OWASP - User contributions [en]

Long Island

2010-04-23T21:59:24Z

Heleng: /* External Links */

{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}

==== Chapter Meetings ====
Scroll down to see the upcoming Long Island OWASP events

RSVP REQUESTED [http://fs18.formsite.com/owaspli/form995438520/index.html http://www.owasp.org/images/7/7f/Register.gif]

Date: 3/18/10 Thursday 
Time: 6:30 - 8pm 
Place: Adelphi Garden City Campus Ruth S. Harley University Center, room 210 [http://www.adelphi.edu/visitors/campus.php Campus Map]The University Center is in the center of the campus, all the way to the North (marked as UNC) 
Directions: Via the Long Island Expressway (Route 495) 

Traveling east 
Take the L.I.E. to Exit 34 South or the Northern State Parkway to Exit 26 South (New Hyde Park Road). Turn right onto New Hyde Park Road. Continue south on New Hyde Park Road for approximately 3 miles. Turn left onto Stewart Avenue. At the fourth light, turn right onto Nassau Boulevard. Continue approximately for a quarter of a mile. At the first light (as soon as you cross over the railroad tracks), make a left onto South Avenue. The entrance to campus will be on your right. 

Traveling west 
Take the L.I.E. to Exit 39 South or the Northern State Parkway to Exit 31 (Glen Cove Road). Go south. (Note: the road will change from Guinea Woods Road to Glen Cove Road to Clinton Road). Turn right onto Stewart Avenue. Go one mile and at T-junction turn left onto Hilton Avenue. Immediately after crossing the railroad tracks, turn right onto Sixth Street. Continue onto South Avenue. The entrance to campus will be on your left.. 
 
Speakers: (TBD) 

[http://www.linkedin.com/in/blakecornell Blake Cornell], OWASP Board Member NY/NJ/LI

Session Initiation Protocol Bounce Attacks: Enumeration of Networked Addressing and Services With Timing Attacks and Other Vectors

The SIP Bounce Attack is similar in nature to the File Transfer Protocol (FTP) Bounce Attack. SIP allows an attacker the ability to communicate with any Internet Protocol (IP) address or Fully Qualified Domain Name (FQDN) and their respective UDP or TCP port numbers. Utilizing precise timing algorithms it is possible to enumerate the address allocation of private networks (2) and determine the state of their ports. This is possible without authentication.

There is an increasing trend to host SIP services publicly on the internet behind Demilitarized Zones (DMZ), firewalls and Access Control Lists (ACLs). Having the ability to bounce traffic through a protected system and allowing analysis of response data is quite risky.

If a consumer grade VoIP product were reliably vulnerable to SIP bouncing an attacker could have a plethora of possible zombie proxies to choose from.

These and other risks will be discussed.

 
[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member

Threat Modeling APT: A discussion of tactics behind recent targeted intrusions.

Free pizza and beverage will be provided. After event networking will be held at a local bar. 

<center>Come prepared for an evening of networking with your industry peers.</center>
<center>We invite all attendees to food and libations after the meeting at a local venue TBA.</center>
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center>
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center>
<center>If you can host an upcoming meeting please contact a LI board member.</center>

==== Chapter Leaders/Contacts ====
<ul>
*[mailto:heleng@owasp.org Helen Gao, CISSP]
*[mailto:ryan.behan@owasp.org Ryan C Behan]
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704
</ul>
__NOTOC__
<headertabs/>

==External Links==
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010 was released on April 19, 2010]
* [http://www.qualityit.net/Resources/WhitePapers/IEEEP1074-2005-RoadmapForOptimizingSecurityInTheSystemAndSoftwareLifeCycle.pdf IEEE considers security as a software lifecycle development requirement]
* [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf OWASP is a recommended secure coding guideline in PCI DSS]
* [http://www.ietf.org/rfc/rfc2828.txt Internet Security Glossary]

Long Island

2010-04-23T21:58:53Z

Heleng: /* External Links */

{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}

==== Chapter Meetings ====
Scroll down to see the upcoming Long Island OWASP events

RSVP REQUESTED [http://fs18.formsite.com/owaspli/form995438520/index.html http://www.owasp.org/images/7/7f/Register.gif]

Date: 3/18/10 Thursday 
Time: 6:30 - 8pm 
Place: Adelphi Garden City Campus Ruth S. Harley University Center, room 210 [http://www.adelphi.edu/visitors/campus.php Campus Map]The University Center is in the center of the campus, all the way to the North (marked as UNC) 
Directions: Via the Long Island Expressway (Route 495) 

Traveling east 
Take the L.I.E. to Exit 34 South or the Northern State Parkway to Exit 26 South (New Hyde Park Road). Turn right onto New Hyde Park Road. Continue south on New Hyde Park Road for approximately 3 miles. Turn left onto Stewart Avenue. At the fourth light, turn right onto Nassau Boulevard. Continue approximately for a quarter of a mile. At the first light (as soon as you cross over the railroad tracks), make a left onto South Avenue. The entrance to campus will be on your right. 

Traveling west 
Take the L.I.E. to Exit 39 South or the Northern State Parkway to Exit 31 (Glen Cove Road). Go south. (Note: the road will change from Guinea Woods Road to Glen Cove Road to Clinton Road). Turn right onto Stewart Avenue. Go one mile and at T-junction turn left onto Hilton Avenue. Immediately after crossing the railroad tracks, turn right onto Sixth Street. Continue onto South Avenue. The entrance to campus will be on your left.. 
 
Speakers: (TBD) 

[http://www.linkedin.com/in/blakecornell Blake Cornell], OWASP Board Member NY/NJ/LI

Session Initiation Protocol Bounce Attacks: Enumeration of Networked Addressing and Services With Timing Attacks and Other Vectors

The SIP Bounce Attack is similar in nature to the File Transfer Protocol (FTP) Bounce Attack. SIP allows an attacker the ability to communicate with any Internet Protocol (IP) address or Fully Qualified Domain Name (FQDN) and their respective UDP or TCP port numbers. Utilizing precise timing algorithms it is possible to enumerate the address allocation of private networks (2) and determine the state of their ports. This is possible without authentication.

There is an increasing trend to host SIP services publicly on the internet behind Demilitarized Zones (DMZ), firewalls and Access Control Lists (ACLs). Having the ability to bounce traffic through a protected system and allowing analysis of response data is quite risky.

If a consumer grade VoIP product were reliably vulnerable to SIP bouncing an attacker could have a plethora of possible zombie proxies to choose from.

These and other risks will be discussed.

 
[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member

Threat Modeling APT: A discussion of tactics behind recent targeted intrusions.

Free pizza and beverage will be provided. After event networking will be held at a local bar. 

<center>Come prepared for an evening of networking with your industry peers.</center>
<center>We invite all attendees to food and libations after the meeting at a local venue TBA.</center>
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center>
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center>
<center>If you can host an upcoming meeting please contact a LI board member.</center>

==== Chapter Leaders/Contacts ====
<ul>
*[mailto:heleng@owasp.org Helen Gao, CISSP]
*[mailto:ryan.behan@owasp.org Ryan C Behan]
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704
</ul>
__NOTOC__
<headertabs/>

==External Links==
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 for 2010]
* [http://www.qualityit.net/Resources/WhitePapers/IEEEP1074-2005-RoadmapForOptimizingSecurityInTheSystemAndSoftwareLifeCycle.pdf IEEE considers security as a software lifecycle development requirement]
* [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf OWASP is a recommended secure coding guideline in PCI DSS]
* [http://www.ietf.org/rfc/rfc2828.txt Internet Security Glossary]

Long Island

2010-02-15T16:11:37Z

Heleng: /* Chapter Meetings */

Long Island

2010-02-15T16:07:47Z

Heleng: /* Chapter Meetings */

Long Island

2010-02-15T15:55:42Z

Heleng: /* Chapter Meetings */

Long Island

2010-02-15T15:33:54Z

Heleng: /* Chapter Meetings */

Long Island

2010-02-12T02:24:25Z

Heleng: /* Chapter Meetings */

Long Island

2010-02-12T02:22:46Z

Heleng: /* Chapter Meetings */

Long Island

2010-02-12T02:21:28Z

Heleng: /* Chapter Meetings */

Long Island

2010-02-12T02:20:17Z

Heleng: /* Chapter Meetings */

Long Island

2010-02-12T02:18:12Z

Heleng: /* Chapter Meetings */

Long Island

2010-02-12T02:13:00Z

Heleng: /* Chapter Meetings */

OWASP Internationalization

2010-01-27T23:07:27Z

Heleng: /* News */

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] [[:Project Information:template Internationalization Guidelines|Click here to see (& edit, if wanted) the template.]] {{:Project Information:template Internationalization Guidelines}}

=== Why this project? ===

The main goal of OWASP is to spread the word about security (“Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks.”) and OWASP has done great work so far. The number of native and secondary speakers in the world for Chinese, Spanish, French, Russian, Arabic and Indi languages are estimated in similar number to English speaking or even more (Some References at [http://en.wikipedia.org/wiki/Ethnologue_list_of_most_spoken_languages Ethnologue], [http://encarta.msn.com/media_701500404/Languages_Spoken_by_More_Than_10_Million_People.html Encarta], [http://en.wikipedia.org/wiki/List_of_languages_by_number_of_native_speakers Wikipedia]). It is a good time for OWASP to reach those that do not speak English to have full access to all the OWASP materials, not just a couple of documents.

=== Objectives ===

This project is the pioneer of an effort to define basic guidelines for the localization of OWASP site and OWASP projects (both documentation and software). Also define a way to do a continuous effort to keep information across the different languages in synchrony. The main objective is to provide a framework for new translation efforts, those effort will have 2 main objectives:

#Make OWASP information currently available, reach the people speaking of a specific language
#Allow non-English speaking people to contribute to OWASP and have internationalization projects transfer that knowledge to English and other languages. So as you can imagine the replication effect will have great benefits to the OWASP community and the world of application security.

=== I want to translate OWASP Materials to [Put your language here], Where should I start? ===

Good for you, we are always happy to have more people to spread the OWASP message. Our suggestion is:

#You Identify the project you like or can translate, you can go to page or contact [[User:Paulo Coimbra|Paulo Coimbra]] for a suggestion (he manages all the OWASP projects). Check [[#Active_Translation_Projects]] to see if there is an existing or ongoing translation to the materials you want to translate, ask the language project mailing list (OWASP-Spanish mailing list) or the material project leader (e.g OWASP Top 10 Leader, Dave Wickers)
#Check if there is an existent Language-specific project, that is look for a [[OWASP_Spanish]] project if you are willing to translate to Spanish, There might be existing guidelines to help you out do the translation smoothly.
#Choose you approach:
#*If you want to translate only a small document or one page, just go and do it, follow the Language guidelines or [[#General_Translation_Guidelines]] below.
#*If you want to translate various documents, consider to [[#Creating a Language Specific OWASP Project | create a Language-Specific Project]] that way there will be a solid baseline for all the translations.
#That's it

=== Creating a Language Specific OWASP Project ===

If you have decided to start a formal project to host all the translations to your native/desired language, here is what you have to do.

#Follow the [[How to Start an OWASP Project|How to Start an OWASP Project]] page instructions, we suggest you call the project as the language not the country, e.g. OWASP-Spanish not OWASP-Spain, as languages use to spread across more than just one country.
#Create a new translation guidelines (for documents, pages and tools) based on the [[#General_Translation_Guidelines]] below. It should include all the knowledge needed to make a quality translation in your native languages. Make sure to provide the necessary resources to at least avoid common pitfalls like false cognates and similar.
#Link your language specific project to this project, add a reference in "Related Projects" section at top template of this page
#Ask OWASP Wiki Admin (Larry Casey in this case) to enable your language in the Wiki Site, in case is not available in the languages list.
#OWASP is open and and you are free to modify or add new content to OWASP Materials, however it is always recommendable to contact project leaders and let them know on your intentions before you start a translation effort, at least as a courtesy.
#Update this page. Please feel free to modify this page, or add new pages if required, for your specific language. But make the content generic to the language family of your language as the idea of this project is to be used as a framework to develop language specific information.

'''Remember Language projects could be more than just translating, the idea is that knowledge in your native language could also be brought to English speaking people, so think on the project as a link between both languages.'''

=== General Translation Guidelines ===

Usually a document translation involves several people in order to facilitate the translation it is necessary to provide general guidelines for the translation. First of all, we strongly support language neutrality, this is especially important when the language is spoken in many different countries or regions.

Translation guidelines should include the following information:

*Glossaries for the target language,
*Basic orthography rules
*Basic grammar rules
*English-Target Language dictionary.
*Enumeration and examples of special cases, for example use of dashes, quotes, etc.
*False cognates
*Remind the translation must remain loyal to the original text, do not add content to the document (at least on this stage)+
*Recommendation to avoid slang language
*Policy for using automated tools
*Rules to handle terms that cannot be translated.
*Recommend to run Spell and Grammar check
*Examples to the rules described
*Include a peer review strategy
*Supportive readings and links

+ Although the objective of the project is to enable people speaking foreign languages to learn from OWASP and enrich OWASP documentation. This process must be done in separated stages, initially it is desirable to have a loyal version of the official release.

We strongly suggest you ask for help of an experienced person to give the document a final look before it is published to OWASP site.

=== Organization ===

The first thing is to have a good communication and coordination strategy, we propose the following organization for a translation effort:

==== Roles ====

Although OWASP is an open project, minimum skills should be procured to ensure the translation has good quality and takes just the needed amount of time. Believe me, you won’t like to fix dozens of small mistakes for common computer world terms just because the translator is a totally outside the computer world with null knowledge on what is a hard disk :).

The proposed skills are:

*'''Translator(s)'''
**Basic computer related knowledge.
**Good English skills
**Fluent in foreign language
**Working knowledge in application security skills
*'''Editor(s)'''
**Strong computer related knowledge
**Strong English skills
**Strong skills in foreign language, participation in translation project of other open source projects is a plus.
**Strong knowledge in application security skills
*'''Translation leader.''' Person in charge of coordinate the translation effort. There are no special requirements, just the ability to manage a team of people and deliver on proposed time.

=== Translating Documents ===

This is the first release of the section, expect changed during the following weeks as we are requesting feedback from people involved in previous translations of OWASP documents, if you know one of these people please ask them to contact [mailto:johnccr@yahoo.com me]

==== Setup ====

Translation Project leader and/or translation leader should create set of basic guidelines for translation as defined in [[#General_Translation_Guidelines]] section If the translation is going to be on a MS Word document is highly recommended to create a document template with web established styles for headers, so consolidating the document is easier The translation leader will distribute the work and set up tentative due dates for the sections based on the translators workload.

==== While Translating ====

It is suggested that once the distributed sections are ready, they are sent to the distribution list and the editor is notified

==== Before Delivering ====

In parallel to translation or after everyone has finished, the editor (or the person designated by the editor) will do the following actions

*Consolidate the whole document
*Do spelling and grammar check
*Ensure document "harmony". This is:
**make sure the same terms are using across the document
**topics sequence is natural.
**Font type, size and style are the same for the same types of text.
*Add the official cover page translated to the foreign language (OWASP logo, title and trademark information)
*Add GNU license (all the OWASP work is done under this license so translation work should also be GNU)
*Add OWASP internationalization project and the specific translation project explanation and references to let readers know where they go in case of interest in the translation project. Add this page after cover page.
*Add translation credit for project leader, editor and translators just after the author name.
*Convert the document to PDF format for portability, but also let the editable version available to the public.

Finally If there is a translation project, you can send the document to the project leader for its publication in the translation project and in the original project page.

=== Translating OWASP pages ===

To make more clear the process of creating a translated page, consider the following assumptions. Our example foreign language code is “es” for Spanish and the page we want to translate is called “TranslationTest”. (Actually this page is there for you to use it ans tes for translation support of the portal on your specific language). So let’s start

You should first classify the page to translate as a main page (project description page, project content page) or support page (roadmap, links, quotes, etc)

==== For Main Pages (project pages only) ====

#Add a new page called “PruebaTraduccion” (“Translation Test” in Spanish)
#At the beginning of the page add the TranslatedPageHeader template by adding ''<nowiki>{{TranslatedPageHeader}}</nowiki>''
#At the end of the page add the TranslationInProgress template by adding ''<nowiki>{{TranslationInProgress}}</nowiki>'' in page code.
#Go to “TranslationTest” page and click on “View Source” tab.
#Copy the source code and start translating it locally. Then paste it in “PruebaTraduccion” page as you progress.
#If there is links to pages that are not translated, let the reader know by adding a “(In English only)” note after the link.
#Just before the end of the page, add a recognition section for the people that helped in the translation. Make sure to mention their role in the translation, their full name and Security certifications, refain to mention companies unless they are OWASP members or you have permission from OWASP Board to mention them.
#Once you are done remove the TranslationInProgress template in “PruebaTraduccion” page.
#Add a new sub-page for “TranslationTest” using your language code. This is, for Spanish, you should create a sub-page called “TranslationTest/es”.
#In “TranslationTest/es” page just enter the following redirect statement ''<nowiki>#REDIRECT [[PruebaTraduccion]]</nowiki>''

==== For Support Pages ====

For support pages, you do not need to add a third page in the foreign language (like PruebaTraduccion in previous example). Rather, you add the translated content directly to the “TranslationTest/es” page. Adding the ''TranslatedPageHeader'' is also not necessary.

==== Translating Links ====

Similar to templates, links are enclosed in special characters, in this case square braces. There are 2 types of links, external links will look like this

<nowiki>[http://www.mediawiki.org/wiki/Help:Templates here]</nowiki>

And should be translated as Links like this

<nowiki>[http://www.mediawiki.org/wiki/Help:Templates aqui]</nowiki>

Internal links, or links that point to pages in the OWASP site will look like this

<nowiki>[[OWASP WebGoat Project Roadmap|Roadmap]]</nowiki>

And should be translated to

<nowiki>[[OWASP WebGoat Project Roadmap|Plan de trabajo]]</nowiki>

For links without the second part (the one after the pipe character) just add it, '''Avoid changing the content if this is case otherwise you will break the link or link to a non existent page'''.

 

==== Translating Templates ====

Templates are an special type of pages that can be included as part of regular pages contents, you can learn more about them [http://www.mediawiki.org/wiki/Help:Templates here], you can identify it in wiki code as text enclosed in curly braces like the following:

<nowiki>{{OWASP Book|1416452}}</nowiki>

To access wiki code of the template above you have to go to http://www.owasp.org/index.php/Template:MainLink. Templates do not support "/es" for translations as regular pages, instead we need to use special tags to support multiple languages in the same page. So edit the template code and change it from:

<nowiki>[[{{{1}}}| Main ({{{1}}})]]</nowiki>

To

<nowiki>
<IfLanguage Is="en">
[[{{{1}}}| Main ({{{1}}})]]
</IfLanguage>
<IfLanguage Is="es">
[[{{{1}}}| Principal ({{{1}}})]]
</IfLanguage>
</nowiki>

The previous code displays the text in the first ''IfLanguage'' tag to people with browsers in English and the second to people with browsers in Spanish language.

That is it. Now visitors with browsers configured in your foreign language will be automatically redirected to the page in that language.

=== Tracking Changes in Pages ===

In order to track changes of pages for a translation project to keep translated pages up to date, you have to track changes doing the following:

#Login to OWASP Portal (register if you haven't, its free!)
#Go to the page you want to track and click on the "watch" tab. After that you will be able to see all the change to that page at the [[Special:Watchlist|Watchlist special page]].
#You can always go back to the [[Special:Watchlist|Watchlist special page]] by clicking on [[Special:Specialpages|Special Pages]] link at the left bottom of the site. and then click on the [[Special:Watchlist|Watchlist special page]].

There is a drawback, you will have to click the watch tab for every single page you want to track. This simple process will be enough to keep track of pages updates.

You can find more information on here: http://www.mediawiki.org/wiki/Help:Tracking_changes http://meta.wikimedia.org/wiki/Help:Contents#For_readers

=== Translating OWASP Software ===

Here you can find a series of basic guidelines document to help you make your OWASP tool project internationalizable.

The guidelines are available for:

*[[OWASP Internationalization Java Software|Java]]

=== Active Translation Projects ===

*[[OWASP Spanish|Spanish]]

===Future Plans ===

*Have people that help us ot enhance the guidelines and develop recommendations for arabic, slavic(Russian, Polish), ideographic (Chinese), Hindi and Japaneese (among others).

=== News ===

'''23rd Jan 2010: OWASP Newsletter has been translated into Chinese by [mailto:heleng(at)owasp.org Helen Gao]''' 
'''24th Nov 2009: Weilin Zong will translate ASVS and create the Chinese guidelines for future translations''' 
'''5th May 2008: First Draft of General Translation Guidelines are published''' RC1 of general recommendations to start a translation of an OWASP document in a foreign language is released. '''5th May 2008: Translating an OWASP document section is added''' Guidelines on how to do a document translation is released. 
'''7th April 2008: The OWASP Internationalization project starts''' Juan Carlos Calderon starts the effort as part of the [[OWASP Summer of Code 2008|SoC 2008]]. 

=== SoC 2008 Road map ===

This information is included just as reference

{| cellspacing="0" cellpadding="3" border="1" style="border: 1px solid black;"
|-
! style="border-left: 1px solid black;" | Objective
! Status
! (Expected) Competition Date
! Evidence
|-
| 1. Team up with Larry Casey to implement Multi language support in OWASP.org Mediawiki.
| Done
| June 20, 2008
| [[PaginaPrincipal]]
|-
| 2. General Guidelines on minimum/recommended requirements to start a new language translation for OWASP Document and Site Pages.
| Done
| May 2nd, 2008
| [[#General_Translation_Guidelines]]
|-
| 3. General Guidelines on minimum/recommended requirements to implement internationalization and localization ([http://www.w3.org/International/ i18n]) on OWASP Software.
| Done
| Sep 4, 2008
| [[OWASP Internationalization Java Software]]
|-
| 4. Create a Communication strategy to help and keep track on new pages or changes in significant pages so all the translations are in sync.
| Done
| Sep 3, 2008
| [[#Tracking_Changes_in_Pages]]
|}

{|
|}

[[Category:OWASP_Project]]

Long Island

2009-10-08T12:56:25Z

Heleng: /* Chapter Meetings */

{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}

==== Chapter Meetings ====
Scroll down to see the upcoming Long Island OWASP events

RSVP REQUESTED [http://fs18.formsite.com/owaspli/form933354881/index.html http://www.owasp.org/images/7/7f/Register.gif]

Date: 10/24/2009 
Time: 11:00-14:00 
Place: Sunrise Business Center, 3500 Sunrise Hwy, Great River, NY 11730, Building 200 [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=3500+Sunrise+Hwy,+NY,+Great+River,+NY,+Building+200&sll=40.748249,-73.163388&sspn=0.009298,0.022745&ie=UTF8&ll=40.748249,-73.163388&spn=0.009298,0.022745&t=h&z=16&iwloc=A MAP] 
Directions: Enter from the service road on the East Bound side of Sunrise Hwy. Turn right after passing the security gate. Attendees can park in front of Building 200 and enter through the Building 200 entrance. We must ask that all attendees do not park in any spot marked as RESERVED. Once you enter building 200, pass through security, turn right and head down the hall, pass through the first set of doors. Our conference room is your first right. There will be signs posted along this path directing attendees to the room. 
 
Agenda: 
;11-00 - Opening Remarks & Welcome to [http://www.owasp.org/images/9/9f/2009-OWASP_KeyNote-V2.pdf OWASP Foundation]
:--'''Helen Gao, OWASP LI Board
;11-20 - Attacking VoIP With The OWASP Top 10
:VoIP systems allow for cheap and easy telephony communication. Current VoIP implementations may be more vulnerable then you believe. How could an attacker own your PBX with the OWASP Top 10? Topics will include Vulnerability Research, Protocol Fuzzing, VoIP and the OWASP Top 10. Proof of concept zero day vectors will be discovered and exploited. This is going to be fun!
:--'''[http://www.linkedin.com/in/blakecornell Blake Cornell] Security Consultant [http://www.net2s-us.com/ Net2S/BT-INS], OWASP NY/NJ/LI Board Member

;12-10 - Lunch
:

;12-20 - Network Version Control
:Leveraging Python, Nmap, Ndiff and Subversion to create baselines of your hosts and services. Together, these form a basic foundation to detect unapproved changes and alert accordingly.
:--'''[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member
;13-20 - Passive Web Application Analysis
:Discover ways to leverage the tools you currently use to find potential vulnerabilities in web applications as early as during an initial application walk through. This talk will cover the current state of passive web application analysis as well as discuss how to set up a framework for your own testing needs.
:--'''[http://www.linkedin.com/in/phillipames Phil Ames], Security Consultant

;All Day Event - Capture the Flag
:There will be a day long CTF event. Test your skills, learn new exploitation techniques, hack in a team, get the highest score, win prizes? Hack the day away with your friends and peers.
:--'''[http://pentest.cryptocity.net/blog/ Dan Guido], OWASP NY/NJ Board Member

;AFTER EVENT NETWORKING WILL BE HELD AT '''[http://www.bluepointbrewing.com/ THE BLUE POINT BREWERY]!!
Rides will be provided to the Blue Point Brewery. When you are done with enjoying the best brews on the East Coast, the train station is only '''[http://maps.google.com/maps?saddr=161+River+Ave,+Patchogue,+NY+11772-3304+(Blue+Point+Brewing+Co)&geocode=CcnpYL67h5V6FVfvbQIdy8el-yEHMT9JQF0-7g&dirflg=&daddr=patchogue+train+station,+patchogue,+ny+11772&f=d&dq=blue+point+brewery,+loc:+patchogue,+ny+11772&sll=40.759127,-73.021493&sspn=0.014359,0.014046&ie=UTF8&ll=40.761691,-73.020887&spn=0.02919,0.055876&z=15 a short walk]''' away!

<center>Come prepared for a day of networking with your industry peers.</center>
<center>We invite all attendees to food and libations after the meeting at a local venue TBA.</center>
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center>
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center>
<center>If you can host an upcoming meeting please contact a LI board member.</center>

==== Chapter Leaders/Contacts ====
<ul>
*[mailto:heleng@owasp.org Helen Gao, CISSP]
*[mailto:ryan.behan@owasp.org Ryan C Behan]
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704
</ul>
__NOTOC__
<headertabs/>

==External Links==
* [http://www.qualityit.net/Resources/WhitePapers/IEEEP1074-2005-RoadmapForOptimizingSecurityInTheSystemAndSoftwareLifeCycle.pdf IEEE considers security as a software lifecycle development requirement]
* [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf OWASP is a recommended secure coding guideline in PCI DSS]
* [http://www.ietf.org/rfc/rfc2828.txt Internet Security Glossary]

Long Island

2009-09-10T12:33:43Z

Heleng: /* Chapter Meetings */

{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}

==== Chapter Meetings ====
Scroll down to see the upcoming Long Island OWASP events

Date: 10/24/2009 
Time: 11:00-14:00 
Place: Sunrise Business Center, 3500 Sunrise Hwy, Great River, NY 11730, Building 200 [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=3500+Sunrise+Hwy,+NY,+Great+River,+NY,+Building+200&sll=40.748249,-73.163388&sspn=0.009298,0.022745&ie=UTF8&ll=40.748249,-73.163388&spn=0.009298,0.022745&t=h&z=16&iwloc=A MAP] 
Directions: Enter from the service road on the East Bound side of Sunrise Hwy. Turn right after passing the security gate. Attendees can park in front of Building 200 and enter through the Building 200 entrance. We must ask that all attendees do not park in any spot marked as RESERVED. Once you enter building 200, pass through security, turn right and head down the hall, pass through the first set of doors. Our conference room is your first right. There will be signs posted along this path directing attendees to the room. 
 
Agenda: 
;11-00 - Opening Remarks & Welcome to [http://www.owasp.org/images/9/9f/2009-OWASP_KeyNote-V2.pdf OWASP Foundation]
:--'''Helen Gao, OWASP LI Board
;11-20 - Attacking VoIP With The OWASP Top 10
:VoIP systems allow for cheap and easy telephony communication. How can an attacker 0wn your PBX with the OWASP Top 10? Proof of concept 0day attacks will be demonstrated and detailed.
:--'''[http://www.linkedin.com/in/blakecornell Blake Cornell] Security Consultant [http://www.net2s-us.com/ Net2S/BT-INS], OWASP NY/NJ/LI Board Member

;12-10 - Lunch
:

;12-20 - Network Version Control
:Leveraging Python, Nmap, Ndiff and Subversion to create baselines of your hosts and services. Together, these form a basic foundation to detect unapproved changes and alert accordingly.
:--'''[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], OWASP LI Board Member
;13-20 - TBD
:--TBD

AFTER EVENT NETWORKING ON THE WATER!!

'''[http://maps.google.com/maps?f=d&source=s_d&saddr=3500+Sunrise+Hwy,+Great+River,+NY+11739&daddr=445+Vanderbilt+Blvd,+Oakdale,+NY+11769-2009&hl=en&geocode=%3BFTN1bQIdVfuj-w&gl=us&mra=ls&sll=40.727859,-73.139371&sspn=0.011155,0.027938&ie=UTF8&ll=40.737925,-73.149204&spn=0.022307,0.055876&t=h&z=15 THE WHARF]

445 Vanderbilt Blvd, Oakdale, NY 11769

<center>Come prepared for a day of networking with your industry peers.</center>
<center>We invite all attendees to food and libations after the meeting at a local restaurant TBA.</center>
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center>
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center>

==== Chapter Leaders/Contacts ====
<ul>
*[mailto:heleng@owasp.org Helen Gao, CISSP]
*[mailto:ryan.behan@owasp.org Ryan C Behan]
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704
</ul>
__NOTOC__
<headertabs/>

==External Links==
* [http://www.qualityit.net/Resources/WhitePapers/IEEEP1074-2005-RoadmapForOptimizingSecurityInTheSystemAndSoftwareLifeCycle.pdf IEEE considers security as a software lifecycle development requirement]
* [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf OWASP is a recommended secure coding guideline in PCI DSS]
* [http://www.ietf.org/rfc/rfc2828.txt Internet Security Glossary]

Long Island

2009-06-16T12:43:23Z

Heleng: /* Chapter Meetings */

{{Chapter Template|chaptername=Long Island | extra= | mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland | emailarchives=http://lists.owasp.org/pipermail/owasp-longisland }}

==== Chapter Meetings ====
Scroll down to see the upcoming Long Island OWASP events

Date: Saturday June 27th 2009 
Time: 10:00-14:00 
Place: Sunrise Business Center, 3500 Sunrise Hwy, Great River, NY 11730, Building 200 [http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=3500+Sunrise+Hwy,+NY,+Great+River,+NY,+Building+200&sll=40.748249,-73.163388&sspn=0.009298,0.022745&ie=UTF8&ll=40.748249,-73.163388&spn=0.009298,0.022745&t=h&z=16&iwloc=A MAP] 
Directions: Enter from the service road on the East Bound side of Sunrise Hwy. Attendees can park in front of Building 200 and enter through the Building 200 entrance. We must ask that all Attendees do not park in any spot marked as RESERVED. 
<center>RSVP REQUIRED [http://fs18.formsite.com/owaspli/form562038653/index.html http://www.owasp.org/images/7/7f/Register.gif] </center>
 
Agenda: 
;10-00 - Opening Remarks & Welcome
:--'''Helen Gao, OWASP LI Board
;10-20 - Who is OWASP and how could we help you?
:--'''[http://www.linkedin.com/in/tombrennan Tom Brennan]
;11-20 - Incident Response - Identify, Contain, Eradicate, Recover, Lessons Learned
:Breaches happen. Proper audit compliance enables an organization the ability to detect and prevent attacks. A case study will be examined.
:--'''[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan] Manager of Network Technologies at [http://www.ntst.com/ Netsmart Technologies]
;12-10 - Lunch TBD
:TBD
;12-25 - Code Blue - The Unhealthy State of Your Medical Records (And What Can Be Done to Save Them)
:Millions of patient records have been disclosed to unauthorized third parties. Some of these records were stolen, some were lost yet all could have been prevented.

:A North Carolina hospital loses a laptop with 14,000 records. The Peninsula Orthopedic Associates lost backup tapes that help 100,000 patient records. The Wallgreens Health Initiative emailed 28,000 records to the state of Kentucky without using encryption. Confiker infects three University of Utah hospitals. Kaiser fires 15 employees for inappropriately accessing medical records. Two Scottish hospitals were infected by a computer worm. Researchers find 20,000 medical records using peer-to-peer software. The Mytob worm infects 4,700 computers at three UK hospitals. Confiker infects 8,000 computers at the Sheffield Teaching Hospitals Trust. Criminals tried to extort Express Scripts with the threat of releasing millions of patient records. SRA International was breached when malicious software allowed an attacker the ability to access patient data maintained by SRA. The list goes on.

:All of these incidents were reported in the news within a five month period of each other. News like this is being reported with an increasing frequency.

:Most of these incidents could have been easily avoided by conducting compliance audits and vulnerability assessments.

We will walk through some recent incidents involving health care facilities around the world and detail how they could have been prevented.
:--'''[http://www.linkedin.com/in/blakecornell Blake Cornell] Security Consultant [http://www.net2s-us.com/ Net2S/BT-INS], OWASP NY/NJ/LI Board Member
;13-25 - Round Table Discussion - Successes, challenges, efforts, hopes and predictions for OWASP Long Island
:--'''[http://www.linkedin.com/in/tombrennan Tom Brennan], Global Board Member, OWASP Foundation
:--'''[http://www.linkedin.com/in/helengao Helen Gao], Board Member, OWASP LI
:--'''[http://www.linkedin.com/pub/ryan-behan/9/746/a12 Ryan Behan], Board Member, OWASP LI
:--'''[http://www.linkedin.com/in/blakecornell Blake Cornell], Board Member, OWASP NYNJ/LI
<center>Come prepared for a day of networking with your industry peers.</center>
<center>We invite all attendees to food and libations after the meeting at a local restaurant TBA.</center>
<center>If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.</center>
<center>To be a co-sponsor for this or a future meeting consider [http://www.owasp.org/index.php/Membership annual chapter sponsorship]</center>

==== Chapter Leaders/Contacts ====
<ul>
*[mailto:heleng@owasp.org Helen Gao, CISSP]
*[mailto:ryan.behan@owasp.org Ryan C Behan]
*[mailto:blake@owasp.org Blake Cornell] 212-202-6704
</ul>
__NOTOC__
<headertabs/>

==External Links==
* [http://www.qualityit.net/Resources/WhitePapers/IEEEP1074-2005-RoadmapForOptimizingSecurityInTheSystemAndSoftwareLifeCycle.pdf IEEE considers security as a software lifecycle development requirement]
* [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf OWASP is a recommended secure coding guideline in PCI DSS]
* [http://www.ietf.org/rfc/rfc2828.txt Internet Security Glossary]

Long Island

2009-05-27T21:54:35Z

Heleng: /* External Links */

{{Chapter Template|chaptername=Long Island|extra=The chapter leader is [mailto:HelenG@Proginet.com Helen Gao, CISSP]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland|emailarchives=http://lists.owasp.org/pipermail/owasp-longisland}}

<paypal>Long Island</paypal>

== 2009 Meetings ==

The next chapter meeting will be held at the end of June, 2009. Details will be announced soon. Please check back often for details.

If you join our [http://lists.owasp.org/mailman/listinfo/owasp-longisland mailing list], then you will receive details of the meeting as soon as they are finalized.

==External Links==
* [http://www.qualityit.net/Resources/WhitePapers/IEEEP1074-2005-RoadmapForOptimizingSecurityInTheSystemAndSoftwareLifeCycle.pdf IEEE considers security as a software lifecycle development requirement]
* [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf OWASP is a recommended secure coding guideline in PCI DSS]
* [http://www.ietf.org/rfc/rfc2828.txt Internet Security Glossary]

[[Category:New York]]

Long Island

2009-05-27T21:52:57Z

Heleng: /* 2009 Meetings */

Long Island

2009-05-27T21:50:03Z

Heleng: /* OWASP News */

{{Chapter Template|chaptername=Long Island|extra=The chapter leader is [mailto:HelenG@Proginet.com Helen Gao, CISSP]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland|emailarchives=http://lists.owasp.org/pipermail/owasp-longisland}}

<paypal>Long Island</paypal>

== 2009 Meetings ==

'''When''':
'''Where''':
'''Speaker''':

==External Links==
* [http://www.qualityit.net/Resources/WhitePapers/IEEEP1074-2005-RoadmapForOptimizingSecurityInTheSystemAndSoftwareLifeCycle.pdf IEEE considers security as a software lifecycle development requirement]
* [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf OWASP is a recommended secure coding guideline in PCI DSS]
* [http://www.ietf.org/rfc/rfc2828.txt Internet Security Glossary]
* [http://www.cio.com/archive/030107/fea_security.html Bad Neighborhood from CIO magazine]

[[Category:New York]]

Long Island

2009-05-27T21:49:46Z

Heleng: /* OWASP News */

{{Chapter Template|chaptername=Long Island|extra=The chapter leader is [mailto:HelenG@Proginet.com Helen Gao, CISSP]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland|emailarchives=http://lists.owasp.org/pipermail/owasp-longisland}}

<paypal>Long Island</paypal>

== 2009 Meetings ==

'''When''':
'''Where''':
'''Speaker''':

==OWASP News==

==External Links==
* [http://www.qualityit.net/Resources/WhitePapers/IEEEP1074-2005-RoadmapForOptimizingSecurityInTheSystemAndSoftwareLifeCycle.pdf IEEE considers security as a software lifecycle development requirement]
* [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf OWASP is a recommended secure coding guideline in PCI DSS]
* [http://www.ietf.org/rfc/rfc2828.txt Internet Security Glossary]
* [http://www.cio.com/archive/030107/fea_security.html Bad Neighborhood from CIO magazine]

[[Category:New York]]

Long Island

2009-05-27T21:12:51Z

Heleng: /* 2009 Meetings */

{{Chapter Template|chaptername=Long Island|extra=The chapter leader is [mailto:HelenG@Proginet.com Helen Gao, CISSP]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland|emailarchives=http://lists.owasp.org/pipermail/owasp-longisland}}

<paypal>Long Island</paypal>

== 2009 Meetings ==

'''When''':
'''Where''':
'''Speaker''':

==OWASP News==

* [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference OWASP NYC Cyber Security 2008 Conference - Sept 22nd - 25th 2008]
* [http://www.owasp.org/index.php/OWASP_News OWASP News]
* [http://www.owasp.org/index.php/OWASP_News OWASP Application Security News]

==External Links==
* [http://www.qualityit.net/Resources/WhitePapers/IEEEP1074-2005-RoadmapForOptimizingSecurityInTheSystemAndSoftwareLifeCycle.pdf IEEE considers security as a software lifecycle development requirement]
* [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf OWASP is a recommended secure coding guideline in PCI DSS]
* [http://www.ietf.org/rfc/rfc2828.txt Internet Security Glossary]
* [http://www.cio.com/archive/030107/fea_security.html Bad Neighborhood from CIO magazine]

[[Category:New York]]

Long Island

2009-05-27T21:11:03Z

Heleng: /* Sponsors */

{{Chapter Template|chaptername=Long Island|extra=The chapter leader is [mailto:HelenG@Proginet.com Helen Gao, CISSP]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-longisland|emailarchives=http://lists.owasp.org/pipermail/owasp-longisland}}

<paypal>Long Island</paypal>

== 2008 Meetings ==

'''When''':
'''Where''':
'''Speaker''':

==OWASP News==

* [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference OWASP NYC Cyber Security 2008 Conference - Sept 22nd - 25th 2008]
* [http://www.owasp.org/index.php/OWASP_News OWASP News]
* [http://www.owasp.org/index.php/OWASP_News OWASP Application Security News]

==External Links==
* [http://www.qualityit.net/Resources/WhitePapers/IEEEP1074-2005-RoadmapForOptimizingSecurityInTheSystemAndSoftwareLifeCycle.pdf IEEE considers security as a software lifecycle development requirement]
* [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf OWASP is a recommended secure coding guideline in PCI DSS]
* [http://www.ietf.org/rfc/rfc2828.txt Internet Security Glossary]
* [http://www.cio.com/archive/030107/fea_security.html Bad Neighborhood from CIO magazine]

[[Category:New York]]

Reviewing Code for Logging Issues

2007-01-16T17:01:16Z

Heleng:

[[OWASP Code Review Guide Table of Contents]]__TOC__
=== In Brief===
Logging is the recording of information into storage that details who performed what and when they did it (like an audit trail) This can also cover debug messages implemented during development as well as any messages reflecting problems or states within the application. It should be an audit of everything that the business deems important to track about the applications use. Logging provides a detective method to ensure that the other security mechanisms being used are performing correctly. 

There are three categories of logs, application, operation system and security software. While the general principles are similar for all logging needs, the practices stated in this document is specially applicable to application logs. 

A good logging strategy should include log generation, storage, protection, analysis and reporting. 

====Log Generation====
Logging should be at least done at the following events: 

Authentication: Successful & unsuccessful attempts. 
Authorization requests. 
Data manipulation: Any (CUD) Create, Update, Delete actions performed on the application.
Session activity: Termination/Logout events. 

The application should have the ability to detect and record possible malicious use such as events that cause unexpected errors or defy the state model of the application. Users who attempt to get access to data that they shouldn’t, and incoming data that does not meet validation rules or has been tampered with. In general any error condition which could not occur without an attempt by the user to circumvent the application logic. 

Logging should give us the information required to form a proper audit trail of a users actions. 
Leading from this the date/time the actions were performed would be useful. But make sure the application uses a clock that is synched to a common time source.
Logging functionality should not log a any personal or sensitive data pertaining to the user of function at hand that is being recorded; An example of this if your application is accepting HTTP GET the payload is in the URL and the GET shall be loged. This may result in logging sensitive data. 

Logging should follow best practice regarding data validation; maximum length of information, malicious characters…. 
We should ensure that logging functionality only log’s messages of a reasonable length and that this length is enforced. 

====Log Storage====
In order to preserve log entries and keep the sizes of log files manageable, log rotation is recommend. Log rotation means closing a log file and opening a new one when the first file is considered to be either complete or becoming too big. Log rotation is typically performed according to a schedule (e.g. daily) or when a file reaches a certain size. 

====Log Protection====
Because logs contain records of user account and other sensitive information, they need to be protected from breaches of their confidentiality, integrity and availability, the triad of information security. 

====Log Analysis and Reporting====
Log analysis is the studying of log entries to identify events of interest or suppress log entries for insignificant events. Log reporting is the displaying of log analysis.
Although these are normally the responsibilities of the system administrator, an application must generate logs that are consistent and contains info that will allow the administrator to prioritize the records. 

Common open source logging solutions: 

Log4J: http://logging.apache.org/log4j/docs/index.html

Log4net: http://logging.apache.org/log4net/

Commons Logging: http://jakarta.apache.org/commons/logging/index.html
 

In Tomcat(5.5), if no custom logger is defined (log4J) then everything is logged via Commons Logging and ultimately ends up in catalina.out. 
catalina.out grows endlessly and does not recycle/rollover. Log4J provides “Rollover” functionality, which limits the size of the log. Log4J also gives the option to specify “appenders” which can redirect the log data to other destinations such as a port, syslog or even a database or JMS.

The parts of log4J which should be considered apart from the actual data being logged by the application are contained in the log4j.properties file:

#
# Configures Log4j as the Tomcat system logger
#

#
# Configure the logger to output info level messages into a rolling log file.
#
log4j.rootLogger=INFO, R

#
# To continue using the "catalina.out" file (which grows forever),
# comment out the above line and uncomment the next.
#
#log4j.rootLogger=ERROR, A1

#
# Configuration for standard output ("catalina.out").
#
log4j.appender.A1=org.apache.log4j.ConsoleAppender
log4j.appender.A1.layout=org.apache.log4j.PatternLayout
#
# Print the date in ISO 8601 format
#
log4j.appender.A1.layout.ConversionPattern=%d [%t] %-5p %c - %m%n

#
# Configuration for a rolling log file ("tomcat.log").
#
log4j.appender.R=org.apache.log4j.DailyRollingFileAppender
log4j.appender.R.DatePattern='.'yyyy-MM-dd
#
# Edit the next line to point to your logs directory.
# The last part of the name is the log file name.
#
log4j.appender.R.File=/usr/local/tomcat/logs/tomcat.log
log4j.appender.R.layout=org.apache.log4j.PatternLayout
#
# Print the date in ISO 8601 format
#
log4j.appender.R.layout.ConversionPattern=%d [%t] %-5p %c - %m%n

#
# Application logging options
#
#log4j.logger.org.apache=DEBUG
#log4j.logger.org.apache=INFO
#log4j.logger.org.apache.struts=DEBUG
#log4j.logger.org.apache.struts=INFO

=== Vulnerable patterns examples for Logging===

====.NET====
The following are issues one may look out for or question the development team /deployment team.
Logging and auditing are detective methods of fraud prevention. Much overlooked in the industry, which enables attackers to continue to attack/commit fraud without being detected.

They cover Windows and .NET issues:
'''Check that:'''
#Windows native log puts a timestamp on all log entries.
#GMT is set as the default time.
#The Windows operating system can be configured to use network timeservers.
#By default the event log will show: Name of the computer that generated the event; The application in the source field of the viewer. Additional information such as request identifier,username,and destination should be included in the body of the error event.
#No sensitive or business critical information is sent to the application logs.
#Application logs are not located in the web root directory.
#Log policy allows different levels of log severity.

===== Writing to the Event Log=====
In the course of reviewing .NET code ensure that calls the EventLog object do not provide any confidential information.

EventLog.WriteEntry( "<password>",EventLogEntryType.Information);

====JAVA====

[[Category:OWASP Code Review Project]]

Reviewing Code for Logging Issues

2007-01-16T16:57:59Z

Heleng: /* In Brief */

[[OWASP Code Review Guide Table of Contents]]__TOC__
=== In Brief===
Logging is the recording of information into storage that details who performed what and when they did it (like an audit trail) This can also cover debug messages implemented during development as well as any messages reflecting problems or states within the application. It should be an audit of everything that the business deems important to track about the applications use. Logging provides a detective method to ensure that the other security mechanisms being used are performing correctly. 

There are three categories of logs, application, operation system and security software. While the general principles are similar for all logging needs, the practices stated in this document is specially applicable to application logs. 

A good logging strategy should include log generation, storage, protection, analysis and reporting. 

Log Generation 
Logging should be at least done at the following events: 

Authentication: Successful & unsuccessful attempts. 
Authorization requests. 
Data manipulation: Any (CUD) Create, Update, Delete actions performed on the application.
Session activity: Termination/Logout events. 

The application should have the ability to detect and record possible malicious use such as events that cause unexpected errors or defy the state model of the application. Users who attempt to get access to data that they shouldn’t, and incoming data that does not meet validation rules or has been tampered with. In general any error condition which could not occur without an attempt by the user to circumvent the application logic. 

Logging should give us the information required to form a proper audit trail of a users actions. 
Leading from this the date/time the actions were performed would be useful. But make sure the application uses a clock that is synched to a common time source.
Logging functionality should not log a any personal or sensitive data pertaining to the user of function at hand that is being recorded; An example of this if your application is accepting HTTP GET the payload is in the URL and the GET shall be loged. This may result in logging sensitive data. 

Logging should follow best practice regarding data validation; maximum length of information, malicious characters…. 
We should ensure that logging functionality only log’s messages of a reasonable length and that this length is enforced. 

Log Storage[br]
In order to preserve log entries and keep the sizes of log files manageable, log rotation is recommend. Log rotation means closing a log file and opening a new one when the first file is considered to be either complete or becoming too big. Log rotation is typically performed according to a schedule (e.g. daily) or when a file reaches a certain size. 

Log Protection 
Because logs contain records of user account and other sensitive information, they need to be protected from breaches of their confidentiality, integrity and availability, the triad of information security. 

Log Analysis and Reporting 
Log analysis is the studying of log entries to identify events of interest or suppress log entries for insignificant events. Log reporting is the displaying of log analysis.
Although these are normally the responsibilities of the system administrator, an application must generate logs that are consistent and contains info that will allow the administrator to prioritize the records. 

Common open source logging solutions: 

Log4J: http://logging.apache.org/log4j/docs/index.html

Log4net: http://logging.apache.org/log4net/

Commons Logging: http://jakarta.apache.org/commons/logging/index.html
 

In Tomcat(5.5), if no custom logger is defined (log4J) then everything is logged via Commons Logging and ultimately ends up in catalina.out. 
catalina.out grows endlessly and does not recycle/rollover. Log4J provides “Rollover” functionality, which limits the size of the log. Log4J also gives the option to specify “appenders” which can redirect the log data to other destinations such as a port, syslog or even a database or JMS.

The parts of log4J which should be considered apart from the actual data being logged by the application are contained in the log4j.properties file:

#
# Configures Log4j as the Tomcat system logger
#

#
# Configure the logger to output info level messages into a rolling log file.
#
log4j.rootLogger=INFO, R

#
# To continue using the "catalina.out" file (which grows forever),
# comment out the above line and uncomment the next.
#
#log4j.rootLogger=ERROR, A1

#
# Configuration for standard output ("catalina.out").
#
log4j.appender.A1=org.apache.log4j.ConsoleAppender
log4j.appender.A1.layout=org.apache.log4j.PatternLayout
#
# Print the date in ISO 8601 format
#
log4j.appender.A1.layout.ConversionPattern=%d [%t] %-5p %c - %m%n

#
# Configuration for a rolling log file ("tomcat.log").
#
log4j.appender.R=org.apache.log4j.DailyRollingFileAppender
log4j.appender.R.DatePattern='.'yyyy-MM-dd
#
# Edit the next line to point to your logs directory.
# The last part of the name is the log file name.
#
log4j.appender.R.File=/usr/local/tomcat/logs/tomcat.log
log4j.appender.R.layout=org.apache.log4j.PatternLayout
#
# Print the date in ISO 8601 format
#
log4j.appender.R.layout.ConversionPattern=%d [%t] %-5p %c - %m%n

#
# Application logging options
#
#log4j.logger.org.apache=DEBUG
#log4j.logger.org.apache=INFO
#log4j.logger.org.apache.struts=DEBUG
#log4j.logger.org.apache.struts=INFO

=== Vulnerable patterns examples for Logging===

====.NET====
The following are issues one may look out for or question the development team /deployment team.
Logging and auditing are detective methods of fraud prevention. Much overlooked in the industry, which enables attackers to continue to attack/commit fraud without being detected.

They cover Windows and .NET issues:
'''Check that:'''
#Windows native log puts a timestamp on all log entries.
#GMT is set as the default time.
#The Windows operating system can be configured to use network timeservers.
#By default the event log will show: Name of the computer that generated the event; The application in the source field of the viewer. Additional information such as request identifier,username,and destination should be included in the body of the error event.
#No sensitive or business critical information is sent to the application logs.
#Application logs are not located in the web root directory.
#Log policy allows different levels of log severity.

===== Writing to the Event Log=====
In the course of reviewing .NET code ensure that calls the EventLog object do not provide any confidential information.

EventLog.WriteEntry( "<password>",EventLogEntryType.Information);

====JAVA====

[[Category:OWASP Code Review Project]]

Long Island

2006-12-12T14:39:39Z

Heleng: /* External links */

Long Island

2006-12-12T14:12:21Z

Heleng: /* Local News */