + framework core: "test all")
* Produce meaningful statistics and easy to navigate logs to identify which tests failed and ideally also hints on how to potentially fix the problem where possible
* Allow for easy creation of _new_ unit tests specific to OWASP OWTF
* Allow for easy modification and maintenance of _existing_ unit tests specific to OWASP OWTF
* Perform well so that we can run as many tests as possible in a given period of time
* Potentially leverage the python unittest library: [http://docs.python.org/2/library/unittest.html http://docs.python.org/2/library/unittest.html]

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* Performant and automated regression testing
* Unit tests for a wide coverage of OWASP OWTF, ideally leveraging the Unit Test Framework where possible
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

=== OWASP OWTF - Tool utilities module ===

'''Brief explanation:'''

The spirit of this feature is something that may or may not be used from OWTF: These are utilities that may be chained together by OWTF OR a penetration tester using the command line. The idea is to automate mundane tasks that take time but may provide a lever to a penetration tester short on time.

'''Feature 1) Vulnerable software version database:'''

Implement a searchable vulnerable software version database so that a penetration tester enters a version and gets vulnerabilities sorted by criticality with MAX Impact vulnerabilities at the top (possibly: CVSS score in DESC order).

Example:
[http://www.cvedetails.com/vulnerability-list.php?vendor_id=74&product_id=128&version_id=149817&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=17&sha=0d26af6f3ba8ea20af18d089df40c252ea09b711 Vulnerabilities against specific software version]

'''Feature 2) Nmap output file merger:'''

Unify nmap files *without* losing data: XML, text and greppable formats
For example: Sometimes 2 scans pass through the same port, one returns the server version, the other does not, we obviously do not want to lose banner information :).

'''Feature 3) Nmap output file vulnerability mapper'''

From an nmap output file, get the unique software version banners, and provide a list of (maybe in tabs?):

1) CVEs in reverse order of CVSS score, with links.

2) Metasploit modules available for each CVE / issue

NOTE: Can supply an *old* shell script for reference

3) Servers/ports affected (i.e. all server / port combinations using that software version)

'''Feature 4) URL target list creator:'''

Turn all “speaks http” ports (from any nmap format) into a list of URL targets for OWTF

'''Feature 5) Hydra command creator:'''

nmap file in => Hydra command list out

grep http auth / login pages in output files to identify login interfaces => Hydra command list out

'''Feature 6) WP-scan command creator:'''

look at all URLs (i.e. nmap file), check if they might be running word press, generate a list of suggested wp-scan commands for all targets that might be running word press

For background on OWASP OWTF please see: [https://www.owasp.org/index.php/OWASP_OWTF https://www.owasp.org/index.php/OWASP_OWTF]

'''Expected results:'''

* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''
* Excellent reliability (i.e. proper exception handling, etc.)
* Good performance
* Unit tests / Functional tests
* Good documentation

'''Knowledge Prerequisite:'''

Python, experience with unit tests and automated regression testing would be beneficial, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn

'''OWASP OWTF Mentor:'''

Abraham Aranguren, Bharadwaj Machiraju - OWASP OWTF Project Leaders - Contact: Abraham.Aranguren@owasp.org, bharadwaj.machiraju@gmail.com

''' OWASP Mentors '''

== OWASP ZAP ==

We are in the process of deciding the set of ZAP projects for Google Summer of Code 2015.

You can follow (and join in) the discussions on the ZAP Developer Group: https://groups.google.com/d/msg/zaproxy-develop/Uy0JPkzsI_s/Bj7OTSkISCIJ

=== Example Idea ===

Currently ZAP provides only a limited set of report data. While this can be extended dynamically this feature is not currently used, and there is no way for users to choose what data they get back. It also provides a set of API calls, some of which return data that could be incorporated into reports, and some of which allow the fixed report to be accessed.

==== Expected Results ====

* Report data will be a distinct type of data returned via API calls
* An add-on that provides report data - so this becomes 'plug-able'
* Report data and meta data should be fully internationalized
* Users can specify which sites / contexts report data should apply to

==== Knowledge Prerequisite: ====
ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

==== Mentors ====
Simon Bennetts

== OWASP AppSensor ==

[[OWASP AppSensor Project]] provides real-time application layer intrusion detection. The software has recently hit v2.0. We have some ambitious plans across a variety of areas for the next year to build on the recent momentum.

* Check the AppSensor wiki page linked above
* Contact us through the mailing list.
* Check our [https://github.com/jtmelton/appsensor github repository] and the [https://github.com/jtmelton/appsensor/issues open tickets]
* Also see our [http://www.appsensor.org appsensor website]

=== Example Idea ===

'''Brief Explanation:'''

This is a feature request that's been driven by the community. AppSensor provides great utility by allowing applications to defend themselves. AppSensor can/will also provide a UI (another possible GSOC project) to view and manage the information produced by the applications. However, larger organizations often already have a system in place for managing system security alerts. It would provide a lot of value if we can integrate with those systems and data formats. This project will involve a bit of up-front research, then primarily systems integration work.

'''Expected Results:'''

We want to support a number of integrations. Some that have been requested by our community are:
* SNMP
* JMX
* SCOM
* syslog
* CEF
* AppDynamics

Source code and associated tests for these integrations will be created, along with the associated end user documentation for how to setup and configure them.

'''Knowledge Prerequisites:'''

Comfortable in Java and unit testing.

'''Mentors:''' John Melton - OWASP AppSensor Project Leader (Development)

== OWASP Seraphimdroid [[OWASP_SeraphimDroid_Project| ]] ==

=== Behavioral malware and intrusion analysis ===

'''Brief Explanation:'''

[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has a capability to statically analyze malware using machine learning (weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve this with behavioral analysis. There are a number of paper in scientific literature describing how to detect malware and intrusions by dynamically analyzing its behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.

'''Expected Results:'''

* Reviewing scientific literature and find feasible approach we can take
* Implement and possibly improve the approach in Seraphimdroid
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it
* Documenting approach as a technical report

'''Knowledge Prerequisites:'''
* Java
* Android
* CSV, XML
* Basic knowledge and interest in machine learning

'''Mentors:'''
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader

=== Framework for plugin development ===

'''Brief Explanation:'''

[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app, however, it lacks some components community can provide. We would like to provide community the way to develop plugins that can add features to OWASP Seraphimdroid app. However, the way of integrating external components into Android app may be challenge. The way of presenting GUI and integration between processes need to be examined and developed.

'''Expected Results:'''

* Examining the way of integrating third party apps through some provided API to OWASP Seraphimdroid
* Providing GUI integration with third party components
* Develop at least one test plugin
* Document the development process and API

'''Knowledge Prerequisites:'''
* Java
* Android
* CSV, XML

'''Mentors:'''
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader

=== Educational component ===

'''Brief Explanation:'''

[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app. The initial idea of the project was to provide educational platform for common users, where by using the application, users can learn about risks for their privacy and security. Some components already has some sort of explanation, which is educational. However, it lacks of uneatable knowledge source and some of the components that monitor user's behavior do not provide sufficient information. Idea of this project is to develop monitoring of user activity and an component that can warn user about risks if he does something risky. Also, mobile security knowledge base that can be updated remotely will be a huge new asset to the application.

'''Expected Results:'''

* Develop uneatable knowledge base and GUI for it
* Develop web server where the knowledge base can be updated
* Improve current educational reporting
* Develop methodology for monitoring users and notifying them about risky activities

'''Knowledge Prerequisites:'''
* Java
* Android
* CSV, XML

'''Mentors:'''
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader

== OWASP ZSC Tool ==

'''Brief Explanation:'''

[[OWASP_ZSC_Tool_Project|OWASP ZSC]] is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python.

'''Expected Results:'''

Please take a look of our TODO list in Github to get some ideas:
https://github.com/Ali-Razmjoo/OWASP-ZSC/issues

Another ideas:
* Help us develop shellcode module for windows
* Develop shellcode module for OSX

Read about the project here:
https://ali-razmjoo.gitbooks.io/owasp-zsc/content/

Recommended reading:
http://www.vividmachines.com/shellcode/shellcode.html

'''Knowledge Prerequisites:'''
* Python
* Basic knowledge about Shellcode and assembly language

'''Mentors:'''
*Christo and Timo Goosen and Brian Beaudry- OWASP ZSC Contributors

Contact us through our mailing list for questions:
https://groups.google.com/d/forum/owasp-zsc

GSoC

2016-02-17T21:58:02Z

Conpap:

'''OWASP is applying to be a Google Summer of Code (“GSoC”) mentoring organization in 2016!'''



'''STUDENTS: THE PROPOSAL SUBMISSION PERIOD WILL BE OPEN UNTIL MARCH 14TH'''

[https://summerofcode.withgoogle.com/ '''Google Summer of Code Program Site''']

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.

All students currently enrolled in an accredited institution are welcome to participate in the Google Summer of Code 2016 program, hopefully along with the OWASP Foundation.

Below you could find all the instructions on how to participate.

== What is GSOC? ==

The Google Summer of Code program (“GSoC”) is designed to encourage student participation in open source development. Through GSoC, accepted student applicants will be paired with OWASP mentors that will guide them through their coding tasks.

Benefits to students include:

* Gaining exposure to real-world software development scenarios,
* An opportunity for employment in areas related to their academic pursuits and
* Google will be offering successful student contributors a 5,500 USD stipend, enabling them to focus on their coding projects for three months.

This program is done completely online. Students and mentors from more than 100 countries have participated in past years.

==Instructions common to all participants==

All participants should take a look at the [https://developers.google.com/open-source/gsoc/faq Google Summer of Code Program Site] every now and then to be informed about updates and advice. It is also important to read the [https://developers.google.com/open-source/gsoc/faq Summer of Code FAQ], as it contains useful information.
All participants will need a Google account in order to join the program. You'll save some time if you create one now.

===Programming Language===

While the majority of OWASP tools are developed using C++/Java, we do accept other languages, including (but not limited to) Python, Ruby and C#. C++ will be accepted for any project. Submissions and ideas for projects in any other language should specifically mention the choice.

==Instructions for students==

Are you a student and want to code for an OWASP project?
Here are the steps and some tips on getting started:

1) Think of a good idea – For reference see
[https://www.owasp.org/index.php/GSoC2016_Ideas GSoC 2016 Ideas]

2) Do some research yourself based on the idea, write up a proposal draft

3) Post it to the mailing list at https://groups.google.com/d/forum/owasp-gsoc for initial discussions with OWASP mentors.

4) Based on feedback, write a full proposal – See template below:
https://www.owasp.org/index.php/GSoC_SAT

5) Submit your proposal to Google from March 14th to March 25th 2014.

Students wishing to participate in GSoC must realize this is a formal commitment to produce code for the selected OWASP Project during three months. You will also take some resources from OWASP project leaders, who will dedicate a portion of their time to mentor you. Therefore, we'd like to have candidates who are committed to helping OWASP mission. You don't have to be a proven developer -- in fact, this whole program is meant to facilitate joining OWASP and other Open Source communities. However, experience in coding and applications are welcome.

You should start familiarising yourself with the components that you plan on working on before the start date. OWASP Project Mentors are available on the mailing list https://groups.google.com/d/forum/owasp-gsoc for help.

===General instructions===
First of all, please read the instructions common to all participants and the [https://developers.google.com/open-source/gsoc/faq GSoC FAQ]. Pay special attention to the '''Eligibility''' section of the FAQ.

===Getting in touch===
* Google Group: OWASP Organization Administrators and Mentors are available at https://groups.google.com/d/forum/owasp-gsoc ready to answer any questions and discuss any idea.
* Mailing list: Each project has its own development mailing list (eg. ESAPI: http://lists.owasp.org/pipermail/esapi-dev/). Feel free t osubscribe in order to discuss your ideas directly with the project's contributors.
* IRC channel: You can find us at irc.freenode.net channel #owasp-gsoc

===Recommended steps===
* Read Google's instructions for participating
* Take a look at the list of ideas
* Come up with project that you're interested in
* Write a first draft proposal and get someone to review it for you
* Submit it using Google's web interface

Coming up with an interesting idea is probably the most difficult part of all. It should be something interesting for an OWASP Project, and more importantly for you. It also has to be something that you can realistically achieve in the time available to you.

Finding out what the most pressing issues are in the projects you're interested in is a good start. You can optionally join the mailing lists for that project: you can make acquaintance with developers and your potential mentor, as well as start learning the codebase. We recommend strongly doing that and we will look favourably on applications from students who have started to act like Open Source developers.

===Student proposal guidelines===
A project proposal is what you will be judged upon. So, as a general recommendation, write a clear proposal on what you plan to do, what your project is and what it is not, etc. Several websites now contain hints and other useful information on writing up such proposals.
OWASP does not require a specific format or specific list of information, but there is an application template on the OWASP page in Google Melange with some specific points that you should address in your application:
* Who are you? What are you studying?
* What exactly do you intend to do? What will not be done?
* Why are you the right person for this task?
* To what extent are you familiar with the software you're proposing to work with? Have you used it? Have you read the source? Have you modified the source?
* How many hours are you going to work on this a week? 10? 20? 30? 40?
* Do you have other commitments that we should know about? If so, please suggest a way to compensate if it will take much time away from Summer of Code.
* Are you comfortable working independently under a supervisor or mentor who is several thousand miles away, not to mention 12 time zones away? How will you work with your mentor to track your work? Have you worked in this style before?
* If your native language is not English, are you comfortable working closely with a supervisor whose native language is English? What is your native language, as that may help us find a mentor who has the same native language?
* Where do you live, and can we assign a mentor who is local to you so you can meet in a coffee shop for lunch?

After you have written your proposal, you should get it reviewed. Do not rely on the OWASP mentors to do it for you via the web interface: they will only send back a proposal if they find it lacking. Instead, ask a colleague or a developer to do it for you.

===Hints===
'''Submit your proposal early:''' early submissions get more attention from developers for the simple fact that they have more time to dedicate to reading them. The more people see it, the more it'll get known.

'''Do not leave it all to the last minute:''' while it is Google that is operating the webserver, it would be wise to expect a last-minute overload on the server. So, make sure you send your application before the final rush. Also, note that the applications submitted very late will get the least attention from mentors, so you may get a low vote because of that.

'''Keep it simple:''' we don't need a 10-page essay on the project and on you (Google won't even let you submit a text that long). You just need to be concise and precise.

'''Know what you are talking about:''' the last thing we need is for students to submit ideas that cannot be accomplished realistically or ideas that aren't even remotely related to OWASP Projects. If your idea is unusual, be sure to explain why you have chosen OWASP to be your mentoring organisation.

'''Aim wide:''' submit more than one proposal, to different OWASP Projects. We also recommend submitting to more than one organisation too. This will increase your chances of being chosen.

The PostgreSQL project has also released a list of [http://www.postgresql.org/developer/summerofcodeadvice.html hints] that you can take a look.

==Instructions for mentors==
===Ideas===
If you're a developer and you wish to participate in Summer of Code, you can do it in two ways: the first and easiest is to make a proposal in the [https://www.owasp.org/index.php/GSoC2016_Ideas ideas] page. Take a look at what the different OWASP Projects needs or what you feel should have. Feel free to submit ideas even if you cannot elaborate too much on them.

The second possibility is to be a mentor for a more specific idea. If you wish to do that, please read the instructions common to all participants and the Summer of Code FAQ. Also, please contact the project leader for your application or module and get the go-ahead from him/her. Then edit the ideas page, adding your idea.

Your idea proposal should be a brief description of what the project is, what the desired goals would be, what the student should know and your email address for contact. Please note, though, that the students are not required to follow your idea to the letter, so regard your proposal as just a suggestion.

===Mentoring===
If you wish to help us even more, you can be an OWASP mentor. We will potentially assign a student to you who has never worked on such a large project and will need some help. Make sure you're up for the task.
When subscribing yourself as a mentor, please make sure that your application or module maintainer is aware of that. Ask him/her to send the Summer of Code OWASP Administrators an email confirming to know you. This is just a formality to make sure you are a real person we can trust -- the administrators cannot know all active developers by their Google account ID.

If you would like to get an idea of what is involved in being a good mentor, be sure to read the [http://www.booki.cc/gsoc-mentoring mentoring guide].

You will be subscribed to a mailing list to discuss ideas. We will also require you to read the proposals as they come in and you will be allowed to vote on the proposals, according to rules we will publish later.

Finally, know that we will never assign you to a project you do not want to work on. We will not assign you more projects than you can/want to take on either. And you will have a backup mentor, just in case something unforeseen takes place.

===Subscribing as mentor===
To subscribe as mentor, you need to complete a few easy steps.
* Contact the OWASP GSoC administrators to let them know which project you want to mentor for
* Log in to [https://summerofcode.withgoogle.com/ Google Summer of Code Program Site]
* Apply as a mentor for OWASP
* Subscribe to https://groups.google.com/d/forum/owasp-gsoc

'''The current list of GSOC 2016 Mentors are:'''
* Abraham Aranguren
* Mennouchi Islam Azeddine
* Ryan Barnett
* Simon Bennetts
* Johanna Curiel
* Spyros Gasteratos
* Gareth Heyes
* Krzysztof Kotowicz
* Andres Morales
* Kostas Papapanagiotou
* Andres Riancho
* Guifre Ruiz
* Prasad Shenoy
* Breno Silva
* Andrew van der Stock
* Kevin W. Wall
* Tom Brennan

==Instructions for OWASP Project Leaders==
If you are an OWASP Project Leader, you may be contacted by developers in your project about an idea he wants to submit.
You should judge whether the idea being proposed coincides with the general goals for your OWASP Project. If you feel that is not the case, you should reply to your developer and suggest that he modify the proposal.
You do not need yourself to be a mentor, but we would like you to.

==Contact OWASP GSoC Admininstrators==
To reach the OWASP administrators for Summer of Code, please send an email to the GSOC Administrators below.

'''The GSOC 2016 Administrators are:'''

* Kostas Papapanagiotou (konstantinos@owasp.org)
* Claudia Casanovas (claudia.aviles-casanovas@owasp.org)
* Fabio Cerullo (fcerullo@owasp.org)

GSoC

2016-02-16T11:41:58Z

Conpap:

'''OWASP is applying to be a Google Summer of Code (“GSoC”) mentoring organization in 2016!'''



'''STUDENTS: THE PROPOSAL SUBMISSION PERIOD WILL BE OPEN UNTIL MARCH 14TH'''

[https://summerofcode.withgoogle.com/ '''Google Summer of Code Program Site''']

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.

All students currently enrolled in an accredited institution are welcome to participate in the Google Summer of Code 2016 program, hopefully along with the OWASP Foundation.

Below you could find all the instructions on how to participate.

== What is GSOC? ==

The Google Summer of Code program (“GSoC”) is designed to encourage student participation in open source development. Through GSoC, accepted student applicants will be paired with OWASP mentors that will guide them through their coding tasks.

Benefits to students include:

* Gaining exposure to real-world software development scenarios,
* An opportunity for employment in areas related to their academic pursuits and
* Google will be offering successful student contributors a 5,500 USD stipend, enabling them to focus on their coding projects for three months.

This program is done completely online. Students and mentors from more than 100 countries have participated in past years.

==Instructions common to all participants==

All participants should take a look at the [https://developers.google.com/open-source/gsoc/faq Google Summer of Code Program Site] every now and then to be informed about updates and advice. It is also important to read the [https://developers.google.com/open-source/gsoc/faq Summer of Code FAQ], as it contains useful information.
All participants will need a Google account in order to join the program. You'll save some time if you create one now.

===Programming Language===

While the majority of OWASP tools are developed using C++/Java, we do accept other languages, including (but not limited to) Python, Ruby and C#. C++ will be accepted for any project. Submissions and ideas for projects in any other language should specifically mention the choice.

==Instructions for students==

Are you a student and want to code for an OWASP project?
Here are the steps and some tips on getting started:

1) Think of a good idea – For reference see
[https://www.owasp.org/index.php/GSoC2015_Ideas GSoC 2016 Ideas]

2) Do some research yourself based on the idea, write up a proposal draft

3) Post it to the mailing list at https://groups.google.com/d/forum/owasp-gsoc for initial discussions with OWASP mentors.

4) Based on feedback, write a full proposal – See template below:
https://www.owasp.org/index.php/GSoC_SAT

5) Submit your proposal to Google from March 14th to March 25th 2014.

Students wishing to participate in GSoC must realize this is a formal commitment to produce code for the selected OWASP Project during three months. You will also take some resources from OWASP project leaders, who will dedicate a portion of their time to mentor you. Therefore, we'd like to have candidates who are committed to helping OWASP mission. You don't have to be a proven developer -- in fact, this whole program is meant to facilitate joining OWASP and other Open Source communities. However, experience in coding and applications are welcome.

You should start familiarising yourself with the components that you plan on working on before the start date. OWASP Project Mentors are available on the mailing list https://groups.google.com/d/forum/owasp-gsoc for help.

===General instructions===
First of all, please read the instructions common to all participants and the [https://developers.google.com/open-source/gsoc/faq GSoC FAQ]. Pay special attention to the '''Eligibility''' section of the FAQ.

===Recommended steps===
* Read Google's instructions for participating
* Take a look at the list of ideas
* Come up with project that you're interested in
* Write a first draft proposal and get someone to review it for you
* Submit it using Google's web interface

Coming up with an interesting idea is probably the most difficult part of all. It should be something interesting for an OWASP Project, and more importantly for you. It also has to be something that you can realistically achieve in the time available to you.

Finding out what the most pressing issues are in the projects you're interested in is a good start. You can optionally join the mailing lists for that project: you can make acquaintance with developers and your potential mentor, as well as start learning the codebase. We recommend strongly doing that and we will look favourably on applications from students who have started to act like Open Source developers.

===Student proposal guidelines===
A project proposal is what you will be judged upon. So, as a general recommendation, write a clear proposal on what you plan to do, what your project is and what it is not, etc. Several websites now contain hints and other useful information on writing up such proposals.
OWASP does not require a specific format or specific list of information, but there is an application template on the OWASP page in Google Melange with some specific points that you should address in your application:
* Who are you? What are you studying?
* What exactly do you intend to do? What will not be done?
* Why are you the right person for this task?
* To what extent are you familiar with the software you're proposing to work with? Have you used it? Have you read the source? Have you modified the source?
* How many hours are you going to work on this a week? 10? 20? 30? 40?
* Do you have other commitments that we should know about? If so, please suggest a way to compensate if it will take much time away from Summer of Code.
* Are you comfortable working independently under a supervisor or mentor who is several thousand miles away, not to mention 12 time zones away? How will you work with your mentor to track your work? Have you worked in this style before?
* If your native language is not English, are you comfortable working closely with a supervisor whose native language is English? What is your native language, as that may help us find a mentor who has the same native language?
* Where do you live, and can we assign a mentor who is local to you so you can meet in a coffee shop for lunch?

After you have written your proposal, you should get it reviewed. Do not rely on the OWASP mentors to do it for you via the web interface: they will only send back a proposal if they find it lacking. Instead, ask a colleague or a developer to do it for you.

===Hints===
'''Submit your proposal early:''' early submissions get more attention from developers for the simple fact that they have more time to dedicate to reading them. The more people see it, the more it'll get known.

'''Do not leave it all to the last minute:''' while it is Google that is operating the webserver, it would be wise to expect a last-minute overload on the server. So, make sure you send your application before the final rush. Also, note that the applications submitted very late will get the least attention from mentors, so you may get a low vote because of that.

'''Keep it simple:''' we don't need a 10-page essay on the project and on you (Google won't even let you submit a text that long). You just need to be concise and precise.

'''Know what you are talking about:''' the last thing we need is for students to submit ideas that cannot be accomplished realistically or ideas that aren't even remotely related to OWASP Projects. If your idea is unusual, be sure to explain why you have chosen OWASP to be your mentoring organisation.

'''Aim wide:''' submit more than one proposal, to different OWASP Projects. We also recommend submitting to more than one organisation too. This will increase your chances of being chosen.

The PostgreSQL project has also released a list of [http://www.postgresql.org/developer/summerofcodeadvice.html hints] that you can take a look.

==Instructions for mentors==
===Ideas===
If you're a developer and you wish to participate in Summer of Code, you can do it in two ways: the first and easiest is to make a proposal in the [https://www.owasp.org/index.php/GSoC2016_Ideas ideas] page. Take a look at what the different OWASP Projects needs or what you feel should have. Feel free to submit ideas even if you cannot elaborate too much on them.

The second possibility is to be a mentor for a more specific idea. If you wish to do that, please read the instructions common to all participants and the Summer of Code FAQ. Also, please contact the project leader for your application or module and get the go-ahead from him/her. Then edit the ideas page, adding your idea.

Your idea proposal should be a brief description of what the project is, what the desired goals would be, what the student should know and your email address for contact. Please note, though, that the students are not required to follow your idea to the letter, so regard your proposal as just a suggestion.

===Mentoring===
If you wish to help us even more, you can be an OWASP mentor. We will potentially assign a student to you who has never worked on such a large project and will need some help. Make sure you're up for the task.
When subscribing yourself as a mentor, please make sure that your application or module maintainer is aware of that. Ask him/her to send the Summer of Code OWASP Administrators an email confirming to know you. This is just a formality to make sure you are a real person we can trust -- the administrators cannot know all active developers by their Google account ID.

If you would like to get an idea of what is involved in being a good mentor, be sure to read the [http://www.booki.cc/gsoc-mentoring mentoring guide].

You will be subscribed to a mailing list to discuss ideas. We will also require you to read the proposals as they come in and you will be allowed to vote on the proposals, according to rules we will publish later.

Finally, know that we will never assign you to a project you do not want to work on. We will not assign you more projects than you can/want to take on either. And you will have a backup mentor, just in case something unforeseen takes place.

===Subscribing as mentor===
To subscribe as mentor, you need to complete a few easy steps.
* Contact the OWASP GSoC administrators to let them know which project you want to mentor for
* Log in to [https://summerofcode.withgoogle.com/ Google Summer of Code Program Site]
* Apply as a mentor for OWASP
* Subscribe to https://groups.google.com/d/forum/owasp-gsoc

'''The current list of GSOC 2016 Mentors are:'''
* Abraham Aranguren
* Mennouchi Islam Azeddine
* Ryan Barnett
* Simon Bennetts
* Johanna Curiel
* Spyros Gasteratos
* Gareth Heyes
* Krzysztof Kotowicz
* Andres Morales
* Kostas Papapanagiotou
* Andres Riancho
* Guifre Ruiz
* Prasad Shenoy
* Breno Silva
* Andrew van der Stock
* Kevin W. Wall
* Tom Brennan

==Instructions for OWASP Project Leaders==
If you are an OWASP Project Leader, you may be contacted by developers in your project about an idea he wants to submit.
You should judge whether the idea being proposed coincides with the general goals for your OWASP Project. If you feel that is not the case, you should reply to your developer and suggest that he modify the proposal.
You do not need yourself to be a mentor, but we would like you to.

==Contact OWASP GSoC Admininstrators==
To reach the OWASP administrators for Summer of Code, please send an email to the GSOC Administrators below.

'''The GSOC 2016 Administrators are:'''

* Kostas Papapanagiotou (konstantinos@owasp.org)
* Claudia Casanovas (claudia.aviles-casanovas@owasp.org)
* Fabio Cerullo (fcerullo@owasp.org)

GSOC2016 Ideas

2016-02-09T09:47:13Z

Conpap:

GSOC2016 Ideas

2016-02-09T09:46:43Z

Conpap:

Summer Code Sprint2015

2015-05-20T15:56:34Z

Conpap:

== OWASP Summer Code Sprint 2015 ==

== Goal ==

The OWASP Summer Code Sprint 2015 is a program that aims to provide incentives to students to contribute to OWASP projects. By participating in the OWASP Summer Code Sprint a student can get real life experience while contributing to an open source project. A student that successfully completes the program will receive in total $1500.

== Program details ==

''Projects that are eligible:'' All code/tools projects. Documentation projects are excluded.

''Duration:'' 2 months of full-time engagement.

== How it works ==

Any code/tool project can participate in the OWASP Summer Code Sprint. Each project will be guided by an OWASP mentor. Students are evaluated in the middle and at the end of the coding period, based on success criteria identified at the beginning of the project. Successful students will receive $750 after each evaluation, a total of $1500 per student.

Projects are focused on developing security tools. It is required that the code any student produces for those projects will be released as Open Source.

Note on language: English is required for code comments and documentation, but not for interactions between students and advisers. Advisers who speak the same language as their students are encouraged to interact in that language.

== How you can participate ==

=== As a student: ===

1. Review the list of OWASP Projects currently participating in the OWASP Summer Code Sprint 2015.

2. Get in touch with the OWASP Project mentor of your choice.

3. Agree deliverables with OWASP mentor.

4. Work away during Summer 2015.

5. Rise to Open Source Development Glory :-)

(Students apply now!)Google form application link

=== As an OWASP Project Leader: ===

1. Edit this page adding your project and some proposed tasks as per the examples

2. Promote the initiative to your academic contacts

== Timeplan ==

'''Phase 1: Proposals'''

Project leaders who want to include their project to the program should submit some initial proposal ideas on this page. These ideas serve as guidance to the students; they are things that project leaders would like to get done, like new features, improvements, etc.

Subsequently students are invited to submit detailed proposals that can (but do not necessarily have to) be based on these ideas. Students are strongly encouraged to engage with project leaders and each project's community (e.g. through the project's mailing list) in order to discuss the details of their proposal. Proposals should provide details about the implementation, time plan, milestones, etc.

'''Phase 2: Scoring of proposals'''

After the submission of proposals, project leaders and contributors/mentors are required to review the submitted proposals and score them (on a 1 to 5 scale). Each proposal should receive at least 3 assessments/scores from different mentors. Each mentor, contributor or leader can score only proposals for their OWN project. All assessments should provide justification. Reviewers are strongly encouraged to provide constructive comments for students so that they can improve in the future.

Project leaders are responsible to attract a sufficient number of volunteer mentors to score proposals and subsequently supervise those that will get selected.

'''Phase 3: Slot allocation.'''

When proposal scoring has been completed, each project leader requests a specific number of slots. This number should be based on:
The number of truly outstanding proposals according to submitted scores.
The importance of the proposal to the project's roadmap.
The number of available mentors for the project. At least 2 mentors are needed for each proposal that gets accepted.
If the total number of requested slots is less than or equal to the available number of slots, then all projects get the requested slots. If not, the following rules apply:
All projects that have requested a slot get at least 1 slot, provided they have a high quality proposal and sufficient number of mentors.
Two mentors are required per slot allocated to the project.
The program's administrators get in touch with project leaders, especially those that have requested a large number of slots to receive additional feedback on the requested slots and explore any available possibilities for reducing the requested number of slots. A project leader might choose to donate one or more requested slots back to the pool so that other projects can get more slots. The program administrators can choose to initiate a public discussion between projects in need of more slots and projects that have requested a lot of slots in order to determine the best possible outcome for everyone.
If all else fails, slots are equally allocated to projects, i.e. all projects get 1 slot; projects that have requested 2 or more slots get an extra slot if available; projects that have requested 3 or more slots get an extra slot if available, etc. When there are no more slots available for all projects that have requested them a draw is used to allocate the remaining slots.

In any case, the program's administrators should perform a final review of the selected proposals to ensure that they are of high quality. If concerns arise they should request additional information from project leaders.

'''Phase 4: Coding.'''

This is the main phase of the program. Students implement their proposal according to the submitted timeplan and under the supervision
of their mentors.

== Evaluations ==

In the middle of the coding period, mentors should submit an evaluation of their students to ensure that they are on track and provide some feedback both to OWASP and the students.

If no/little progress has been made up to this point, the mentors could decide to fail the student in which case the student does not receive money. If successful, OWASP will pay half the amount ($750). The final evaluations are submitted at the end of the coding period and the second installment ($750) is paid to the student if all agreed deliverables are met. If the student has failed to demonstrate progress during the second period, then the second installment will not be paid and the student will get only half of the amount.

== Deadlines ==
Program announcement: June 1st, 2015

Student Applications: June 21st, 2015

Proposal Evaluations: from June 22nd until June 28th.

Successful proposals announcement: July 1st

Coding Period Starts: July 10th

Mid-term evaluations: Submitted from August 10th until August 15th.

Coding period ends: September 10th.

Final evaluations: Until September 18th.

== Mailing List ==
Please subscribe to the following mailing list to receive updates or ask any particular questions:

== Ideas ==
=== OWASP OWTF ===

''' Brief explanation: '''

Background problem to solve:

''' Expected results '''

You should be able to...

''' Prerequisites '''

''' OWASP Mentors '''

Summer Code Sprint2015

2015-05-20T15:51:59Z

Conpap:

== OWASP Summer Code Sprint 2015 ==

== Goal ==

The OWASP Summer Code Sprint 2015 is a program that aims to provide incentives to students to contribute to OWASP projects. By participating in the OWASP Summer Code Sprint a student can get real life experience while contributing to an open source project. A student that successfully completes the program will receive in total $1500.

== Program details ==

''Projects that are eligible:'' All code/tools projects. Documentation projects are excluded.

''Duration:'' 2 months of full-time engagement.

== How it works ==

Any code/tool project can participate in the OWASP Summer Code Sprint. Each project will be guided by an OWASP mentor. Students are evaluated in the middle and at the end of the coding period, based on success criteria identified at the beginning of the project. Successful students will receive $750 after each evaluation, a total of $1500 per student.

Projects are focused on developing security tools. It is required that the code any student produces for those projects will be released as Open Source.

Note on language: English is required for code comments and documentation, but not for interactions between students and advisers. Advisers who speak the same language as their students are encouraged to interact in that language.

== How you can participate ==

=== As a student: ===

1. Review the list of OWASP Projects currently participating in the OWASP Summer Code Sprint 2015.

2. Get in touch with the OWASP Project mentor of your choice.

3. Agree deliverables with OWASP mentor.

4. Work away during Summer 2015.

5. Rise to Open Source Development Glory :-)

(Students apply now!)Google form application link

=== As an OWASP Project Leader: ===

1. Edit this page adding your project and some proposed tasks as per the examples

2. Promote the initiative to your academic contacts

== Timeplan ==

'''Phase 1: Proposals'''

Project leaders who want to include their project to the program should submit some initial proposal ideas on this page. These ideas serve as guidance to the students; they are things that project leaders would like to get done, like new features, improvements, etc.

Subsequently students are invited to submit detailed proposals that can (but do not necessarily have to) be based on these ideas. Students are strongly encouraged to engage with project leaders and each project's community (e.g. through the project's mailing list) in order to discuss the details of their proposal. Proposals should provide details about the implementation, time plan, milestones, etc.

'''Phase 2: Scoring of proposals'''

After the submission of proposals, project leaders and contributors/mentors are required to review the submitted proposals and score them (on a 1 to 5 scale). Each proposal should receive at least 3 assessments/scores from different mentors. Each mentor, contributor or leader can score only proposals for their OWN project. All assessments should provide justification. Reviewers are strongly encouraged to provide constructive comments for students so that they can improve in the future.

Project leaders are responsible to attract a sufficient number of volunteer mentors to score proposals and subsequently supervise those that will get selected.

'''Phase 3: Slot allocation.'''

When proposal scoring has been completed, each project leader requests a specific number of slots. This number should be based on:
The number of truly outstanding proposals according to submitted scores.
The importance of the proposal to the project's roadmap.
The number of available mentors for the project. At least 2 mentors are needed for each proposal that gets accepted.
If the total number of requested slots is less than or equal to the available number of slots, then all projects get the requested slots. If not, the following rules apply:
All projects that have requested a slot get at least 1 slot, provided they have a high quality proposal and sufficient number of mentors.
Two mentors are required per slot allocated to the project.
The program's administrators get in touch with project leaders, especially those that have requested a large number of slots to receive additional feedback on the requested slots and explore any available possibilities for reducing the requested number of slots. A project leader might choose to donate one or more requested slots back to the pool so that other projects can get more slots. The program administrators can choose to initiate a public discussion between projects in need of more slots and projects that have requested a lot of slots in order to determine the best possible outcome for everyone.
If all else fails, slots are equally allocated to projects, i.e. all projects get 1 slot; projects that have requested 2 or more slots get an extra slot if available; projects that have requested 3 or more slots get an extra slot if available, etc. When there are no more slots available for all projects that have requested them a draw is used to allocate the remaining slots.

In any case, the program's administrators should perform a final review of the selected proposals to ensure that they are of high quality. If concerns arise they should request additional information from project leaders.

'''Phase 4: Coding.'''

This is the main phase of the program. Students implement their proposal according to the submitted timeplan and under the supervision
of their mentors.

== Evaluations ==

In the middle of the coding period, mentors should submit an evaluation of their students to ensure that they are on track and provide some feedback both to OWASP and the students.

If no/little progress has been made up to this point, the mentors could decide to fail the student in which case the student does not receive money. If successful, OWASP will pay half the amount ($750). The final evaluations are submitted at the end of the coding period and the second installment ($750) is paid to the student if all agreed deliverables are met. If the student has failed to demonstrate progress during the second period, then the second installment will not be paid and the student will get only half of the amount.

== Deadlines ==
Student Applications: June 30th, 2015

Mid-term evaluations: Submitted from August 1st until August 7th.

Coding period ends:

Final evaluations:

== Mailing List ==
Please subscribe to the following mailing list to receive updates or ask any particular questions:

== Ideas ==
=== OWASP OWTF ===

''' Brief explanation: '''

Background problem to solve:

''' Expected results '''

You should be able to...

''' Prerequisites '''

''' OWASP Mentors '''

Summer Code Sprint2015

2015-05-20T15:44:04Z

Conpap:

== OWASP Summer Code Sprint 2015 ==

== Goal ==

The OWASP Summer Code Sprint 2015 is a program that aims to provide incentives to students to contribute to OWASP projects. By participating in the OWASP Summer Code Sprint a student can get real life experience while contributing to an open source project. A student that successfully completes the program will receive in total $1500.

== Program details ==

''Projects that are eligible:'' All code/tools projects. Documentation projects are excluded.

''Duration:'' 2 months of full-time engagement.

== How it works ==

Any code/tool project can participate in the OWASP Summer Code Sprint. Each project will be guided by an OWASP mentor. Students are graded by their University, based on success criteria identified at the beginning of the project.

Projects are focused on developing security tools. It is required that the code any student produces for those projects will be released as Open Source.

Note on language: English is required for code comments and documentation, but not for interactions between students and advisers. Advisers who speak the same language as their students are encouraged to interact in that language.

== How you can participate ==

=== As a student: ===

1. Review the list of OWASP Projects currently participating in the OWASP Summer Code Sprint 2015.

2. Get in touch with the OWASP Project mentor of your choice.

3. Agree deliverables with OWASP mentor.

4. Work away during Summer 2015.

5. Rise to Open Source Development Glory :-)

(Students apply now!)Google form application link

=== As an OWASP Project Leader: ===

1. Edit this page adding your project and some proposed tasks as per the examples

2. Promote the initiative to your academic contacts

== Timeplan ==

'''Phase 1: Proposals'''

Project leaders who want to include their project to the program should submit some initial proposal ideas on this page. These ideas serve as guidance to the students; they are things that project leaders would like to get done, like new features, improvements, etc.

Subsequently students are invited to submit detailed proposals that can (but do not necessarily have to) be based on these ideas. Students are strongly encouraged to engage with project leaders and each project's community (e.g. through the project's mailing list) in order to discuss the details of their proposal. Proposals should provide details about the implementation, time plan, milestones, etc.

'''Phase 2: Scoring of proposals'''

After the submission of proposals, project leaders and contributors/mentors are required to review the submitted proposals and score them (on a 1 to 5 scale). Each proposal should receive at least 3 assessments/scores from different mentors. Each mentor, contributor or leader can score only proposals for their OWN project. All assessments should provide justification. Reviewers are strongly encouraged to provide constructive comments for students so that they can improve in the future.

Project leaders are responsible to attract a sufficient number of volunteer mentors to score proposals and subsequently supervise those that will get selected.

'''Phase 3: Slot allocation.'''

When proposal scoring has been completed, each project leader requests a specific number of slots. This number should be based on:
The number of truly outstanding proposals according to submitted scores.
The importance of the proposal to the project's roadmap.
The number of available mentors for the project. At least 2 mentors are needed for each proposal that gets accepted.
If the total number of requested slots is less than or equal to the available number of slots, then all projects get the requested slots. If not, the following rules apply:
All projects that have requested a slot get at least 1 slot, provided they have a high quality proposal and sufficient number of mentors.
Two mentors are required per slot allocated to the project.
The program's administrators get in touch with project leaders, especially those that have requested a large number of slots to receive additional feedback on the requested slots and explore any available possibilities for reducing the requested number of slots. A project leader might choose to donate one or more requested slots back to the pool so that other projects can get more slots. The program administrators can choose to initiate a public discussion between projects in need of more slots and projects that have requested a lot of slots in order to determine the best possible outcome for everyone.
If all else fails, slots are equally allocated to projects, i.e. all projects get 1 slot; projects that have requested 2 or more slots get an extra slot if available; projects that have requested 3 or more slots get an extra slot if available, etc. When there are no more slots available for all projects that have requested them a draw is used to allocate the remaining slots.

In any case, the program's administrators should perform a final review of the selected proposals to ensure that they are of high quality. If concerns arise they should request additional information from project leaders.

'''Phase 4: Coding.'''

This is the main phase of the program. Students implement their proposal according to the submitted timeplan and under the supervision
of their mentors.

== Evaluations ==

In the middle of the coding period, mentors should submit an evaluation of their students to ensure that they are on track and provide some feedback both to OWASP and the students.

If no/little progress has been made up to this point, the mentors could decide to fail the student in which case the student does not receive money. If successful, OWASP will pay half the amount ($750). The final evaluations are submitted at the end of the coding period and the second installment ($750) is paid to the student if all agreed deliverables are met. If the student has failed to demonstrate progress during the second period, then the second installment will not be paid and the student will get only half of the amount.

== Deadlines ==

== Mailing List ==

== Ideas ==
=== OWASP OWTF ===

''' Brief explanation: '''

Background problem to solve:

''' Expected results '''

You should be able to...

''' Prerequisites '''

''' OWASP Mentors '''

Summer Code Sprint2015

2015-05-20T15:41:24Z

Conpap:

== OWASP Summer Code Sprint 2015 ==

== Goal ==

The OWASP Summer Code Sprint 2015 is a program that aims to provide incentives to students to contribute to OWASP projects. By participating in the OWASP Summer Code Sprint a student can get real life experience while contributing to an open source project. A student that successfully completes the program will receive in total $1500.

== Program details ==

''Projects that are eligible:'' All code/tools projects. Documentation projects are excluded.

''Duration:'' 2 months of full-time engagement.

== How it works ==

Any code/tool project can participate in the OWASP Summer Code Sprint. Each project will be guided by an OWASP mentor. Students are graded by their University, based on success criteria identified at the beginning of the project.

Projects are focused on developing security tools. It is required that the code any student produces for those projects will be released as Open Source.

Note on language: English is required for code comments and documentation, but not for interactions between students and advisers. Advisers who speak the same language as their students are encouraged to interact in that language.

== How you can participate ==

== Timeplan ==

'''Phase 1: Proposals'''
Project leaders who want to include their project to the program should submit some initial proposal ideas on this page. These ideas serve as guidance to the students; they are things that project leaders would like to get done, like new features, improvements, etc.

Subsequently students are invited to submit detailed proposals that can (but do not necessarily have to) be based on these ideas. Students are strongly encouraged to engage with project leaders and each project's community (e.g. through the project's mailing list) in order to discuss the details of their proposal. Proposals should provide details about the implementation, time plan, milestones, etc.

'''Phase 2: Scoring of proposals'''
After the submission of proposals, project leaders and contributors/mentors are required to review the submitted proposals and score them (on a 1 to 5 scale). Each proposal should receive at least 3 assessments/scores from different mentors. Each mentor, contributor or leader can score only proposals for their OWN project. All assessments should provide justification. Reviewers are strongly encouraged to provide constructive comments for students so that they can improve in the future.

Project leaders are responsible to attract a sufficient number of volunteer mentors to score proposals and subsequently supervise those that will get selected.

'''Phase 3: Slot allocation.'''
When proposal scoring has been completed, each project leader requests a specific number of slots. This number should be based on:
The number of truly outstanding proposals according to submitted scores.
The importance of the proposal to the project's roadmap.
The number of available mentors for the project. At least 2 mentors are needed for each proposal that gets accepted.
If the total number of requested slots is less than or equal to the available number of slots, then all projects get the requested slots. If not, the following rules apply:
All projects that have requested a slot get at least 1 slot, provided they have a high quality proposal and sufficient number of mentors.
Two mentors are required per slot allocated to the project.
The program's administrators get in touch with project leaders, especially those that have requested a large number of slots to receive additional feedback on the requested slots and explore any available possibilities for reducing the requested number of slots. A project leader might choose to donate one or more requested slots back to the pool so that other projects can get more slots. The program administrators can choose to initiate a public discussion between projects in need of more slots and projects that have requested a lot of slots in order to determine the best possible outcome for everyone.
If all else fails, slots are equally allocated to projects, i.e. all projects get 1 slot; projects that have requested 2 or more slots get an extra slot if available; projects that have requested 3 or more slots get an extra slot if available, etc. When there are no more slots available for all projects that have requested them a draw is used to allocate the remaining slots.

In any case, the program's administrators should perform a final review of the selected proposals to ensure that they are of high quality. If concerns arise they should request additional information from project leaders.

'''Phase 4: Coding.'''
This is the main phase of the program. Students implement their proposal according to the submitted timeplan and under the supervision
of their mentors.

== Evaluations ==

In the middle of the coding period, mentors should submit an evaluation of their students to ensure that they are on track and provide some feedback both to OWASP and the students.

If no/little progress has been made up to this point, the mentors could decide to fail the student in which case the student does not receive money. If successful, OWASP will pay half the amount ($750). The final evaluations are submitted at the end of the coding period and the second installment ($750) is paid to the student if all agreed deliverables are met. If the student has failed to demonstrate progress during the second period, then the second installment will not be paid and the student will get only half of the amount.

== Deadlines ==

== Mailing List ==

== Ideas ==
=== OWASP OWTF - VMS - OWTF Vulnerability Management System (FREE!) ===

''' Brief explanation: '''

Background problem to solve:

''' Expected results '''

You should be able to...

''' Prerequisites '''

''' OWASP Mentors '''

Summer Code Sprint2015

2015-05-20T15:33:31Z

Conpap:

Summer Code Sprint2015

2015-05-20T15:32:36Z

Conpap:

Summer Code Sprint2015

2015-05-20T15:26:21Z

Conpap: Created page with "== OWASP Summer Code Sprint 2015 == == Goal == The OWASP Summer Code Sprint 2015 is a program that aims to provide incentives to students to contribute to OWASP projects. B..."

GSoC2015 Ideas

2015-02-09T20:05:48Z

Conpap:

=OWASP Project Requests=

== OWASP Hackademic Challenges ==
=== OWASP Hackademic Challenges - New challenges and Improvements to the existing ones ===

'''Brief Explanation:'''

The challenges that have been implemented so far include: web application challenges covering several vulnerabilities included in the OWASP Top 10, cryptographic challenges, and entire virtual machines including several vulnerabilities.
New challenges need to be created in order to cover a broader set of vulnerabilities.
Also existing challenges can be modified to accept a broader set of valid answers, e.g. by using regular expressions.

Ideas on the project:

* Simulated simple buffer overflows
* SQL injections
* Man in the middle simulation
* Bypassing regular expression filtering
* Your idea here

'''Expected Results:'''

New cool challenges

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== OWASP Hackademic Challenges - Source Code testing environment ===

'''Brief Explanation:'''

Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.

'''Expected Results:'''

A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Java. Good understanding of Application Security, source code analysis and related vulnerabilities.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== OWASP Hackademic Challenges - Challenge Sandbox ===

Now, in order to create a challenge, one has to validate the solution with regular expressions (or just plaintext comparison) and report success or failure to the backend,
we'd like the ability to write a normal vulnerable web application as a challenge and leave it to hackademic to make sure that the server is not affected.
Since this is probably the most difficult task proposed, if you are considering it, please get in touch with us early on so we can discuss about it and plan it correctly.

Ideas on the project:

''' *Administrator's point of view* '''

Create an infrastructure that spawns virtual environments for users while keeping the load reasonable on the server(s).
Or configure apache,php,mysql in a way that allows for multiple instances of the programms to run in parallel completely seperated from the rest of the server.
The student is expected to provide configuration scripts that do the above

''' *Coder's Way* '''

This is better explained with an example:
In order to create an sql injection challenge one should be able to call a common unsecure mysql execute statement function.
The student can override common functions like this providing their own implementation of a very temporary database (based on flat files or nosql solutions e.t.c.).
The new functions should be able to detect the sqli and apply its results in a secure way(if the student drops a table no actual tables should be dropped but the table should not be visible to the student anymore).

''' * Your solution here * '''

The above solutions are by no way complete,their intention is to start you thinking.
This is a difficult task so if you consider takling it talk to us early on so we can reach a good solution which is possible in the GSoC timeframe.

''' Expected results '''

You should be able to run a big enough subset of OWASP WebGoat PHP with minimal modification as a Hackademic Challenge

GSoC2015 Ideas

2015-02-09T20:04:59Z

Conpap: Created page with "=OWASP Project Requests= == OWASP Hackademic Challenges == === OWASP Hackademic Challenges - New challenges and Improvements to the existing ones === '''Brief Explanation:''..."

GSoC

2014-03-06T16:55:31Z

Conpap:

'''OWASP has been selected as an official Google Summer of Code (“GSoC”) mentoring organization in 2014!'''

Open source software is changing the world and creating the future.
Want to help shaping it? We’re looking for students to join us in making 2014 the best Summer of Code yet!

'''STUDENTS: THE PROPOSAL SUBMISSION PERIOD WILL BE OPEN UNTIL MARCH 21ST 19:00UTC - SUBMIT YOUR APPLICATION NOW HERE:'''

[http://www.google-melange.com/gsoc/homepage/google/gsoc2014 '''GOOGLE MELANGE''']

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.

All students currently enrolled in an accredited institution are welcome to participate in the Google Summer of Code 2014 program, hopefully along with the OWASP Foundation.

Below you could find all the instructions on how to participate.

== What is GSOC? ==

The Google Summer of Code program (“GSoC”) is designed to encourage student participation in open source development. Through GSoC, accepted student applicants will be paired with OWASP mentors that will guide them through their coding tasks.

Benefits to students include:

* Gaining exposure to real-world software development scenarios,
* An opportunity for employment in areas related to their academic pursuits and
* Google will be offering successful student contributors a 5,000 USD stipend, enabling them to focus on their coding projects for three months.

This program is done completely online. Students and mentors from more than 100 countries have participated in past years.

==Instructions common to all participants==

All participants should take a look at the [http://code.google.com/p/google-summer-of-code/ Summer of Code Program Wiki] every now and then to be informed about updates and advices. It is also important to read the [http://www.google-melange.com/gsoc/document/show/gsoc_program/google/gsoc2013/help_page Summer of Code FAQ], as it contains useful information.
All participants will need a Google account in order to join the program. You'll save some time if you create one now.

===Programming Language===

While the majority of OWASP tools are developed using C++/Java, we do accept other languages, including (but not limited to) Python, Ruby and C#. C++ will be accepted for any project. Submissions and ideas for projects in any other language should specifically mention the choice.

==Instructions for students==

Are you a student and want to code for an OWASP project?
Here are the steps and some tips on getting started:

1) Think of a good idea – For reference see
[https://www.owasp.org/index.php/GSoC2014_Ideas GSoC 2014 Ideas]

2) Do some research yourself based on the idea, write up a proposal draft

3) Post it to the mailing list at https://groups.google.com/d/forum/owasp-gsoc for initial discussions with OWASP mentors.

4) Based on feedback, write a full proposal – See template below:
https://www.owasp.org/index.php/GSoC_SAT

5) Submit your proposal to Google from March 10th to March 21st 2014.

Students wishing to participate in GSoC must realize this is a formal commitment to produce code for the selected OWASP Project during three months. You will also take some resources from OWASP project leaders, who will dedicate a portion of their time to mentor you. Therefore, we'd like to have candidates who are committed to helping OWASP mission. You don't have to be a proven developer -- in fact, this whole program is meant to facilitate joining OWASP and other Open Source communities. However, experience in coding and applications are welcome.

You should start familiarising yourself with the components that you plan on working on before the start date. OWASP Project Mentors are available on the mailing list https://groups.google.com/d/forum/owasp-gsoc for help.

===General instructions===
First of all, please read the instructions common to all participants and the [http://www.google-melange.com/gsoc/document/show/gsoc_program/google/gsoc2014/help_page GSoC FAQ]. Pay special attention to the '''Eligibility''' section of the FAQ.

===Recommended steps===
* Read Google's instructions for participating
* Take a look at the list of ideas
* Come up with project that you're interested in
* Write a first draft proposal and get someone to review it for you
* Submit it using Google's web interface

Coming up with an interesting idea is probably the most difficult part of all. It should be something interesting for an OWASP Project, and more importantly for you. It also has to be something that you can realistically achieve in the time available to you.

Finding out what the most pressing issues are in the projects you're interested in is a good start. You can optionally join the mailing lists for that project: you can make acquaintance with developers and your potential mentor, as well as start learning the codebase. We recommend strongly doing that and we will look favourably on applications from students who have started to act like Open Source developers.

===Student proposal guidelines===
A project proposal is what you will be judged upon. So, as a general recommendation, write a clear proposal on what you plan to do, what your project is and what it is not, etc. Several websites now contain hints and other useful information on writing up such proposals.
OWASP does not require a specific format or specific list of information, but there is an application template on the OWASP page in Google Melange with some specific points that you should address in your application:
* Who are you? What are you studying?
* What exactly do you intend to do? What will not be done?
* Why are you the right person for this task?
* To what extent are you familiar with the software you're proposing to work with? Have you used it? Have you read the source? Have you modified the source?
* How many hours are you going to work on this a week? 10? 20? 30? 40?
* Do you have other commitments that we should know about? If so, please suggest a way to compensate if it will take much time away from Summer of Code.
* Are you comfortable working independently under a supervisor or mentor who is several thousand miles away, not to mention 12 time zones away? How will you work with your mentor to track your work? Have you worked in this style before?
* If your native language is not English, are you comfortable working closely with a supervisor whose native language is English? What is your native language, as that may help us find a mentor who has the same native language?
* Where do you live, and can we assign a mentor who is local to you so you can meet in a coffee shop for lunch?

After you have written your proposal, you should get it reviewed. Do not rely on the OWASP mentors to do it for you via the web interface: they will only send back a proposal if they find it lacking. Instead, ask a colleague or a developer to do it for you.

===Hints===
'''Submit your proposal early:''' early submissions get more attention from developers for the simple fact that they have more time to dedicate to reading them. The more people see it, the more it'll get known.

'''Do not leave it all to the last minute:''' while it is Google that is operating the webserver, it would be wise to expect a last-minute overload on the server. So, make sure you send your application before the final rush. Also, note that the applications submitted very late will get the least attention from mentors, so you may get a low vote because of that.

'''Keep it simple:''' we don't need a 10-page essay on the project and on you (Google won't even let you submit a text that long). You just need to be concise and precise.

'''Know what you are talking about:''' the last thing we need is for students to submit ideas that cannot be accomplished realistically or ideas that aren't even remotely related to OWASP Projects. If your idea is unusual, be sure to explain why you have chosen OWASP to be your mentoring organisation.

'''Aim wide:''' submit more than one proposal, to different OWASP Projects. We also recommend submitting to more than one organisation too. This will increase your chances of being chosen.

The PostgreSQL project has also released a list of [http://www.postgresql.org/developer/summerofcodeadvice.html hints] that you can take a look.

==Instructions for mentors==
===Ideas===
If you're a developer and you wish to participate in Summer of Code, you can do it in two ways: the first and easiest is to make a proposal in the [https://www.owasp.org/index.php/GSoC2014_Ideas ideas] page. Take a look at what the different OWASP Projects needs or what you feel should have. Feel free to submit ideas even if you cannot elaborate too much on them.

The second possibility is to be a mentor for a more specific idea. If you wish to do that, please read the instructions common to all participants and the Summer of Code FAQ. Also, please contact the project leader for your application or module and get the go-ahead from him/her. Then edit the ideas page, adding your idea.

Your idea proposal should be a brief description of what the project is, what the desired goals would be, what the student should know and your email address for contact. Please note, though, that the students are not required to follow your idea to the letter, so regard your proposal as just a suggestion.

===Mentoring===
If you wish to help us even more, you can be an OWASP mentor. We will potentially assign a student to you who has never worked on such a large project and will need some help. Make sure you're up for the task.
When subscribing yourself as a mentor, please make sure that your application or module maintainer is aware of that. Ask him/her to send the Summer of Code OWASP Administrators an email confirming to know you. This is just a formality to make sure you are a real person we can trust -- the administrators cannot know all active developers by their Google account ID.

If you would like to get an idea of what is involved in being a good mentor, be sure to read the [http://www.booki.cc/gsoc-mentoring mentoring guide].

You will be subscribed to a mailing list to discuss ideas. We will also require you to read the proposals as they come in and you will be allowed to vote on the proposals, according to rules we will publish later.

Finally, know that we will never assign you to a project you do not want to work on. We will not assign you more projects than you can/want to take on either. And you will have a backup mentor, just in case something unforeseen takes place.

===Subscribing as mentor===
To subscribe as mentor, you need to complete a few easy steps.
* Contact the OWASP GSoC administrators to let them know which project you want to mentor for
* Log in to [http://www.google-melange.com/ Google Melange]
* Apply as a mentor for OWASP
* Subscribe to https://groups.google.com/d/forum/owasp-gsoc

'''The current list of GSOC 2014 Mentors are:'''
* Abraham Aranguren
* Mennouchi Islam Azeddine
* Ryan Barnett
* Simon Bennetts
* Johanna Curiel
* Spyros Gasteratos
* Gareth Heyes
* Krzysztof Kotowicz
* Andres Morales
* Kostas Papapanagiotou
* Andres Riancho
* Guifre Ruiz
* Prasad Shenoy
* Breno Silva
* Andrew van der Stock
* Kevin W. Wall

==Instructions for OWASP Project Leaders==
If you are an OWASP Project Leader, you may be contacted by developers in your project about an idea he wants to submit.
You should judge whether the idea being proposed coincides with the general goals for your OWASP Project. If you feel that is not the case, you should reply to your developer and suggest that he modify the proposal.
You do not need yourself to be a mentor, but we would like you to.

==Contact OWASP GSoC Admininstrators==
To reach the OWASP administrators for Summer of Code, please send an email to the GSOC Administrators below.

'''The GSOC 2014 Administrators are:'''

* Kostas Papapanagiotou (konstantinos@owasp.org)
* Fabio Cerullo (fcerullo@owasp.org)

GSoC

2014-02-12T18:44:43Z

Conpap:

'''OWASP has been selected as an official Google Summer of Code (“GSoC”) mentoring organization in 2013!'''

Open source software is changing the world and creating the future.
Want to help shaping it? We’re looking for students to join us in making 2013 the best Summer of Code yet!

'''STUDENTS: THE PROPOSAL SUBMISSION PERIOD IS OPEN UNTIL 3RD MAY 19:00UTC - SUBMIT YOUR APPLICATION NOW HERE:'''

[http://www.google-melange.com/gsoc/homepage/google/gsoc2013 '''GOOGLE MELANGE''']

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.

All students currently enrolled in an accredited institution are welcome to participate in the Google Summer of Code 2013 program, hopefully along with the OWASP Foundation.

Below you could find all the instructions on how to participate.

== What is GSOC? ==

The Google Summer of Code program (“GSoC”) is designed to encourage student participation in open source development. Through GSoC, accepted student applicants will be paired with OWASP mentors that will guide them through their coding tasks.

Benefits to students include:

* Gaining exposure to real-world software development scenarios,
* An opportunity for employment in areas related to their academic pursuits and
* Google will be offering successful student contributors a 5,000 USD stipend, enabling them to focus on their coding projects for three months.

This program is done completely online. Students and mentors from more than 100 countries have participated in past years.

==Instructions common to all participants==

All participants should take a look at the [http://code.google.com/p/google-summer-of-code/ Summer of Code Program Wiki] every now and then to be informed about updates and advices. It is also important to read the [http://www.google-melange.com/gsoc/document/show/gsoc_program/google/gsoc2013/help_page Summer of Code FAQ], as it contains useful information.
All participants will need a Google account in order to join the program. You'll save some time if you create one now.

===Programming Language===

While the majority of OWASP tools are developed using C++/Java, we do accept other languages, including (but not limited to) Python, Ruby and C#. C++ will be accepted for any project. Submissions and ideas for projects in any other language should specifically mention the choice.

==Instructions for students==

Are you a student and want to code for an OWASP project?
Here are the steps and some tips on getting started:

1) Think of a good idea – For reference see
[https://www.owasp.org/index.php/GSoC2013_Ideas GSoC 2013 Ideas]

2) Do some research yourself based on the idea, write up a proposal draft

3) Post it to the mailing list at https://groups.google.com/d/forum/owasp-gsoc for initial discussions with OWASP mentors.

4) Based on feedback, write a full proposal – See template below:
https://www.owasp.org/index.php/GSoC_SAT

5) Submit your proposal to Google from April 22th April to May 3rd 2013.

Students wishing to participate in GSoC must realize this is a formal commitment to produce code for the selected OWASP Project during three months. You will also take some resources from OWASP project leaders, who will dedicate a portion of their time to mentor you. Therefore, we'd like to have candidates who are committed to helping OWASP mission. You don't have to be a proven developer -- in fact, this whole program is meant to facilitate joining OWASP and other Open Source communities. However, experience in coding and applications are welcome.

You should start familiarising yourself with the components that you plan on working on before the start date. OWASP Project Mentors are available on the mailing list https://groups.google.com/d/forum/owasp-gsoc for help.

===General instructions===
First of all, please read the instructions common to all participants and the [http://www.google-melange.com/gsoc/document/show/gsoc_program/google/gsoc2013/help_page GSoC FAQ]. Pay special attention to the '''Eligibility''' section of the FAQ.

===Recommended steps===
* Read Google's instructions for participating
* Take a look at the list of ideas
* Come up with project that you're interested in
* Write a first draft proposal and get someone to review it for you
* Submit it using Google's web interface

Coming up with an interesting idea is probably the most difficult part of all. It should be something interesting for an OWASP Project, and more importantly for you. It also has to be something that you can realistically achieve in the time available to you.

Finding out what the most pressing issues are in the projects you're interested in is a good start. You can optionally join the mailing lists for that project: you can make acquaintance with developers and your potential mentor, as well as start learning the codebase. We recommend strongly doing that and we will look favourably on applications from students who have started to act like Open Source developers.

===Student proposal guidelines===
A project proposal is what you will be judged upon. So, as a general recommendation, write a clear proposal on what you plan to do, what your project is and what it is not, etc. Several websites now contain hints and other useful information on writing up such proposals.
OWASP does not require a specific format or specific list of information, but there is an application template on the OWASP page in Google Melange with some specific points that you should address in your application:
* Who are you? What are you studying?
* What exactly do you intend to do? What will not be done?
* Why are you the right person for this task?
* To what extent are you familiar with the software you're proposing to work with? Have you used it? Have you read the source? Have you modified the source?
* How many hours are you going to work on this a week? 10? 20? 30? 40?
* Do you have other commitments that we should know about? If so, please suggest a way to compensate if it will take much time away from Summer of Code.
* Are you comfortable working independently under a supervisor or mentor who is several thousand miles away, not to mention 12 time zones away? How will you work with your mentor to track your work? Have you worked in this style before?
* If your native language is not English, are you comfortable working closely with a supervisor whose native language is English? What is your native language, as that may help us find a mentor who has the same native language?
* Where do you live, and can we assign a mentor who is local to you so you can meet in a coffee shop for lunch?

After you have written your proposal, you should get it reviewed. Do not rely on the OWASP mentors to do it for you via the web interface: they will only send back a proposal if they find it lacking. Instead, ask a colleague or a developer to do it for you.

===Hints===
'''Submit your proposal early:''' early submissions get more attention from developers for the simple fact that they have more time to dedicate to reading them. The more people see it, the more it'll get known.

'''Do not leave it all to the last minute:''' while it is Google that is operating the webserver, it would be wise to expect a last-minute overload on the server. So, make sure you send your application before the final rush. Also, note that the applications submitted very late will get the least attention from mentors, so you may get a low vote because of that.

'''Keep it simple:''' we don't need a 10-page essay on the project and on you (Google won't even let you submit a text that long). You just need to be concise and precise.

'''Know what you are talking about:''' the last thing we need is for students to submit ideas that cannot be accomplished realistically or ideas that aren't even remotely related to OWASP Projects. If your idea is unusual, be sure to explain why you have chosen OWASP to be your mentoring organisation.

'''Aim wide:''' submit more than one proposal, to different OWASP Projects. We also recommend submitting to more than one organisation too. This will increase your chances of being chosen.

The PostgreSQL project has also released a list of [http://www.postgresql.org/developer/summerofcodeadvice.html hints] that you can take a look.

==Instructions for mentors==
===Ideas===
If you're a developer and you wish to participate in Summer of Code, you can do it in two ways: the first and easiest is to make a proposal in the [https://www.owasp.org/index.php/GSoC2013_Ideas ideas] page. Take a look at what the different OWASP Projects needs or what you feel should have. Feel free to submit ideas even if you cannot elaborate too much on them.

The second possibility is to be a mentor for a more specific idea. If you wish to do that, please read the instructions common to all participants and the Summer of Code FAQ. Also, please contact the project leader for your application or module and get the go-ahead from him/her. Then edit the ideas page, adding your idea.

Your idea proposal should be a brief description of what the project is, what the desired goals would be, what the student should know and your email address for contact. Please note, though, that the students are not required to follow your idea to the letter, so regard your proposal as just a suggestion.

===Mentoring===
If you wish to help us even more, you can be an OWASP mentor. We will potentially assign a student to you who has never worked on such a large project and will need some help. Make sure you're up for the task.
When subscribing yourself as a mentor, please make sure that your application or module maintainer is aware of that. Ask him/her to send the Summer of Code OWASP Administrators an email confirming to know you. This is just a formality to make sure you are a real person we can trust -- the administrators cannot know all active developers by their Google account ID.

If you would like to get an idea of what is involved in being a good mentor, be sure to read the [http://www.booki.cc/gsoc-mentoring mentoring guide].

You will be subscribed to a mailing list to discuss ideas. We will also require you to read the proposals as they come in and you will be allowed to vote on the proposals, according to rules we will publish later.

Finally, know that we will never assign you to a project you do not want to work on. We will not assign you more projects than you can/want to take on either. And you will have a backup mentor, just in case something unforeseen takes place.

===Subscribing as mentor===
To subscribe as mentor, you need to complete a few easy steps.
* Contact the OWASP GSoC administrators to let them know which project you want to mentor for
* Log in to [http://www.google-melange.com/ Google Melange]
* Apply as a mentor for OWASP
* Subscribe to https://groups.google.com/d/forum/owasp-gsoc

'''The current list of GSOC 2013 Mentors are:'''
* Abraham Aranguren
* Mennouchi Islam Azeddine
* Ryan Barnett
* Simon Bennetts
* Johanna Curiel
* Spyros Gasteratos
* Gareth Heyes
* Krzysztof Kotowicz
* Andres Morales
* Kostas Papapanagiotou
* Andres Riancho
* Guifre Ruiz
* Prasad Shenoy
* Breno Silva
* Andrew van der Stock
* Kevin W. Wall

==Instructions for OWASP Project Leaders==
If you are an OWASP Project Leader, you may be contacted by developers in your project about an idea he wants to submit.
You should judge whether the idea being proposed coincides with the general goals for your OWASP Project. If you feel that is not the case, you should reply to your developer and suggest that he modify the proposal.
You do not need yourself to be a mentor, but we would like you to.

==Contact OWASP GSoC Admininstrators==
To reach the OWASP administrators for Summer of Code, please send an email to the GSOC Administrators below.

'''The GSOC 2013 Administrators are:'''

* Fabio Cerullo (fcerullo@owasp.org)

GSoC2014 Ideas

2014-02-05T21:47:31Z

Conpap: Created page with "==OWASP Project Requests== === OWASP Hackademic Challenges - New challenges and Improvements to the existing ones === ''''Brief Explanation:''' The challenges that have bee..."

==OWASP Project Requests==

=== OWASP Hackademic Challenges - New challenges and Improvements to the existing ones ===

''''Brief Explanation:'''

The challenges that have been implemented so far include: web application challenges covering several vulnerabilities included in the OWASP Top 10, cryptographic challenges, and entire virtual machines including several vulnerabilities.
New challenges need to be created in order to cover a broader set of vulnerabilities.
Also existing challenges can be modified to accept a broader set of valid answers, e.g. by using regular expressions.

Ideas on the project:

* Simulated simple buffer overflows
* SQL injections
* Man in the middle simulation
* Bypassing regular expression filtering
* Your idea here

'''Expected Results:'''

New cool challenges

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Javascript. Good understanding of Application Security and related vulnerabilities.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== OWASP Hackademic Challenges - Source Code testing environment ===

''''Brief Explanation:'''

Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.

'''Expected Results:'''

A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Java. Good understanding of Application Security, source code analysis and related vulnerabilities.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

=== OWASP Hackademic Challenges - CMS improvements ===

''''Brief Explanation:'''

The new CMS was created during last year's GSOC. We have received feedback from users that suggest various improvements regarding functionality e.g. better user, teacher and challenges management. There are also some security improvements that are needed and in general any functionality that adds up to the educational nature of the project is more than welcome.

Ideas on this project:

* '''Plugin api and plugin actions interface'''

An easy way for users to code their own plugins which will modify the appearance of hackademic or add to the functionality.

* '''Ability to show different articles on the user's home screen'''

Now each user is served the latest article in her/his home screen. We need the ability for either the teacher/admin to be able to define what article each class is served.

* '''Ability to define series of challenges'''

The teacher/admin should be able to define a series of challenges (e.g. 2,5,3,1) which are meant to be solved in that order and if one is not solved then the student can't try the next one.

* ''' Tagging of articles, users, challenges '''

A user should be able to put tags on articles and challenges if he is a student and on users, classes, articles and challenges if he is a teacher.
Also the user should be able to search according to the tags.

* '''Your idea here'''

We welcome new ideas to make the project look awesome.

'''Expected Results:'''

New features and security improvements on the CMS part of the project.

'''Knowledge Prerequisites:'''

Comfortable in PHP and HTML. Good understanding of Application Security and related vulnerabilities if you undertake security improvements.

'''Mentors:''' Konstantinos Papapanagiotou, Spyros Gasteratos - Hackademic Challenges Project Leaders

Greece

2013-11-19T18:48:26Z

Conpap: /* Η Ελληνική Κοινότητα */

[[Image:Greekchapterlogo.gif]]

==== Welcome ====

{{Chapter Template|chaptername=Greece|extra=The chapter leader is [mailto:konstantinos@owasp.org Konstantinos Papapanagiotou]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-greece|emailarchives=http://lists.owasp.org/pipermail/owasp-greece}}

<paypal>Greece</paypal>

== OWASP Greek Chapter Committee ==

Chapter Leader: [mailto:conpapATowasp.gr Konstantinos Papapanagiotou]

Committee Members: [mailto:manosATowasp.gr Emmanouel Kellinis], [mailto:steliosATowasp.gr Stelios Tigkas], [mailto:vsvlachosATowasp.gr Vasileios Vlachos]

 

== Τι είναι το OWASP ==

Το ΟWASP (Open Web Application Security Project – http://www.owasp.org) αποτελεί μία πρωτοβουλία που αποσκοπεί στον εντοπισμό και στην καταπολέμηση των τρωτών σημείων του λογισμικού τέτοιων εφαρμογών. Όντας ένας μη κερδοσκοπικός οργανισμός, ακολουθεί την ιδεολογία του Ελεύθερου/Ανοικτού λογισμικού, παρέχοντας δωρεάν αλλά επαγγελματικής ποιότητας έγγραφα, εργαλεία και πρότυπα. Παράλληλα, ενισχύει τη διοργάνωση συνεδρίων και τοπικών ομάδων εργασίας (local chapters), τη δημοσίευση άρθρων και συγγραμμάτων, καθώς και την ανταλλαγή απόψεων μέσα από forums και mailing lists. Το OWASP απαριθμεί μέλη σε όλο τον πλανήτη, συμπεριλαμβανομένων μεγάλων οργανισμών και εταιριών του χώρου όπως VISA, Deloitte, Unisys, Foundstone, και άλλες.

== Η Ελληνική Κοινότητα ==

Η ελληνική ομάδα εργασίας του OWASP δημιουργήθηκε το 2005, με κύριο στόχο την ενημέρωση και την αφύπνιση της ελληνικής κοινότητας αναφορικά με τους κινδύνους ασφαλείας στις διαδικτυακές εφαρμογές. Αφορμή για τη δημιουργία της αποτέλεσαν ουσιαστικά τα ολοένα αυξανόμενα περιστατικά ασφαλείας στο διαδίκτυο, όπως τα κρούσματα phishing σε ελληνικές τράπεζες.

Σήμερα, η ελληνική ομάδα του OWASP δραστηριοποιείται σε προγράμματα Ελεύθερου/Ανοικτού λογισμικού καθώς και μεταφράσεις κειμένων του OWASP στα ελληνικά, προωθώντας την ιδέα του OWASP σε τοπικό επίπεδο. Παράλληλα, μέσα από τη mailing list της ενημερώνει και προκαλεί συζητήσεις σχετικά με επίκαιρα θέματα ασφάλειας στο διαδίκτυο, ενώ εκδίδει και μηνιαίο newsletter.

'''Η Ελληνική Ομάδα Εργασίας του OWASP χρησιμοποιεί για τις εκτυπώσεις της τον [http://www8.hp.com/in/en/products/printers/product-detail.html?oid=5261595#!tab=features HP Deskjet Ink Advantage 4625], επιτυγχάνοντας μεγάλη οικονομία στα μελάνια εκτύπωσης.'''

== Συμμετοχή ==

Η ελληνική κοινότητα του OWASP επιθυμεί να φέρει σε επαφή όλους όσους ενδιαφέρονται και προβληματίζονται για την ασφάλεια των διαδικτυακών εφαρμογών. Ταυτόχρονα, ευπρόσδεκτοι είναι και εθελοντές που προτίθενται να δουλέψουν σε προγράμματα Ελεύθερου/Ανοιχτού λογισμικού που συντονίζει το OWASP. Σας προσκαλούμε να μοιραστείτε μαζί μας ιδέες, σκέψεις και προβληματισμούς σχετικά με επιθέσεις, μεθόδους άμυνας και αντιμετώπισης, εργαλεία και βέλτιστες πρακτικές ασφάλειας στο διαδίκτυο. Ανεξάρτητα από το τεχνικό επίπεδο, το βάθος της προσέγγισης και τις χρησιμοποιούμενες μεθόδους, θα χαρούμε ιδιαίτερα αν έρθετε σε επαφή μαζί μας.

Για να εγγραφείτε στη '''mailing list''' της ελληνικής ομάδας εργασίας επισκεφθείτε [http://lists.owasp.org/mailman/listinfo/owasp-greece αυτή τη σελίδα].

== Ευχαριστίες ==

Θα θέλαμε να ευχαριστήσουμε το [http://www.di.uoa.gr Τμήμα Πληροφορικής και Τηλεπικοινωνιών] του Πανεπιστημίου Αθηνών για τη βοήθεια που παρέχει στην ελληνική ομάδα εργασίας.

[[Image:Universityofathenslogo.gif]]

Επίσης θα θέλαμε να ευχαριστήσουμε θερμά το περιοδικό [http://www.linuxinside.gr/ Linux Inside] για την υποστήριξη και την προβολή καθώς και το [http://www.zero.gr zero.gr].

[[Image:Linuxinside-logo.png]] [[Image:zerologo.png]]

==== News ====

== Ομάδες Εργασίας ==

Αυτήν την περίοδο ψάχνουμε για νέες project ιδέες. Εάν έχεις καινούρια ίδεα για κάποιο εργαλείο, στατιστικά στοιχεία για το πόσο σοβαρά λαμβάνουν στην Ελλάδα το application security οι προγραμματιστές, εταιρίες λογισμικού κτλ ή αν έχεις οποιάδηποτε άλλη ιδέα με κεντρικό θέμα το application security επικοινωνήστε μαζί μας.

== Νέα ==

'''16/3/2011''' - Η πρώτη συνάντηση θα πραγματοποιηθεί στο [http://www.colabworkspace.com/ CoLab Athens Workspace]. Περισσότερες πληφορορίες και εγγραφές [http://owaspgr01.eventbrite.com/ εδώ].

'''20/9/2009''' - Ο [mailto:vsvlachosATowasp.gr Βασίλης Βλάχος], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα, θα συντονίσει στις 26/9/2009 τη συνεδρία με θέμα Web Application Security που συνδιοργανώνει το OWASP.gr στα πλάισια του συνεδρίου 4th Mediterranean Conference on Information Systems ([http://www.mcis2009.org MCIS 2009]). Η συνεδρία θα πραγματοποιηθεί στις 26 Σεπτεμβρίου 2009 και ώρα 15:30 στο Οικονομικό Πανεπιστήμιο Αθηνών.

'''5/3/2009''' - Ο [mailto:conpapATowasp.gr Κωνσταντίνος Παπαπαναγιώτου], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα, θα συντονίσει στις 18 Μαρτίου την ενότητα "Πρότυπα και Νομικές Απαιτήσεις" στα πλαίσια της [http://www.tsomokos.gr/projects2.php EXPOSEC 2009], που διεξάγεται στις 17 και 18 Μαρτίου στο Ζάππειο Μέγαρο.

'''3/2/2009''' - Ο [mailto:conpapATowasp.gr Κωνσταντίνος Παπαπαναγιώτου], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα, έδωσε ζωντανή συνέντευξη στην εκπομπή Ατζέντα+ της ψηφιακής πλατφόρμας της ΕΡΤ (κανάλι Σπορ+/Info+), όπου μίλησε για τις δραστηριότητες του OWASP στην Ελλάδα και έδωσε απλές συμβουλές για την ασφάλεια στο Internet. Μπορείτε να παρακολουθήσετε το βίντεο της συνέντευξης [http://www.youtube.com/watch?v=q0RPKaPGICI εδώ].

'''10/10/2008''' - Το OWASP.gr συμμετέχει στο Athens Digital Week που πραγματοποιείται από τις 13 ως τις 19 Οκτωβρίου στη Τεχνόπολη στο Γκάζι (http://conf.ellak.gr).

'''30/9/2008''' - Το OWASP.gr παρουσιάζει το πρώτο Ελληνικό blog με θέμα την ασφάλεια των διαδικτυακών εφαρμογών αλλά και των υπολογιστικών συστημάτων γενικότερα. Επισκεφθείτε το επίσημο blog της Ελληνικής ομάδας εργασίας του OWASP στο: http://blog.owasp.gr.

'''5/6/2008''' - Η παρουσίαση του OWASP.gr στο 3ο Συνέδριο ΕΛ/ΛΑΚ είναι διαθέσιμη μέσα από την ενότητα [https://www.owasp.org/index.php/OWASP_Education_Presentation#Chapter_Presentations Chapter Presentations] και συγκεκριμένα [http://www.owasp.org/images/e/e5/OWASP_ellak-Greece.ppt εδώ]. Επίσης, βίντεο της παρουσίασης μπορείτε να βρείτε [http://conf.ellak.gr/2008/index.php?option=com_eventlist&Itemid=119&func=details&did=19 εδώ].

'''26/5/2008''' - Το OWASP.gr αναπτύσσει έναν Web Vulnerability Scanner. Μπορείτε να κατεβάσετε την beta έκδοσή του από [https://www.owasp.org/images/6/65/WVS_beta-0.2.1.zip εδώ].

'''15/5/2008''' - Το OWASP.gr συμμετέχει στο 3ο Συνέδριο ΕΛ/ΛΑΚ που πραγματοποιείται στις 27 και 28 Μαΐου στο Εθνικό Μετσόβιο Πολυτεχνείο (http://conf.ellak.gr).

'''20/2/2008''' - Το OWASP.gr συμμετέχει στο 1ο Συνέδριο Κοινοτήτων Ελεύθερου Λογισμικού/Λογισμικού Ανοιχτού Κώδικα που διοργανώνεται στις 21 και 22 Μαρτίου στο Εθνικό Μετσόβειο Πολυτεχνείο (http://www.fosscomm.gr/).

'''2/2/2008''' - Το OWASP.gr συμμετέχει στην παρουσίαση της ομάδας IA4 του E-Business Forum (Προπαρασκευαστικές δράσεις για τη δημιουργία Ελληνικού Κέντρου Επείγουσας Αντιμετώπισης Ψηφιακών Απειλών GR-CERT) στα πλαίσια του Money Show 2008 στις 2/2/2008 στην Αίγλη Ζαππείου.

'''18/4/2007''' - Το E-Βusiness Forum (http://www.ebusinessforum.gr/) έχει δημιουργήσει μία ομάδα εργασίας η οποία έχει αναλάβει τις "'''Προπαρασκευαστικές δράσεις για τη δημιουργία Ελληνικού Κέντρου Επείγουσας Αντιμετώπισης Ψηφιακών Απειλών (GR-CERT)'''". Πληροφορίες σχετικά με τους στόχους και τις δραστηριότητες της ομάδας υπάρχουν [http://www.ebusinessforum.gr/teams/teamsall/view/index.php?ctn=102&language=el εδώ] αλλά και [http://sense.dmst.aueb.gr/ia4/index.php/Main_Page εδώ]. Όποιος ενδιαφέρεται και μπορεί να βοηθήσει να δηλώσει συμμετοχή στις παραπάνω σελίδες ή να απευθυνθεί στο κ. Βασίλειο Βλάχο (στοιχεία επικοινωνίας υπάρχουν στα παραπάνω site).

Καταχωρήθηκε το [http://www.owasp.gr OWASP.gr]!

Με τη βοήθεια του Αναστάσιου Καζακώνη μετέφράστηκαν το "OWASP Top Ten Vulnerabilties in Web Application Security" και το OWASP AppSec FAQ στα Ελληνικά. Έτσι είναι πλέον διαθέσιμες οι ελληνικές εκδόσεις του [http://www.owasp.org/images/8/8b/OWASP_Top_Ten_2004_Greek.pdf OWASP Top Ten] και του [http://www.owasp.org/images/e/ed/OWASP_faq_Greek.pdf OWASP AppSec FAQ].

 

==== Meetings ====

== Call for Presentations ==
Anything related to '''Application''' or '''Information Security'''
*Secure Coding Practices
*Secure Application Development Lifecycle
*Penetration Testing and Exploitation
*Code Reviewing
*Projects and Tools
*Methodologies
*Best Practices

Send:
*Title
*Abstract
*Name and affiliation
*Short Bio
To: [mailto:konstantinos@owasp.org konstantinos@owasp.org]

== Meetings ==

=== 19/4/2013 ===
Χώρος: PWC / Κηφισίας 260, Χαλάνδρι

Περιγραφή: [https://www.owasp.org/images/e/e0/Training_19.04.13_ISACA_OWASP.pdf https://www.owasp.org/images/e/e0/Training_19.04.13_ISACA_OWASP.pdf]

* '''Being a spammer for 40 minutes: how spam works, why it's slowly going away and why it won't disappear''' - '''Martijn Grooten''' (Virus Bulletin)

=== 5/5/2011 ===
Χώρος: [http://www.di.uoa.gr/ Τμήμα Πληροφορικής και Τηλεπικοινωνιών/ΕΚΠΑ]

Περιγραφή: [http://owaspgr02.eventbrite.com/ http://owaspgr02.eventbrite.com/]

* '''Welcome and OWASP News''' - '''Konstantinos Papapanagiotou''' (OWASP Greek Chapter Leader/Syntax IT Inc) '''([[Media:OWASP_gr_meeting_2011_02.pdf‎|PDF]])'''
* '''Protecting the Core: Kernel Exploitation Mitigations''' - '''Patroklos Argyroudis and Dimitris Glynos''' (Census) '''([http://census.gr/media/bheu-2011-slides.pdf PDF])'''

=== 16/3/2011 ===
Χώρος: [http://www.colabworkspace.com/ coLab Athens Workspace]

Περιγραφή: [http://owaspgr01.eventbrite.com/ http://owaspgr01.eventbrite.com/]

* '''Welcome and Intro to OWASP Meetings''' '''([[Media:OWASP_gr_meeting_2011_01_intro.pdf‎‎|PDF]])'''
* '''Application Security for the Masses''' - '''Konstantinos Papapanagiotou''' (OWASP Greek Chapter Leader/Syntax IT Inc) '''([[Media:OWASP_gr_meeting_2011_01_appsec_masses.pdf|PDF]])'''
* '''Cyberdefense and the Kobayashi Maru''' - '''Yiorgos Adamopoulos''' (TEE) '''([[Media:Adamopoulos_Cyberdefense_and_the_Kobayashi_Maru.pdf‎|PDF]])'''

 

==== Events ====

'''26/9/2009''' - Το OWASP.gr συνδιοργανώνει ένα session με θέμα Web Application Security στα πλαίσια του 4th Mediterranean Conference on Information Systems ([http://www.mcis2009.org MCIS 2009]) στις 26 Σεπτεμβρίου 2009 και ώρα 15:30 στο Οικονομικό Πανεπιστήμιο Αθηνών. Το αναλυτικό πρόγραμμα του συνεδρίου καθώς και περισσότερες πληροφορίες υπάρχουν [http://www.mcis2009.org εδώ]. Το session θα συντονίζει ο [mailto:vsvlachosATowasp.gr Βασίλης Βλάχος], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα.

'''18/3/2009''' - Συμμετοχή του OWASP.gr στην [http://www.tsomokos.gr/projects2.php EXPOSEC 2009] που θα πραγματοποιηθεί στις 17 και 18 Μαρτίου στο Ζάππειο Μέγαρο. Ο [mailto:conpapATowasp.gr Κωνσταντίνος Παπαπαναγιώτου], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα, θα συντονίσει στις 18 Μαρτίου την ενότητα "Πρότυπα και Νομικές Απαιτήσεις".

'''17 και 18/10/2008''' - Παρουσίαση του OWASP.gr στα πλαίσια του '''Athens Digital Week''' που πραγματοποιείται από τις 13 ως τις 19 Οκτωβρίου στην Τεχνόπολη στο Γκάζι (http://www.athensdigitalweek.gr). Σύμφωνα με το [http://www.athensdigitalweek.gr/el/the-core/talk-zone πρόγραμμα], η παρουσίαση θα γίνει την Παρασκευή, 17 Οκτωβρίου 2008 και ώρα 16:30 καθώς και το Σάββατο, 18 Οκτωβρίου 2008 και ώρα 18:00.

'''27/5/2008''' - Παρουσίαση του OWASP.gr στα πλαίσια του '''3ου Συνεδρίου Ελεύθερου Λογισμικού / Λογισμικού Ανοιχτού Κώδικα''' που πραγματοποιείται στις 27 και 28 Μαΐου στο Εθνικό Μετσόβειο Πολυτεχνείο (http://conf.ellak.gr). Σύμφωνα με το [http://conf.ellak.gr/2008/index.php?option=com_jcalpro&Itemid=138&extmode=week&date=2008-05-25 πρόγραμμα] του συνεδρίου, η παρουσίαση θα γίνει την Τρίτη, 27 Μαΐου 2008 και ώρα 11:15.

'''22/3/2008''' - Παρουσίαση του OWASP.gr στα πλαίσια του '''1ου Συνέδριο Κοινοτήτων Ελεύθερου Λογισμικού/Λογισμικού Ανοιχτού Κώδικα''' που διοργανώνεται στις 21 και 22 Μαρτίου στο Εθνικό Μετσόβειο Πολυτεχνείο (http://www.fosscomm.gr/). Σύμφωνα με το [http://www.fosscomm.gr/xoops20171/htdocs/uploads/programma_synedriou.html πρόγραμμα], η παρουσίαση θα γίνει στις 17:50.

'''2/2/2008''' - Παρουσίαση της ομάδας IA4 του E-Business Forum (Προπαρασκευαστικές δράσεις για τη δημιουργία Ελληνικού Κέντρου Επείγουσας Αντιμετώπισης Ψηφιακών Απειλών GR-CERT) στα πλαίσια του '''Money Show 2008'''.

==== Archive ====

== Μηνιαίο Ενημερωτικό Δελτίο ==

Καλώς ήλθατε στο μηνιαίο ενημερωτικό δελτίο της Ελληνικής ομάδας εργασίας του OWASP. Στόχος μας είναι η ενημέρωση γύρω από τα θέματα της ελληνικής επικαιρότητας που αφορούν στην ασφάλεια των εφαρμογών διαδικτύου αλλά και στην ασφάλεια γενικότερα. Αν και στο Internet υπάρχουν ήδη πολλές πηγές ενημέρωσης γύρω από θέματα ασφάλειας (π.χ. securityfocus, cryptogram, blogs, κλπ), αυτές επικεντρώνονται συνήθως στη διεθνή επικαιρότητα. Έτσι, μοιραία η ενημέρωση για τα security θέματα που αφορούν στην Ελλάδα προέρχεται από τα τοπικά ειδησεογραφικά site και μέσα.

Με το μηνιαίο αυτό newsletter στοχεύουμε στην αποτύπωση των κυριότερων θεμάτων ασφάλειας που απασχολούν την Ελληνική επικαιρότητα κάθε μήνα, αλλά και σημαντικών νέων από τη διεθνή infosec επικαιρότητα που κρίνουμε πως πρέπει να σχολιάσουμε. Παράλληλα, θα υπάρχουν ενδιαφέροντα επιστημονικά θέματα αλλά και ενημέρωση γύρω από τη δραστηριότητα του OWASP. Το newsletter θα διαμοιράζεται μέσω της mailing list του OWASP.gr, ενώ ταυτόχρονα θα δημοσιεύεται και εδώ σε μορφή pdf. Υπεύθυνος για την έκδοσή του είναι ο συνεργάτης του OWASP.gr Γιάννης Αναστασόπουλος.

Ελπίζουμε πως θα βρείτε το newsletter αυτό ενδιαφέρον και χρήσιμο. Φυσικά, βρίσκεται σε… εμβρυικό στάδιο. Για το λόγο αυτό κάθε συνεισφορά σας στη δημιουργία του θα ήταν ιδιαίτερα σημαντική, για να γίνει το newsletter πιο χρήσιμο για όλους. Έτσι, για οποιαδήποτε σχόλια, προσθήκες, προτάσεις, παρατηρήσεις ή συζητήσεις μπορείτε να απευθύνεστε στη mailing list του OWASP.gr ([mailto:owasp-greece@lists.owasp.org owasp-greece@lists.owasp.org]).

 [http://www.owasp.org/images/2/21/OWASP_gr_newsletter_1.pdf Ενημερωτικό Δελτίο νο1 - Δεκέμβριος 2006]

[http://www.owasp.org/images/0/0a/OWASP_gr_newsletter_2.pdf Ενημερωτικό Δελτίο νο2 - Ιανουάριος 2007]

[http://www.owasp.org/images/4/4e/OWASP_gr_newsletter_3.pdf Ενημερωτικό Δελτίο νο3 - Φεβρουάριος 2007]

[http://www.owasp.org/images/b/b1/OWASP_gr_newsletter_4.pdf Ενημερωτικό Δελτίο νο4 - Μάρτιος-Απρίλιος 2007]

[https://www.owasp.org/images/1/11/OWASP_gr_newsletter_5.pdf Ενημερωτικό Δελτίο νο5 - Ιανουάριος 2008]

[https://www.owasp.org/images/3/3f/OWASP_gr_newsletter_6.pdf Ενημερωτικό Δελτίο νο6 - Φεβρουάριος 2008]

__NOTOC__ <headertabs />

[[Category:OWASP_Chapter]]
[[Category:Europe]]

Projects Summit 2013/Attendes

2013-09-27T08:22:36Z

Conpap: /* Attendees List and availability */

This page has the current list of projected attendee.

If you are going to be at the Projects Summit, please add your name to the list bellow, indicating your availability

===Legend:===

* AD = All Day
* MO = Morning
* AF = Afternoon
* EV = Evening

===Attendees List and availability===

* '''Andrew van der Stock''': Mon (AD) Tue (AD), Wed (MO)
* '''Andrew Muller''': Mon (AD) Tue (AD), Wed (MO)
* '''Chris Smith''': Mon (AD) Tue (AD), Wed (MO)
* '''Dennis Groves''': Sun (MO), Mon (AD) Tue (AD), Wed (MO),
* '''Dinis Cruz''': Sun (AD), Mon (AD) Tue (AD), Wed (MO), Thu (MO)
* '''Fabio Cerullo''':
* '''Jonathan Marcil''':
* '''Konstantinos Papapanagiotou''': Sun (AD), Mon (AD) Tue (AD), Wed (AD), Thu (AF)
* '''Larry Conklin''':
* '''Martin Knobloch''':
* '''Simon Bennetts''': Tue (EV), Wed(MO), Thu (MO)
* '''Samantha Groves''': Sun (AD), Mon (AD) Tue (AD), Wed (AD), Thu (AD), Fri (AD)
* '''Seba Deleersnyder''': Wed (AD), Thu (AD)

{{:Projects_Summit_2013/Navigation}}

GSoC2013 Ideas

2013-04-08T20:45:57Z

Conpap:

==OWASP Project Requests==
===OWASP PHP Security Project===

'''Description:'''
OWASP PHP Security project plans to gather around secure PHP libraries, and provide a full featured framework of libraries for secure web applications in PHP, both as separate de-coupled libraries and as a whole secure web application framework. Many aspects of this project are already handled, and are being added to OWASP.

'''Expected Results: ''' Result of this project is much more security among PHP applications. Most PHP applications are vulnerable and there's no central approach to secure them (due to open source nature). Many people look at OWASP for such information.

'''Knowledge prerequisite:''' Anyone with adequate PHP programming language experience (possibly web application development in PHP). There are hard and easy parts of this project. For tougher parts, familiarity with security concepts, advanced SQL, and advanced PHP and web server configuration is required.

'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]

===OWASP RBAC Project===
'''Description:''' ''For the last 6 years, improper access control has been the issue behind two of the Top Ten lists''.

RBAC stands for Role Based Access Control and is the de-facto access control and authorization standard. It simplifies access control and its maintenance for small and enterprise systems alike. NIST RBAC standard has four levels, the second level hierarchical RBAC is intended for this project.

Unfortunately because of many performance and development problems, no suitable RBAC implementation was available until recently, so developers and admins mostly used ACLs and other forms of simple access control methods, which leads to broken and unmaintainable access control over the time.

OWASP provides the RBAC project, as a stand-alone library with very fast access control checks and standard mature code-base. Currently [[PHPRBAC]] which is the PHP version of the RBAC project is released.

'''Expected Results:''' Standard NIST level 2 hierarchical RBAC libraries for different programming languages, specially web-based ones such as C/C++/Java/ASP/ASPX/Python/Perl/etc.

'''Knowledge prerequisite:''' Good SQL knowledge, library development schemes, familiarity with one of the programming languages.

'''Mentor:''' [[User:Abbas Naderi|Abbas Naderi]]

'''Skill Level:''' Advanced

For more info, visit [http://phprbac.net phprbac.net]

===OWASP XSSer Project===

XSSer has a correct engine implementation to search/exploit XSS vulnerabilities, but it is necessary to work on some different fields to obtain better results. Some of them are: to fight against "false positive" results, to implemenet a better human-readable output results and to develop some new features (like; CSSer, Code checks user inputs, etc...). Also, it will be nice to update the tool with more valid XSS vectors (DOM, DCP, reflected, etc...) and some "anti-anti-XSS" systems for more common browsers.

There is a roadmap on a pdf file with all tasks required to advance to next release of 'XSSer' (v1.7b - Total Swarm!)

Download: http://xsser.sourceforge.net/xsser/xsser-roadmap.pdf

'''Brief explanation:'''

Below is shown a structure of phases and milestones code areas.

Milestones:
• Phase 1: Core:
+ Bugfixing:
- False positives
- Fix “swarm” results
- Fix 'maximize' screen (bug reported)
- Add auto-update revision
- Fix multithreading (review)
- Research 'glibc' corruption

+ Add crawlering for POST+GET (auto test 'whole' page forms)
+ Update XSS payloads (vectors.py / DOM.py / DCP.py / etc...)
+ Advance Statistics results (show more detailed outputs)
+ Advance Exporting methods (create 'whitehat' reports (xml/json))
+ Advance “WebSockets” technology on XSSer 'fortune' option
+ Update Interface (GTK+)

• Phase 2: New features:
+ Add 'code pre-check' option: Users can set which code will return target's website, to try to evade false positive results.
+ Add 'CSSer' option: Payloads for CSS injections.
+ Research/Search anti-IDS/NIDS/IPS... codes to evade XSS filters.
+ BurpXSSer: Create a Burp plugin (with Jython libs)
+ ZAPXSSer: Create a ZAP plugin (with Jython libs)

'''Expected results:'''

* To deploy a new stable version of XSSer with GTk+/Web/Shell main features working propertly,

The code should be:

* Clean and easy to follow
* Include a full set of unit tests
* Include good documentation

'''Knowledge Prerequisite:'''

XSSer is written in Python, so a good knowledge of this language is recommended, as is knowledge of HTML and Javascript. Also, is necessary to have some knowledge of application security and more in concret about XSS techniques.

'''Skill Level:''' Medium

'''Mentor: epsylon (psy) - OWASP XSSer Project Leader'''

===OWASP ZAP: Dynamically Configurable actions===

ZAP provides various mechanisms which allow HTTP requests and responses to be changed dynamically. So (for example) a string in an HTTP request can automatically be changed to another string.

It also supports a scripting interface, which is very powerful but at the moment difficult to use.

This project would introduce something inbetween thess 2 options - a powerful way of defining (potentially) complex rules using a wizard based interface.

The challenge will be to make it as usable as possible while still providing a wide range of functionality.

'''Brief explanation:'''

This component would provide a set of highly configurable 'actions' which the user would see up via a wizard.

So they would initially define when the action applies, based on things like regex matching on request elements. And they should be able to define multiple criteria with ANDs and ORs.

Then they would define the actions, which could include:

* Changing the request (adding, removing or replacing strings)
* Raising alerts
* Breaking (to replace existing break points)
* Running custom scripts (which could do pretty much anything)

They would then be able to switch the actions on and off from the full list of defined actions using checkboxes

'''Expected results:'''

* A new ZAP add-on providing the above functionality
The code should be:
* Clean and easy to follow
* Include a full set of unit tests
* Include good documentation

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentor: Simon Bennetts - OWASP ZAP Project Leader'''

===OWASP ZAP: Enhanced HTTP Session Handling===

'''Brief explanation:'''

ZAP can currently manage multiple sessions. This development would allow ZAP to better handle HTTP Sessions to provide different views of a given target depending on the different user's permissions that the targeted site supports.

This implementation such provide a set of methods to answer questions such as: 1)What nodes(pages) are available to a group of users and not to other groups of users 2)What nodes are available to different users but these contain significant differences in the HTTP headers and/or in the body content.

This will allow ZAP to be used to detect access control issues which would otherwise require manual testing.
Expected results:

* ZAP will have an understanding of both users and roles and be able to associate them with HTTP sessions.
* The user will be able to associate credentials with different roles allowing ZAP to automatically authenticate as any user / role.
* ZAP will be able to spider an application using a given user/role.
* ZAP will be able to report the differences between different HTTP sessions.
* ZAP will be able to show different views of the site in the site's tree tab with the pages visible for each session.
* ZAP will be able to attack one session based on the URLs accessed in another session and report which appear to work.

'''Expected results:'''

Users will be able to:
* specify exactly which alerts are included, by context, site or on an individual alert basis
* specify what information is included and how it is layed out
* specify a range of output formats, at least including HTML and PDF
* include details of what testing has been performed (automatically generated where possible)
* apply their own branding
* save report templates, and apply templates downloaded from the ZAP marketplace
The code should be:
* Clean and easy to follow
* Include a full set of unit tests
* Include good documentation

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML and the HTTP protocol specification. Some knowledge of application security would be useful, but not essential.

'''Mentor: Guifre Ruiz - OWASP ZAP Dev Team'''

===OWASP ZAP: Advanced reporting===

'''Brief explanation:'''

The reports that ZAP generates are in a fixed format which is not particularly useful or attractive. This development would provide the user with a fine grained control over the contents, layout and branding of the reports.

'''Expected results:'''

A new user interface for genrating reports which is easy to use and provides the user with a wide range of options.
The code should be:
* Clean and easy to follow
* Include a full set of unit tests
* Include good documentation

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.

'''Mentor: Simon Bennetts - OWASP ZAP Project Leader'''

===OWASP ZAP - SAML 2.0 Support===

'''Brief explanation:'''

SAML 2.0 is an XML-based federated single sign-on (FSSO) protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, that is an identity provider, and a SAML consumer, that is a service provider. SAML 2.0 enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO). SAML specifications support many ways, called profiles and bindings, to generate and transport assertions between trusted entities The Web Browser SSO profile is of particular interest here since it enables web applications from 2 separate domains to leverage SSO easily by exchanging assertions via a web browser session.

ZAP provides various mechanisms which allow HTTP requests and responses to be changed dynamically. This project will enhance those capabilities to be able to detect and fuzz various elements and attributes of a SAML Assertion.

The scope of this project is limited to the following SAML bindings, profiles and protocols:

Profiles :
* Web Browser SSO

Bindings:
* HTTP POST
* HTTP Redirect

Protocols:
* Authentication Request Protocol

'''Expected results:'''

This component would enable ZAP to:
* Detect SAML Assertions in HTTP requests and responses
* Decode SAML Assertions
* Fuzz various entities and attributes within a SAML assertion
* Re-encode the assertion and send it forward
The code should be:
* Clean and easy to follow
* Include a full set of unit tests
* Include good documentation

Users would have a choice either to fuzz the attributes within an assertion or just add/remove arbitrary attribute (to check for XML and SAML Schema Conformance).

'''Knowledge Prerequisite:'''

ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML and SAML 2.0 Protocol. Some knowledge of application security would be useful, but not essential. Understanding of SSO and Federated SSO is preferred.

'''Mentor: Prasad N. Shenoy'''

===OWASP Security Research and Development Framework ===

'''Brief explanation:'''

This is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches and ideas from the theoretical approach to the practical implementation.

This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF.

Targeted Applications:

* Packet Analysis Tools (Personal Firewalls, HIDS/HIPS, WAF, Network Analysis, Network Capture)
* Malware Analysis Tools (Static, Dynamic, Behavioral)
* Antivirus and Virus Removal Tools (Signature-based, Behavioral-based)

'''Expected results:'''

* Implement XRAY Tool, Recursive Disassembler Tool (based on our disassembler)
* Improve Pokas Emulator and its disassembler engine
* Improve The Kernel-Mode Part and more beta-testing
* Integrate SRDF in python using SWIG

'''Knowledge Prerequisite:'''

We need variety of skills in different languages and platforms. We need a good knowledge in C++ in windows. We need a python developer for integrating SRDF in python. We need C++ developers have a good knowledge in Assembly (for working in disassembling part) and we need C++ developers have a knowledge in Kernel-Mode(for Kernel-Mode improvement and beta-testing)

'''Mentor: Amr Thabet - OWASP Security Research and Development Framework Project Leader'''

=== OWASP ModSecurity CRS - Create "Sniffer-Mode" ===

'''Brief explanation:'''

The ModSecurity code includes a "standalone" version that wraps a light weight Apache/APR around the ModSecurity code. This is used as the basis for the ports to the IIS/Nginx web server platforms. The goal for this project task is to extend this standalone version so that it can accept a data feed of network traffic (e.g. libpcap) data as input and apply the ModSecurity CRS rules. One possible solution would be create a ModSecurity "plugin" for the Snort IDS.

'''Expected results:'''

This new sniffer mode would allow organizations to run ModSecurity/OWASP ModSecurity CRS in an out of line mode as they do IDS systems.

'''Knowledge Prerequisite:'''

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''

=== OWASP ModSecurity CRS - Port to Java ===

'''Brief explanation:'''

The goal is to have a ModSecurity version that can be used within Java servers (e.g. Tomcat). There may be methods to use JNI to call the standalone code from a filter in Tomcat.

'''Expected results:'''

This new version allow organizations to run ModSecurity/OWASP ModSecurity CRS in Java web servers.

'''Knowledge Prerequisite:'''

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''

=== OWASP ModSecurity CRS - Implement libinjection Code ===

'''Brief explanation:''' https://www.modsecurity.org/tracker/browse/MODSEC-327

libinjection (https://github.com/client9/libinjection) is a C library that detects SQLi attacks in user input. It is designed to be embedded in existing or new applications:

*Fast > 100k inspections per second
*No memory allocation
*No threads
*Stable memory usage (approximately 500 bytes on stack)
*500 lines of C code (plus a few kiobytes of data)

It is based on lexical analysis of SQL and SQLi attempts and does not use regular expressions.

'''Expected results:'''

The new C code in ModSecurity will allow us to add new SQL Injection detection methods to the OWASP ModSecurity CRS.

'''Knowledge Prerequisite:'''

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''

=== OWASP ModSecurity CRS - Implement DoS Prevention Code ===

'''Brief explanation:''' https://www.modsecurity.org/tracker/browse/MODSEC-265

Implement a request velocity learning engine to identify dynamic DoS thresholds for both the site and for the particular URL.

'''Expected results:'''

The new C code in ModSecurity will allow us to add new DoS Protection methods to the OWASP ModSecurity CRS.

'''Knowledge Prerequisite:'''

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''

=== OWASP ModSecurity CRS - Create a Positive Learning/Profile Engine ===

'''Brief explanation:''' https://www.modsecurity.org/tracker/browse/MODSEC-193

ModSecurity needs a profiling engine that implements the various AppSensor Detection Points - http://blog.spiderlabs.com/2011/08/implementing-appsensor-detection-points-in-modsecurity.html.

'''Expected results:'''

The new engine will implement more detection points to detect abnormal request attributes.

'''Knowledge Prerequisite:'''

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''

=== OWASP ModSecurity CRS - Create an Engine to Detect Application Flow Anomalies ===

'''Brief explanation:'''

Need an engine that can track normal application flow paths (click-flows) for business logic transactions - such as transferring money from accounts. After profiling normal application path flows, we want to then be able to alert to anomalies. This type of logic can help to prevent Banking Trojan attacks.

'''Expected results:'''

The engine will be able to alert on anomalous application flows.

'''Knowledge Prerequisite:'''

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

'''Mentor: Ryan Barnett - OWASP ModSecurity Core Rule Set Project Leader'''

=== OWASP OWTF - Reporting ===

'''Brief explanation:'''

A common complaint about OWASP OWTF so far has been that the report is not very shiny. The intention here is to:
* Move as much of the HTML away from python files into template files: This will facilitate web designer's work in the future.
* Apply some nice web design to the report so that it is more nice and comfortable to work with: Clear the HTML, CSS, etc
* Identify and fix areas of improvement in click flow: For example, try to reduce the distance to move the mouse

'''Expected results:'''

* The first reaction when an OWASP OWTF users opens the report is now "wow"
* The report is reliable and easy to work with, even when more than 30 URLs have been assessed (i.e. a lot of data in the report does not crash or make the browser slow)
* The improved design is lightweight and keeps the browser responsive at all times

'''Knowledge Prerequisite:'''

HTML, JavaScript, CSS and a bit of Python. Web Designer background or experience would be beneficial for this.

'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader'''

=== OWASP OWTF - Multiprocessing ===

'''Brief explanation:'''

OWASP OWTF can be quite slow when scanning multiple URLs simultanously due to not scanning several hosts in parallel. We would like to use the multiprocessing python library over the threading one to take full advantage of multi-core processors without the global interpreter lock (GIL) issues associated with the threading libary :)
* We would like to scan in parallel several websites when on a different IP:
* We would like to monitor the host machine resources to avoid crashing it before spawning new processes :)
* We would like to run plugins in parallel as much as possible but without compromising integrity: Using file locks where appropriate and so on

'''Expected results:'''

* Reliability
* Test cases
* Good documentation

'''Knowledge Prerequisite:'''

Python, multiprocessing experience would be beneficial for this

'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader'''

=== OWASP OWTF - SQL database ===

'''Brief explanation:'''

OWASP OWTF scans may take a large amount of disk space due to saving information in text files, we would like to add an option to use a SQL database, probably using the sqlalchemy python library.
* Keep the current text file format as an option
* Add a database storage option using the sqlalchemy library

'''Expected results:'''

* Reliability: Both with the sql database option and the text file options.
* Test cases
* Good documentation

'''Knowledge Prerequisite:'''

Python, sqlalchemy experience would be beneficial for this

'''Mentor: Abraham Aranguren - OWASP OWTF Project Leader'''

=== OWASP Hackademic Challenges - New challenges ===

''''Brief Explanation:'''

The challenges that have been implemented so far include: web application challenges covering several vulnerabilities included in the OWASP Top 10, cryptographic challenges, entire virtual machines including several vulnerabilities. New challenges need to be created in order to cover a broader set of vulnerabilities.
Also existing challenges can be modified to accept a broader set of valid answers, e.g. by using regular expressions.

'''Expected Results:'''

New challenges

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Java. Good understanding of Application Security and related vulnerabilities.

'''Mentor:''' Konstantinos Papapanagiotou - Hackademic Challenges Project Leader

=== OWASP Hackademic Challenges - Source Code testing environment ===

''''Brief Explanation:'''

Existing challenges are based on a dynamic application testing concept. We would like to work on a project that will give the capability to the attacker to review a vulnerable piece of source code, make corrections and see the result in a realistic (but yet safe) runtime environment. The code can either be run if needed or tested for correctness and security. The implementation challenges of such a project can be numerous, including creating a realistic but also secure environment, testing submitted solutions and grading them in an automatic manner. At the same time there are now numerous sites that support submitting code and then simulate or implement a compiler's functionality.

'''Expected Results:'''

A source code testing and improvement environment where a user will be able to review, improve and test the result of a piece of source code.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Java. Good understanding of Application Security, source code analysis and related vulnerabilities.

'''Mentor:''' Konstantinos Papapanagiotou - Hackademic Challenges Project Leader

=== OWASP Hackademic Challenges - CMS improvements ===

''''Brief Explanation:'''

The new CMS was created during last year's GSOC. We have received feedback from users that suggest various improvements regarding functionality e.g. better user, teacher and challenges management. There are also some security improvements that are needed and in general any functionality that adds up to the educational nature of the project is more than welcome.

'''Expected Results:'''

User experience, new features and security improvements on the CMS part of the project.

'''Knowledge Prerequisites:'''

Comfortable in PHP, HTML and possibly Java. Good understanding of Application Security and related vulnerabilities.

'''Mentor:''' Konstantinos Papapanagiotou - Hackademic Challenges Project Leader

Greece

2013-04-02T07:10:21Z

Conpap:

[[Image:Greekchapterlogo.gif]]

==== Welcome ====

{{Chapter Template|chaptername=Greece|extra=The chapter leader is [mailto:konstantinos@owasp.org Konstantinos Papapanagiotou]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-greece|emailarchives=http://lists.owasp.org/pipermail/owasp-greece}}

<paypal>Greece</paypal>

== OWASP Greek Chapter Committee ==

Chapter Leader: [mailto:conpapATowasp.gr Konstantinos Papapanagiotou]

Committee Members: [mailto:manosATowasp.gr Emmanouel Kellinis], [mailto:steliosATowasp.gr Stelios Tigkas], [mailto:vsvlachosATowasp.gr Vasileios Vlachos]

 

== Τι είναι το OWASP ==

Το ΟWASP (Open Web Application Security Project – http://www.owasp.org) αποτελεί μία πρωτοβουλία που αποσκοπεί στον εντοπισμό και στην καταπολέμηση των τρωτών σημείων του λογισμικού τέτοιων εφαρμογών. Όντας ένας μη κερδοσκοπικός οργανισμός, ακολουθεί την ιδεολογία του Ελεύθερου/Ανοικτού λογισμικού, παρέχοντας δωρεάν αλλά επαγγελματικής ποιότητας έγγραφα, εργαλεία και πρότυπα. Παράλληλα, ενισχύει τη διοργάνωση συνεδρίων και τοπικών ομάδων εργασίας (local chapters), τη δημοσίευση άρθρων και συγγραμμάτων, καθώς και την ανταλλαγή απόψεων μέσα από forums και mailing lists. Το OWASP απαριθμεί μέλη σε όλο τον πλανήτη, συμπεριλαμβανομένων μεγάλων οργανισμών και εταιριών του χώρου όπως VISA, Deloitte, Unisys, Foundstone, και άλλες.

== Η Ελληνική Κοινότητα ==

Η ελληνική ομάδα εργασίας του OWASP δημιουργήθηκε το 2005, με κύριο στόχο την ενημέρωση και την αφύπνιση της ελληνικής κοινότητας αναφορικά με τους κινδύνους ασφαλείας στις διαδικτυακές εφαρμογές. Αφορμή για τη δημιουργία της αποτέλεσαν ουσιαστικά τα ολοένα αυξανόμενα περιστατικά ασφαλείας στο διαδίκτυο, όπως τα κρούσματα phishing σε ελληνικές τράπεζες.

Σήμερα, η ελληνική ομάδα του OWASP δραστηριοποιείται σε προγράμματα Ελεύθερου/Ανοικτού λογισμικού καθώς και μεταφράσεις κειμένων του OWASP στα ελληνικά, προωθώντας την ιδέα του OWASP σε τοπικό επίπεδο. Παράλληλα, μέσα από τη mailing list της ενημερώνει και προκαλεί συζητήσεις σχετικά με επίκαιρα θέματα ασφάλειας στο διαδίκτυο, ενώ εκδίδει και μηνιαίο newsletter.

== Συμμετοχή ==

Η ελληνική κοινότητα του OWASP επιθυμεί να φέρει σε επαφή όλους όσους ενδιαφέρονται και προβληματίζονται για την ασφάλεια των διαδικτυακών εφαρμογών. Ταυτόχρονα, ευπρόσδεκτοι είναι και εθελοντές που προτίθενται να δουλέψουν σε προγράμματα Ελεύθερου/Ανοιχτού λογισμικού που συντονίζει το OWASP. Σας προσκαλούμε να μοιραστείτε μαζί μας ιδέες, σκέψεις και προβληματισμούς σχετικά με επιθέσεις, μεθόδους άμυνας και αντιμετώπισης, εργαλεία και βέλτιστες πρακτικές ασφάλειας στο διαδίκτυο. Ανεξάρτητα από το τεχνικό επίπεδο, το βάθος της προσέγγισης και τις χρησιμοποιούμενες μεθόδους, θα χαρούμε ιδιαίτερα αν έρθετε σε επαφή μαζί μας.

Για να εγγραφείτε στη '''mailing list''' της ελληνικής ομάδας εργασίας επισκεφθείτε [http://lists.owasp.org/mailman/listinfo/owasp-greece αυτή τη σελίδα].

== Ευχαριστίες ==

Θα θέλαμε να ευχαριστήσουμε το [http://www.di.uoa.gr Τμήμα Πληροφορικής και Τηλεπικοινωνιών] του Πανεπιστημίου Αθηνών για τη βοήθεια που παρέχει στην ελληνική ομάδα εργασίας.

[[Image:Universityofathenslogo.gif]]

Επίσης θα θέλαμε να ευχαριστήσουμε θερμά το περιοδικό [http://www.linuxinside.gr/ Linux Inside] για την υποστήριξη και την προβολή καθώς και το [http://www.zero.gr zero.gr].

[[Image:Linuxinside-logo.png]] [[Image:zerologo.png]]

==== News ====

== Ομάδες Εργασίας ==

Αυτήν την περίοδο ψάχνουμε για νέες project ιδέες. Εάν έχεις καινούρια ίδεα για κάποιο εργαλείο, στατιστικά στοιχεία για το πόσο σοβαρά λαμβάνουν στην Ελλάδα το application security οι προγραμματιστές, εταιρίες λογισμικού κτλ ή αν έχεις οποιάδηποτε άλλη ιδέα με κεντρικό θέμα το application security επικοινωνήστε μαζί μας.

== Νέα ==

'''16/3/2011''' - Η πρώτη συνάντηση θα πραγματοποιηθεί στο [http://www.colabworkspace.com/ CoLab Athens Workspace]. Περισσότερες πληφορορίες και εγγραφές [http://owaspgr01.eventbrite.com/ εδώ].

'''20/9/2009''' - Ο [mailto:vsvlachosATowasp.gr Βασίλης Βλάχος], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα, θα συντονίσει στις 26/9/2009 τη συνεδρία με θέμα Web Application Security που συνδιοργανώνει το OWASP.gr στα πλάισια του συνεδρίου 4th Mediterranean Conference on Information Systems ([http://www.mcis2009.org MCIS 2009]). Η συνεδρία θα πραγματοποιηθεί στις 26 Σεπτεμβρίου 2009 και ώρα 15:30 στο Οικονομικό Πανεπιστήμιο Αθηνών.

'''5/3/2009''' - Ο [mailto:conpapATowasp.gr Κωνσταντίνος Παπαπαναγιώτου], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα, θα συντονίσει στις 18 Μαρτίου την ενότητα "Πρότυπα και Νομικές Απαιτήσεις" στα πλαίσια της [http://www.tsomokos.gr/projects2.php EXPOSEC 2009], που διεξάγεται στις 17 και 18 Μαρτίου στο Ζάππειο Μέγαρο.

'''3/2/2009''' - Ο [mailto:conpapATowasp.gr Κωνσταντίνος Παπαπαναγιώτου], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα, έδωσε ζωντανή συνέντευξη στην εκπομπή Ατζέντα+ της ψηφιακής πλατφόρμας της ΕΡΤ (κανάλι Σπορ+/Info+), όπου μίλησε για τις δραστηριότητες του OWASP στην Ελλάδα και έδωσε απλές συμβουλές για την ασφάλεια στο Internet. Μπορείτε να παρακολουθήσετε το βίντεο της συνέντευξης [http://www.youtube.com/watch?v=q0RPKaPGICI εδώ].

'''10/10/2008''' - Το OWASP.gr συμμετέχει στο Athens Digital Week που πραγματοποιείται από τις 13 ως τις 19 Οκτωβρίου στη Τεχνόπολη στο Γκάζι (http://conf.ellak.gr).

'''30/9/2008''' - Το OWASP.gr παρουσιάζει το πρώτο Ελληνικό blog με θέμα την ασφάλεια των διαδικτυακών εφαρμογών αλλά και των υπολογιστικών συστημάτων γενικότερα. Επισκεφθείτε το επίσημο blog της Ελληνικής ομάδας εργασίας του OWASP στο: http://blog.owasp.gr.

'''5/6/2008''' - Η παρουσίαση του OWASP.gr στο 3ο Συνέδριο ΕΛ/ΛΑΚ είναι διαθέσιμη μέσα από την ενότητα [https://www.owasp.org/index.php/OWASP_Education_Presentation#Chapter_Presentations Chapter Presentations] και συγκεκριμένα [http://www.owasp.org/images/e/e5/OWASP_ellak-Greece.ppt εδώ]. Επίσης, βίντεο της παρουσίασης μπορείτε να βρείτε [http://conf.ellak.gr/2008/index.php?option=com_eventlist&Itemid=119&func=details&did=19 εδώ].

'''26/5/2008''' - Το OWASP.gr αναπτύσσει έναν Web Vulnerability Scanner. Μπορείτε να κατεβάσετε την beta έκδοσή του από [https://www.owasp.org/images/6/65/WVS_beta-0.2.1.zip εδώ].

'''15/5/2008''' - Το OWASP.gr συμμετέχει στο 3ο Συνέδριο ΕΛ/ΛΑΚ που πραγματοποιείται στις 27 και 28 Μαΐου στο Εθνικό Μετσόβιο Πολυτεχνείο (http://conf.ellak.gr).

'''20/2/2008''' - Το OWASP.gr συμμετέχει στο 1ο Συνέδριο Κοινοτήτων Ελεύθερου Λογισμικού/Λογισμικού Ανοιχτού Κώδικα που διοργανώνεται στις 21 και 22 Μαρτίου στο Εθνικό Μετσόβειο Πολυτεχνείο (http://www.fosscomm.gr/).

'''2/2/2008''' - Το OWASP.gr συμμετέχει στην παρουσίαση της ομάδας IA4 του E-Business Forum (Προπαρασκευαστικές δράσεις για τη δημιουργία Ελληνικού Κέντρου Επείγουσας Αντιμετώπισης Ψηφιακών Απειλών GR-CERT) στα πλαίσια του Money Show 2008 στις 2/2/2008 στην Αίγλη Ζαππείου.

'''18/4/2007''' - Το E-Βusiness Forum (http://www.ebusinessforum.gr/) έχει δημιουργήσει μία ομάδα εργασίας η οποία έχει αναλάβει τις "'''Προπαρασκευαστικές δράσεις για τη δημιουργία Ελληνικού Κέντρου Επείγουσας Αντιμετώπισης Ψηφιακών Απειλών (GR-CERT)'''". Πληροφορίες σχετικά με τους στόχους και τις δραστηριότητες της ομάδας υπάρχουν [http://www.ebusinessforum.gr/teams/teamsall/view/index.php?ctn=102&language=el εδώ] αλλά και [http://sense.dmst.aueb.gr/ia4/index.php/Main_Page εδώ]. Όποιος ενδιαφέρεται και μπορεί να βοηθήσει να δηλώσει συμμετοχή στις παραπάνω σελίδες ή να απευθυνθεί στο κ. Βασίλειο Βλάχο (στοιχεία επικοινωνίας υπάρχουν στα παραπάνω site).

Καταχωρήθηκε το [http://www.owasp.gr OWASP.gr]!

Με τη βοήθεια του Αναστάσιου Καζακώνη μετέφράστηκαν το "OWASP Top Ten Vulnerabilties in Web Application Security" και το OWASP AppSec FAQ στα Ελληνικά. Έτσι είναι πλέον διαθέσιμες οι ελληνικές εκδόσεις του [http://www.owasp.org/images/8/8b/OWASP_Top_Ten_2004_Greek.pdf OWASP Top Ten] και του [http://www.owasp.org/images/e/ed/OWASP_faq_Greek.pdf OWASP AppSec FAQ].

 

==== Meetings ====

== Call for Presentations ==
Anything related to '''Application''' or '''Information Security'''
*Secure Coding Practices
*Secure Application Development Lifecycle
*Penetration Testing and Exploitation
*Code Reviewing
*Projects and Tools
*Methodologies
*Best Practices

Send:
*Title
*Abstract
*Name and affiliation
*Short Bio
To: [mailto:konstantinos@owasp.org konstantinos@owasp.org]

== Meetings ==

=== 19/4/2013 ===
Χώρος: PWC / Κηφισίας 260, Χαλάνδρι

Περιγραφή: [https://www.owasp.org/images/e/e0/Training_19.04.13_ISACA_OWASP.pdf https://www.owasp.org/images/e/e0/Training_19.04.13_ISACA_OWASP.pdf]

* '''Being a spammer for 40 minutes: how spam works, why it's slowly going away and why it won't disappear''' - '''Martijn Grooten''' (Virus Bulletin)

=== 5/5/2011 ===
Χώρος: [http://www.di.uoa.gr/ Τμήμα Πληροφορικής και Τηλεπικοινωνιών/ΕΚΠΑ]

Περιγραφή: [http://owaspgr02.eventbrite.com/ http://owaspgr02.eventbrite.com/]

* '''Welcome and OWASP News''' - '''Konstantinos Papapanagiotou''' (OWASP Greek Chapter Leader/Syntax IT Inc) '''([[Media:OWASP_gr_meeting_2011_02.pdf‎|PDF]])'''
* '''Protecting the Core: Kernel Exploitation Mitigations''' - '''Patroklos Argyroudis and Dimitris Glynos''' (Census) '''([http://census.gr/media/bheu-2011-slides.pdf PDF])'''

=== 16/3/2011 ===
Χώρος: [http://www.colabworkspace.com/ coLab Athens Workspace]

Περιγραφή: [http://owaspgr01.eventbrite.com/ http://owaspgr01.eventbrite.com/]

* '''Welcome and Intro to OWASP Meetings''' '''([[Media:OWASP_gr_meeting_2011_01_intro.pdf‎‎|PDF]])'''
* '''Application Security for the Masses''' - '''Konstantinos Papapanagiotou''' (OWASP Greek Chapter Leader/Syntax IT Inc) '''([[Media:OWASP_gr_meeting_2011_01_appsec_masses.pdf|PDF]])'''
* '''Cyberdefense and the Kobayashi Maru''' - '''Yiorgos Adamopoulos''' (TEE) '''([[Media:Adamopoulos_Cyberdefense_and_the_Kobayashi_Maru.pdf‎|PDF]])'''

 

==== Events ====

'''26/9/2009''' - Το OWASP.gr συνδιοργανώνει ένα session με θέμα Web Application Security στα πλαίσια του 4th Mediterranean Conference on Information Systems ([http://www.mcis2009.org MCIS 2009]) στις 26 Σεπτεμβρίου 2009 και ώρα 15:30 στο Οικονομικό Πανεπιστήμιο Αθηνών. Το αναλυτικό πρόγραμμα του συνεδρίου καθώς και περισσότερες πληροφορίες υπάρχουν [http://www.mcis2009.org εδώ]. Το session θα συντονίζει ο [mailto:vsvlachosATowasp.gr Βασίλης Βλάχος], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα.

'''18/3/2009''' - Συμμετοχή του OWASP.gr στην [http://www.tsomokos.gr/projects2.php EXPOSEC 2009] που θα πραγματοποιηθεί στις 17 και 18 Μαρτίου στο Ζάππειο Μέγαρο. Ο [mailto:conpapATowasp.gr Κωνσταντίνος Παπαπαναγιώτου], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα, θα συντονίσει στις 18 Μαρτίου την ενότητα "Πρότυπα και Νομικές Απαιτήσεις".

'''17 και 18/10/2008''' - Παρουσίαση του OWASP.gr στα πλαίσια του '''Athens Digital Week''' που πραγματοποιείται από τις 13 ως τις 19 Οκτωβρίου στην Τεχνόπολη στο Γκάζι (http://www.athensdigitalweek.gr). Σύμφωνα με το [http://www.athensdigitalweek.gr/el/the-core/talk-zone πρόγραμμα], η παρουσίαση θα γίνει την Παρασκευή, 17 Οκτωβρίου 2008 και ώρα 16:30 καθώς και το Σάββατο, 18 Οκτωβρίου 2008 και ώρα 18:00.

'''27/5/2008''' - Παρουσίαση του OWASP.gr στα πλαίσια του '''3ου Συνεδρίου Ελεύθερου Λογισμικού / Λογισμικού Ανοιχτού Κώδικα''' που πραγματοποιείται στις 27 και 28 Μαΐου στο Εθνικό Μετσόβειο Πολυτεχνείο (http://conf.ellak.gr). Σύμφωνα με το [http://conf.ellak.gr/2008/index.php?option=com_jcalpro&Itemid=138&extmode=week&date=2008-05-25 πρόγραμμα] του συνεδρίου, η παρουσίαση θα γίνει την Τρίτη, 27 Μαΐου 2008 και ώρα 11:15.

'''22/3/2008''' - Παρουσίαση του OWASP.gr στα πλαίσια του '''1ου Συνέδριο Κοινοτήτων Ελεύθερου Λογισμικού/Λογισμικού Ανοιχτού Κώδικα''' που διοργανώνεται στις 21 και 22 Μαρτίου στο Εθνικό Μετσόβειο Πολυτεχνείο (http://www.fosscomm.gr/). Σύμφωνα με το [http://www.fosscomm.gr/xoops20171/htdocs/uploads/programma_synedriou.html πρόγραμμα], η παρουσίαση θα γίνει στις 17:50.

'''2/2/2008''' - Παρουσίαση της ομάδας IA4 του E-Business Forum (Προπαρασκευαστικές δράσεις για τη δημιουργία Ελληνικού Κέντρου Επείγουσας Αντιμετώπισης Ψηφιακών Απειλών GR-CERT) στα πλαίσια του '''Money Show 2008'''.

==== Archive ====

== Μηνιαίο Ενημερωτικό Δελτίο ==

Καλώς ήλθατε στο μηνιαίο ενημερωτικό δελτίο της Ελληνικής ομάδας εργασίας του OWASP. Στόχος μας είναι η ενημέρωση γύρω από τα θέματα της ελληνικής επικαιρότητας που αφορούν στην ασφάλεια των εφαρμογών διαδικτύου αλλά και στην ασφάλεια γενικότερα. Αν και στο Internet υπάρχουν ήδη πολλές πηγές ενημέρωσης γύρω από θέματα ασφάλειας (π.χ. securityfocus, cryptogram, blogs, κλπ), αυτές επικεντρώνονται συνήθως στη διεθνή επικαιρότητα. Έτσι, μοιραία η ενημέρωση για τα security θέματα που αφορούν στην Ελλάδα προέρχεται από τα τοπικά ειδησεογραφικά site και μέσα.

Με το μηνιαίο αυτό newsletter στοχεύουμε στην αποτύπωση των κυριότερων θεμάτων ασφάλειας που απασχολούν την Ελληνική επικαιρότητα κάθε μήνα, αλλά και σημαντικών νέων από τη διεθνή infosec επικαιρότητα που κρίνουμε πως πρέπει να σχολιάσουμε. Παράλληλα, θα υπάρχουν ενδιαφέροντα επιστημονικά θέματα αλλά και ενημέρωση γύρω από τη δραστηριότητα του OWASP. Το newsletter θα διαμοιράζεται μέσω της mailing list του OWASP.gr, ενώ ταυτόχρονα θα δημοσιεύεται και εδώ σε μορφή pdf. Υπεύθυνος για την έκδοσή του είναι ο συνεργάτης του OWASP.gr Γιάννης Αναστασόπουλος.

Ελπίζουμε πως θα βρείτε το newsletter αυτό ενδιαφέρον και χρήσιμο. Φυσικά, βρίσκεται σε… εμβρυικό στάδιο. Για το λόγο αυτό κάθε συνεισφορά σας στη δημιουργία του θα ήταν ιδιαίτερα σημαντική, για να γίνει το newsletter πιο χρήσιμο για όλους. Έτσι, για οποιαδήποτε σχόλια, προσθήκες, προτάσεις, παρατηρήσεις ή συζητήσεις μπορείτε να απευθύνεστε στη mailing list του OWASP.gr ([mailto:owasp-greece@lists.owasp.org owasp-greece@lists.owasp.org]).

 [http://www.owasp.org/images/2/21/OWASP_gr_newsletter_1.pdf Ενημερωτικό Δελτίο νο1 - Δεκέμβριος 2006]

[http://www.owasp.org/images/0/0a/OWASP_gr_newsletter_2.pdf Ενημερωτικό Δελτίο νο2 - Ιανουάριος 2007]

[http://www.owasp.org/images/4/4e/OWASP_gr_newsletter_3.pdf Ενημερωτικό Δελτίο νο3 - Φεβρουάριος 2007]

[http://www.owasp.org/images/b/b1/OWASP_gr_newsletter_4.pdf Ενημερωτικό Δελτίο νο4 - Μάρτιος-Απρίλιος 2007]

[https://www.owasp.org/images/1/11/OWASP_gr_newsletter_5.pdf Ενημερωτικό Δελτίο νο5 - Ιανουάριος 2008]

[https://www.owasp.org/images/3/3f/OWASP_gr_newsletter_6.pdf Ενημερωτικό Δελτίο νο6 - Φεβρουάριος 2008]

__NOTOC__ <headertabs />

[[Category:OWASP_Chapter]]
[[Category:Europe]]

File:Training 19.04.13 ISACA OWASP.pdf

2013-04-02T06:59:44Z

Conpap: OWASP Greek Chapter meeting 1/2013

OWASP Greek Chapter meeting 1/2013

Greece

2012-11-13T20:44:41Z

Conpap:

[[Image:Greekchapterlogo.gif]]
[[File:2ndISACAConf.JPG|border|center|x149px|link=http://www.isaca.gr/images/stories/isaca/2ndISACAConference/2ndISACAAthens.pdf]]

==== Welcome ====

{{Chapter Template|chaptername=Greece|extra=The chapter leader is [mailto:konstantinos@owasp.org Konstantinos Papapanagiotou]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-greece|emailarchives=http://lists.owasp.org/pipermail/owasp-greece}}

<paypal>Greece</paypal>

== OWASP Greek Chapter Committee ==

Chapter Leader: [mailto:conpapATowasp.gr Konstantinos Papapanagiotou]

Committee Members: [mailto:manosATowasp.gr Emmanouel Kellinis], [mailto:steliosATowasp.gr Stelios Tigkas], [mailto:vsvlachosATowasp.gr Vasileios Vlachos]

 

== Τι είναι το OWASP ==

Το ΟWASP (Open Web Application Security Project – http://www.owasp.org) αποτελεί μία πρωτοβουλία που αποσκοπεί στον εντοπισμό και στην καταπολέμηση των τρωτών σημείων του λογισμικού τέτοιων εφαρμογών. Όντας ένας μη κερδοσκοπικός οργανισμός, ακολουθεί την ιδεολογία του Ελεύθερου/Ανοικτού λογισμικού, παρέχοντας δωρεάν αλλά επαγγελματικής ποιότητας έγγραφα, εργαλεία και πρότυπα. Παράλληλα, ενισχύει τη διοργάνωση συνεδρίων και τοπικών ομάδων εργασίας (local chapters), τη δημοσίευση άρθρων και συγγραμμάτων, καθώς και την ανταλλαγή απόψεων μέσα από forums και mailing lists. Το OWASP απαριθμεί μέλη σε όλο τον πλανήτη, συμπεριλαμβανομένων μεγάλων οργανισμών και εταιριών του χώρου όπως VISA, Deloitte, Unisys, Foundstone, και άλλες.

== Η Ελληνική Κοινότητα ==

Η ελληνική ομάδα εργασίας του OWASP δημιουργήθηκε το 2005, με κύριο στόχο την ενημέρωση και την αφύπνιση της ελληνικής κοινότητας αναφορικά με τους κινδύνους ασφαλείας στις διαδικτυακές εφαρμογές. Αφορμή για τη δημιουργία της αποτέλεσαν ουσιαστικά τα ολοένα αυξανόμενα περιστατικά ασφαλείας στο διαδίκτυο, όπως τα κρούσματα phishing σε ελληνικές τράπεζες.

Σήμερα, η ελληνική ομάδα του OWASP δραστηριοποιείται σε προγράμματα Ελεύθερου/Ανοικτού λογισμικού καθώς και μεταφράσεις κειμένων του OWASP στα ελληνικά, προωθώντας την ιδέα του OWASP σε τοπικό επίπεδο. Παράλληλα, μέσα από τη mailing list της ενημερώνει και προκαλεί συζητήσεις σχετικά με επίκαιρα θέματα ασφάλειας στο διαδίκτυο, ενώ εκδίδει και μηνιαίο newsletter.

== Συμμετοχή ==

Η ελληνική κοινότητα του OWASP επιθυμεί να φέρει σε επαφή όλους όσους ενδιαφέρονται και προβληματίζονται για την ασφάλεια των διαδικτυακών εφαρμογών. Ταυτόχρονα, ευπρόσδεκτοι είναι και εθελοντές που προτίθενται να δουλέψουν σε προγράμματα Ελεύθερου/Ανοιχτού λογισμικού που συντονίζει το OWASP. Σας προσκαλούμε να μοιραστείτε μαζί μας ιδέες, σκέψεις και προβληματισμούς σχετικά με επιθέσεις, μεθόδους άμυνας και αντιμετώπισης, εργαλεία και βέλτιστες πρακτικές ασφάλειας στο διαδίκτυο. Ανεξάρτητα από το τεχνικό επίπεδο, το βάθος της προσέγγισης και τις χρησιμοποιούμενες μεθόδους, θα χαρούμε ιδιαίτερα αν έρθετε σε επαφή μαζί μας.

Για να εγγραφείτε στη '''mailing list''' της ελληνικής ομάδας εργασίας επισκεφθείτε [http://lists.owasp.org/mailman/listinfo/owasp-greece αυτή τη σελίδα].

== Ευχαριστίες ==

Θα θέλαμε να ευχαριστήσουμε το [http://www.di.uoa.gr Τμήμα Πληροφορικής και Τηλεπικοινωνιών] του Πανεπιστημίου Αθηνών για τη βοήθεια που παρέχει στην ελληνική ομάδα εργασίας.

[[Image:Universityofathenslogo.gif]]

Επίσης θα θέλαμε να ευχαριστήσουμε θερμά το περιοδικό [http://www.linuxinside.gr/ Linux Inside] για την υποστήριξη και την προβολή καθώς και το [http://www.zero.gr zero.gr].

[[Image:Linuxinside-logo.png]] [[Image:zerologo.png]]

==== News ====

== Ομάδες Εργασίας ==

Αυτήν την περίοδο ψάχνουμε για νέες project ιδέες. Εάν έχεις καινούρια ίδεα για κάποιο εργαλείο, στατιστικά στοιχεία για το πόσο σοβαρά λαμβάνουν στην Ελλάδα το application security οι προγραμματιστές, εταιρίες λογισμικού κτλ ή αν έχεις οποιάδηποτε άλλη ιδέα με κεντρικό θέμα το application security επικοινωνήστε μαζί μας.

== Νέα ==

'''16/3/2011''' - Η πρώτη συνάντηση θα πραγματοποιηθεί στο [http://www.colabworkspace.com/ CoLab Athens Workspace]. Περισσότερες πληφορορίες και εγγραφές [http://owaspgr01.eventbrite.com/ εδώ].

'''20/9/2009''' - Ο [mailto:vsvlachosATowasp.gr Βασίλης Βλάχος], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα, θα συντονίσει στις 26/9/2009 τη συνεδρία με θέμα Web Application Security που συνδιοργανώνει το OWASP.gr στα πλάισια του συνεδρίου 4th Mediterranean Conference on Information Systems ([http://www.mcis2009.org MCIS 2009]). Η συνεδρία θα πραγματοποιηθεί στις 26 Σεπτεμβρίου 2009 και ώρα 15:30 στο Οικονομικό Πανεπιστήμιο Αθηνών.

'''5/3/2009''' - Ο [mailto:conpapATowasp.gr Κωνσταντίνος Παπαπαναγιώτου], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα, θα συντονίσει στις 18 Μαρτίου την ενότητα "Πρότυπα και Νομικές Απαιτήσεις" στα πλαίσια της [http://www.tsomokos.gr/projects2.php EXPOSEC 2009], που διεξάγεται στις 17 και 18 Μαρτίου στο Ζάππειο Μέγαρο.

'''3/2/2009''' - Ο [mailto:conpapATowasp.gr Κωνσταντίνος Παπαπαναγιώτου], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα, έδωσε ζωντανή συνέντευξη στην εκπομπή Ατζέντα+ της ψηφιακής πλατφόρμας της ΕΡΤ (κανάλι Σπορ+/Info+), όπου μίλησε για τις δραστηριότητες του OWASP στην Ελλάδα και έδωσε απλές συμβουλές για την ασφάλεια στο Internet. Μπορείτε να παρακολουθήσετε το βίντεο της συνέντευξης [http://www.youtube.com/watch?v=q0RPKaPGICI εδώ].

'''10/10/2008''' - Το OWASP.gr συμμετέχει στο Athens Digital Week που πραγματοποιείται από τις 13 ως τις 19 Οκτωβρίου στη Τεχνόπολη στο Γκάζι (http://conf.ellak.gr).

'''30/9/2008''' - Το OWASP.gr παρουσιάζει το πρώτο Ελληνικό blog με θέμα την ασφάλεια των διαδικτυακών εφαρμογών αλλά και των υπολογιστικών συστημάτων γενικότερα. Επισκεφθείτε το επίσημο blog της Ελληνικής ομάδας εργασίας του OWASP στο: http://blog.owasp.gr.

'''5/6/2008''' - Η παρουσίαση του OWASP.gr στο 3ο Συνέδριο ΕΛ/ΛΑΚ είναι διαθέσιμη μέσα από την ενότητα [https://www.owasp.org/index.php/OWASP_Education_Presentation#Chapter_Presentations Chapter Presentations] και συγκεκριμένα [http://www.owasp.org/images/e/e5/OWASP_ellak-Greece.ppt εδώ]. Επίσης, βίντεο της παρουσίασης μπορείτε να βρείτε [http://conf.ellak.gr/2008/index.php?option=com_eventlist&Itemid=119&func=details&did=19 εδώ].

'''26/5/2008''' - Το OWASP.gr αναπτύσσει έναν Web Vulnerability Scanner. Μπορείτε να κατεβάσετε την beta έκδοσή του από [https://www.owasp.org/images/6/65/WVS_beta-0.2.1.zip εδώ].

'''15/5/2008''' - Το OWASP.gr συμμετέχει στο 3ο Συνέδριο ΕΛ/ΛΑΚ που πραγματοποιείται στις 27 και 28 Μαΐου στο Εθνικό Μετσόβιο Πολυτεχνείο (http://conf.ellak.gr).

'''20/2/2008''' - Το OWASP.gr συμμετέχει στο 1ο Συνέδριο Κοινοτήτων Ελεύθερου Λογισμικού/Λογισμικού Ανοιχτού Κώδικα που διοργανώνεται στις 21 και 22 Μαρτίου στο Εθνικό Μετσόβειο Πολυτεχνείο (http://www.fosscomm.gr/).

'''2/2/2008''' - Το OWASP.gr συμμετέχει στην παρουσίαση της ομάδας IA4 του E-Business Forum (Προπαρασκευαστικές δράσεις για τη δημιουργία Ελληνικού Κέντρου Επείγουσας Αντιμετώπισης Ψηφιακών Απειλών GR-CERT) στα πλαίσια του Money Show 2008 στις 2/2/2008 στην Αίγλη Ζαππείου.

'''18/4/2007''' - Το E-Βusiness Forum (http://www.ebusinessforum.gr/) έχει δημιουργήσει μία ομάδα εργασίας η οποία έχει αναλάβει τις "'''Προπαρασκευαστικές δράσεις για τη δημιουργία Ελληνικού Κέντρου Επείγουσας Αντιμετώπισης Ψηφιακών Απειλών (GR-CERT)'''". Πληροφορίες σχετικά με τους στόχους και τις δραστηριότητες της ομάδας υπάρχουν [http://www.ebusinessforum.gr/teams/teamsall/view/index.php?ctn=102&language=el εδώ] αλλά και [http://sense.dmst.aueb.gr/ia4/index.php/Main_Page εδώ]. Όποιος ενδιαφέρεται και μπορεί να βοηθήσει να δηλώσει συμμετοχή στις παραπάνω σελίδες ή να απευθυνθεί στο κ. Βασίλειο Βλάχο (στοιχεία επικοινωνίας υπάρχουν στα παραπάνω site).

Καταχωρήθηκε το [http://www.owasp.gr OWASP.gr]!

Με τη βοήθεια του Αναστάσιου Καζακώνη μετέφράστηκαν το "OWASP Top Ten Vulnerabilties in Web Application Security" και το OWASP AppSec FAQ στα Ελληνικά. Έτσι είναι πλέον διαθέσιμες οι ελληνικές εκδόσεις του [http://www.owasp.org/images/8/8b/OWASP_Top_Ten_2004_Greek.pdf OWASP Top Ten] και του [http://www.owasp.org/images/e/ed/OWASP_faq_Greek.pdf OWASP AppSec FAQ].

 

==== Meetings ====

== Call for Presentations ==
Anything related to '''Application''' or '''Information Security'''
*Secure Coding Practices
*Secure Application Development Lifecycle
*Penetration Testing and Exploitation
*Code Reviewing
*Projects and Tools
*Methodologies
*Best Practices

Send:
*Title
*Abstract
*Name and affiliation
*Short Bio
To: [mailto:konstantinos@owasp.org konstantinos@owasp.org]

== Meetings ==

=== 5/5/2011 ===
Χώρος: [http://www.di.uoa.gr/ Τμήμα Πληροφορικής και Τηλεπικοινωνιών/ΕΚΠΑ]

Περιγραφή: [http://owaspgr02.eventbrite.com/ http://owaspgr02.eventbrite.com/]

* '''Welcome and OWASP News''' - '''Konstantinos Papapanagiotou''' (OWASP Greek Chapter Leader/Syntax IT Inc) '''([[Media:OWASP_gr_meeting_2011_02.pdf‎|PDF]])'''
* '''Protecting the Core: Kernel Exploitation Mitigations''' - '''Patroklos Argyroudis and Dimitris Glynos''' (Census) '''([http://census.gr/media/bheu-2011-slides.pdf PDF])'''

=== 16/3/2011 ===
Χώρος: [http://www.colabworkspace.com/ coLab Athens Workspace]

Περιγραφή: [http://owaspgr01.eventbrite.com/ http://owaspgr01.eventbrite.com/]

* '''Welcome and Intro to OWASP Meetings''' '''([[Media:OWASP_gr_meeting_2011_01_intro.pdf‎‎|PDF]])'''
* '''Application Security for the Masses''' - '''Konstantinos Papapanagiotou''' (OWASP Greek Chapter Leader/Syntax IT Inc) '''([[Media:OWASP_gr_meeting_2011_01_appsec_masses.pdf|PDF]])'''
* '''Cyberdefense and the Kobayashi Maru''' - '''Yiorgos Adamopoulos''' (TEE) '''([[Media:Adamopoulos_Cyberdefense_and_the_Kobayashi_Maru.pdf‎|PDF]])'''

 

==== Events ====

'''26/9/2009''' - Το OWASP.gr συνδιοργανώνει ένα session με θέμα Web Application Security στα πλαίσια του 4th Mediterranean Conference on Information Systems ([http://www.mcis2009.org MCIS 2009]) στις 26 Σεπτεμβρίου 2009 και ώρα 15:30 στο Οικονομικό Πανεπιστήμιο Αθηνών. Το αναλυτικό πρόγραμμα του συνεδρίου καθώς και περισσότερες πληροφορίες υπάρχουν [http://www.mcis2009.org εδώ]. Το session θα συντονίζει ο [mailto:vsvlachosATowasp.gr Βασίλης Βλάχος], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα.

'''18/3/2009''' - Συμμετοχή του OWASP.gr στην [http://www.tsomokos.gr/projects2.php EXPOSEC 2009] που θα πραγματοποιηθεί στις 17 και 18 Μαρτίου στο Ζάππειο Μέγαρο. Ο [mailto:conpapATowasp.gr Κωνσταντίνος Παπαπαναγιώτου], μέλος της ομάδας συντονισμού του OWASP στην Ελλάδα, θα συντονίσει στις 18 Μαρτίου την ενότητα "Πρότυπα και Νομικές Απαιτήσεις".

'''17 και 18/10/2008''' - Παρουσίαση του OWASP.gr στα πλαίσια του '''Athens Digital Week''' που πραγματοποιείται από τις 13 ως τις 19 Οκτωβρίου στην Τεχνόπολη στο Γκάζι (http://www.athensdigitalweek.gr). Σύμφωνα με το [http://www.athensdigitalweek.gr/el/the-core/talk-zone πρόγραμμα], η παρουσίαση θα γίνει την Παρασκευή, 17 Οκτωβρίου 2008 και ώρα 16:30 καθώς και το Σάββατο, 18 Οκτωβρίου 2008 και ώρα 18:00.

'''27/5/2008''' - Παρουσίαση του OWASP.gr στα πλαίσια του '''3ου Συνεδρίου Ελεύθερου Λογισμικού / Λογισμικού Ανοιχτού Κώδικα''' που πραγματοποιείται στις 27 και 28 Μαΐου στο Εθνικό Μετσόβειο Πολυτεχνείο (http://conf.ellak.gr). Σύμφωνα με το [http://conf.ellak.gr/2008/index.php?option=com_jcalpro&Itemid=138&extmode=week&date=2008-05-25 πρόγραμμα] του συνεδρίου, η παρουσίαση θα γίνει την Τρίτη, 27 Μαΐου 2008 και ώρα 11:15.

'''22/3/2008''' - Παρουσίαση του OWASP.gr στα πλαίσια του '''1ου Συνέδριο Κοινοτήτων Ελεύθερου Λογισμικού/Λογισμικού Ανοιχτού Κώδικα''' που διοργανώνεται στις 21 και 22 Μαρτίου στο Εθνικό Μετσόβειο Πολυτεχνείο (http://www.fosscomm.gr/). Σύμφωνα με το [http://www.fosscomm.gr/xoops20171/htdocs/uploads/programma_synedriou.html πρόγραμμα], η παρουσίαση θα γίνει στις 17:50.

'''2/2/2008''' - Παρουσίαση της ομάδας IA4 του E-Business Forum (Προπαρασκευαστικές δράσεις για τη δημιουργία Ελληνικού Κέντρου Επείγουσας Αντιμετώπισης Ψηφιακών Απειλών GR-CERT) στα πλαίσια του '''Money Show 2008'''.

==== Archive ====

== Μηνιαίο Ενημερωτικό Δελτίο ==

Καλώς ήλθατε στο μηνιαίο ενημερωτικό δελτίο της Ελληνικής ομάδας εργασίας του OWASP. Στόχος μας είναι η ενημέρωση γύρω από τα θέματα της ελληνικής επικαιρότητας που αφορούν στην ασφάλεια των εφαρμογών διαδικτύου αλλά και στην ασφάλεια γενικότερα. Αν και στο Internet υπάρχουν ήδη πολλές πηγές ενημέρωσης γύρω από θέματα ασφάλειας (π.χ. securityfocus, cryptogram, blogs, κλπ), αυτές επικεντρώνονται συνήθως στη διεθνή επικαιρότητα. Έτσι, μοιραία η ενημέρωση για τα security θέματα που αφορούν στην Ελλάδα προέρχεται από τα τοπικά ειδησεογραφικά site και μέσα.

Με το μηνιαίο αυτό newsletter στοχεύουμε στην αποτύπωση των κυριότερων θεμάτων ασφάλειας που απασχολούν την Ελληνική επικαιρότητα κάθε μήνα, αλλά και σημαντικών νέων από τη διεθνή infosec επικαιρότητα που κρίνουμε πως πρέπει να σχολιάσουμε. Παράλληλα, θα υπάρχουν ενδιαφέροντα επιστημονικά θέματα αλλά και ενημέρωση γύρω από τη δραστηριότητα του OWASP. Το newsletter θα διαμοιράζεται μέσω της mailing list του OWASP.gr, ενώ ταυτόχρονα θα δημοσιεύεται και εδώ σε μορφή pdf. Υπεύθυνος για την έκδοσή του είναι ο συνεργάτης του OWASP.gr Γιάννης Αναστασόπουλος.

Ελπίζουμε πως θα βρείτε το newsletter αυτό ενδιαφέρον και χρήσιμο. Φυσικά, βρίσκεται σε… εμβρυικό στάδιο. Για το λόγο αυτό κάθε συνεισφορά σας στη δημιουργία του θα ήταν ιδιαίτερα σημαντική, για να γίνει το newsletter πιο χρήσιμο για όλους. Έτσι, για οποιαδήποτε σχόλια, προσθήκες, προτάσεις, παρατηρήσεις ή συζητήσεις μπορείτε να απευθύνεστε στη mailing list του OWASP.gr ([mailto:owasp-greece@lists.owasp.org owasp-greece@lists.owasp.org]).

 [http://www.owasp.org/images/2/21/OWASP_gr_newsletter_1.pdf Ενημερωτικό Δελτίο νο1 - Δεκέμβριος 2006]

[http://www.owasp.org/images/0/0a/OWASP_gr_newsletter_2.pdf Ενημερωτικό Δελτίο νο2 - Ιανουάριος 2007]

[http://www.owasp.org/images/4/4e/OWASP_gr_newsletter_3.pdf Ενημερωτικό Δελτίο νο3 - Φεβρουάριος 2007]

[http://www.owasp.org/images/b/b1/OWASP_gr_newsletter_4.pdf Ενημερωτικό Δελτίο νο4 - Μάρτιος-Απρίλιος 2007]

[https://www.owasp.org/images/1/11/OWASP_gr_newsletter_5.pdf Ενημερωτικό Δελτίο νο5 - Ιανουάριος 2008]

[https://www.owasp.org/images/3/3f/OWASP_gr_newsletter_6.pdf Ενημερωτικό Δελτίο νο6 - Φεβρουάριος 2008]

__NOTOC__ <headertabs />

[[Category:OWASP_Chapter]]
[[Category:Europe]]

File:2ndISACAConf.JPG

2012-11-13T20:39:23Z

Conpap:

File:AppSecEU2012 SecuringDevelopmentwithPMD.pdf

2012-09-04T09:05:32Z

Conpap:

File:AppSecEU2012 Wilander.pdf

2012-08-31T07:06:37Z

Conpap:

File:AppSecEU2012 heap.pdf

2012-08-30T12:37:25Z

Conpap:

File:AppSecEU2012 Welcome.pdf

2012-08-30T12:33:00Z

Conpap:

File:AppSecEU2012 Jackpotting.pdf

2012-08-30T12:24:42Z

Conpap:

File:AppSecEU2012 PCI.pdf

2012-08-30T12:20:32Z

Conpap:

File:AppSecEU2012 MitB.pdf

2012-08-30T12:18:09Z

Conpap:

File:AppSecEU2012 Benoist.pdf

2012-08-30T12:17:39Z

Conpap:

File:AppSecEU2012 Oracle.pdf

2012-08-30T12:16:58Z

Conpap:

File:AppSecEU2012 Spaghetti.pdf

2012-08-30T12:15:44Z

Conpap:

File:AppSecEU2012 Livshits.pdf

2012-08-30T12:12:41Z

Conpap:

File:AppSecEU2012 Winckles.pdf

2012-08-30T12:10:35Z

Conpap:

File:AppSecEU2012 zombies decade swsec12.pdf

2012-08-16T21:15:04Z

Conpap:

File:AppSecEU2012 WhatPermissionsDoesYourDatabaseUserREALLYNeed.pdf

2012-08-16T21:14:12Z

Conpap:

File:AppSecEU2012 Top Ten Defenses.pdf

2012-08-16T21:11:17Z

Conpap:

File:AppSecEU2012 SS goes mobile.pdf

2012-08-16T21:09:05Z

Conpap:

File:AppSecEU2012 Screw You.pdf

2012-08-16T21:02:05Z

Conpap:

File:AppSecEU2012 ScannerBenchmarking.pdf

2012-08-16T21:01:16Z

Conpap:

File:AppSecEU2012 PASTA.pdf

2012-08-16T20:59:13Z

Conpap: uploaded a new version of "File:AppSecEU2012 PASTA.pdf"

File:AppSecEU2012 PASTA.pdf

2012-08-16T20:50:26Z

Conpap:

File:AppSecEU2012 Mobile Risks.pdf

2012-08-16T20:49:14Z

Conpap:

File:AppSecEU2012 Everything u know about InjectionAttack.pdf

2012-08-16T20:47:00Z

Conpap: