Owen Pendlebury 2017 Bio & Why Me?

2017-08-09T10:38:18Z

Owen Pendlebury: updated a small bit

Owen Pendlebury

'''About Owen:'''
Owen has been involved in the OWASP Foundation since 2009. He started out attending OWASP Dublin meetings and helping to facilitate chapter meetings and security workshops. Eventually, he took on the role of Dublin board member and then chapter lead a couple of years later. He has been an extremely active member of the security community and has strived to help drive and improve security best practice at a Global level through his commitment to the OWASP foundation. Owen has been an active and dedicated chapter leader, who has organised regular activities for the OWASP Dublin chapter that benefit the local information security community greatly over the past 7 years. Furthermore, Owen has been heavily involved in the OWASP Women in AppSec committee mentoring within the community. Some of the projects that Owen has been involved in include, AppSec EU 2016 Committee/ Training Committee, AppSec EU 2017 co-organisor/ training chair, DaggerCon, Cyber Startup Summit, Source Dublin, Advanced Threat Intelligence Seminars and numerous security workshops. In 2016 Owen received a WASPY award for his contributions to OWASP and the community.

Owen has over 7 years’ penetration testing, working as part of a global attack & penetration team for a number organisations including a “Big 4” professional services company. With in-depth experience of application and network penetration testing Owen has worked with many local and global institutions to improve their security posture. Owen is currently penetration testing lead for Deloitte Ireland.

Owen has also been involved in local education bodies, architecting a masters in cyber security and helping a number of students and experienced individuals find their way in to the security community by making himself available to through all media.

'''Why Me?'''
I am extremely passionate about OWASP and the community. My main goal is to improve Europe’s/ global security capabilities and I feel I achieve this with a real can-do attitude. I would use my position on the board to ensure that Europe has an equal say and are aligned with OWASPs strategic goals. I would relish the opportunity to get involved at a global level.

The main areas in which I feel I can aid in improving within OWASP globally are;

Projects – focus on projects new, immature and mature aiding these projects to progress to flagship OWASP projects. I feel that there are a number of key projects that have been left in incubator status for way too long. We need work with these projects in order for OWASP to grow. Existing projects need to be encouraged to grow.

Governance – Enable chapters and new OWASP members to flourish without the shadow of big names. OWASP is about the community and we need to focus on the community. Chapters need to be empowered to grow. We need to be transparent in all our actions.

Education – I feel that OWASP can reach further in the community. Not only to security professionals but to students. Students both in college and at high school levels should be empowered to join OWASP and learn from our community. We should stimulate enough interest at Community level to cause student volunteers to engage & participate.

Build relationships with industry, government, and educational institutions

Support the overall OWASP community and its various activities

Increasing the awareness of OWASP outside the security community

OWASP Internet of Things Project

2017-07-26T10:00:52Z

Owen Pendlebury: /* Related Projects */ fixing typo

= Main =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

==OWASP Internet of Things (IoT) Project==

Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”

''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''.

The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.

[[File:iot-project.png|400px|thumb|center]]

==Licensing==
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the OWASP Internet of Things Project? ==

The OWASP Internet of Things Project provides information on:

* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]
* IoT Vulnerabilities
* Firmware Analysis
* ICS/SCADA Software Weaknesses
* Community Information
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]
* Developer, Consumer and Manufacturer Guidance
* Design Principles

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Contributors ==
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]
* Saša Zdjelar

== Related Projects ==

* [[OWASP_Project|OWASP Project Repository]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_.NET_Project|OWASP .NET]]
* [[Java|OWASP Java and JVM]]
* [[C/C++|OWASP C/C++]]

| style="padding-left:25px;width:200px;" valign="top" |

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.


== Quick Download ==
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]

[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]

[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]

[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]

[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]

[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]

[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]

== News and Events ==
* Added a [https://owasp-iot-security.slack.com/ Slack channel]
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]
* Migrating the IoT Top Ten to be under the IoT Project
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]]
|-
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= IoT Attack Surface Areas =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Attack Surface Areas Project ==

The OWASP IoT Attack Surface Areas (DRAFT) are as follows:

{| class="wikitable" style="text-align: left" border="1"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
** UART (Serial)
** JTAG / SWD
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web application vulnerabilities, see:
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
** [[:Category:OWASP Testing Project|OWASP Testing guide]]
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
** Verify for old sw versions and possible attacks (Heartbleed, Shellshock, old PHP versions etc)
* Security related function API exposure
* Firmware downgrade possibility
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Firmware loaded over insecure channel (no TLS)
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard set of web application vulnerabilities, see:
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
** [[:Category:OWASP Testing Project|OWASP Testing guide]]
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Check for insecure direct object references
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|

* Standard set of web application vulnerabilities, see:
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
** [[:Category:OWASP Testing Project|OWASP Testing guide]]
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Privacy'''
|
* User data disclosure
* User/device location disclosure
* Differential privacy
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damage (Physicall)

|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the IoT Attack Surface Areas Project? ==

The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Vulnerabilities Project ==

{| class="wikitable" style="text-align: left" border="1"
! Vulnerability
! Attack Surface
! Summary
|-
| '''Username Enumeration'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to collect a set of valid usernames by interacting with the authentication mechanism
|-
| '''Weak Passwords'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to set account passwords to '1234' or '123456' for example.
* Usage of pre-programmed default passwords
|-
| '''Account Lockout'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts
|-
| '''Unencrypted Services'''
|
* Device Network Services
|
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers
|-
| '''Two-factor Authentication'''
|
* Administrative Interface
* Cloud Web Interface
* Mobile Application
|
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
|-
| '''Poorly Implemented Encryption'''
|
* Device Network Services
|
* Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2
|-
| '''Update Sent Without Encryption'''
|
* Update Mechanism
|
* Updates are transmitted over the network without using TLS or encrypting the update file itself
|-
| '''Update Location Writable'''
|
* Update Mechanism
|
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users
|-
| '''Denial of Service'''
|
* Device Network Services
|
* Service can be attacked in a way that denies service to that service or the entire device
|-
| '''Removal of Storage Media'''
|
* Device Physical Interfaces
|
* Ability to physically remove the storage media from the device
|-
| '''No Manual Update Mechanism'''
|
* Update Mechanism
|
* No ability to manually force an update check for the device
|-
| '''Missing Update Mechanism'''
|
* Update Mechanism
|
* No ability to update device
|-
| '''Firmware Version Display and/or Last Update Date'''
|
* Device Firmware
|
* Current firmware version is not displayed and/or the last update date is not displayed
|-
| '''Firmware and storage extraction'''
|
* JTAG / SWD interface
* [https://www.flashrom.org/Flashrom In-Situ dumping]
* Intercepting a OTA update
* Downloading from the manufacturers web page
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]
* Unsoldering the SPI Flash / eMMC chip and reading it in a adapter
|
* Firmware contains a lot of useful information, like source code and binaries of running services, pre-set passwords, ssh keys etc.
|-
| '''Manipulating the code execution flow of the device'''
|
* JTAG / SWD interface
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]
|
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls.
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device
|-
| '''Obtaining console access'''
|
* Serial interfaces (SPI / UART)
|
* By connecting to a serial interface, we will obtain full console access to a device
* Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.
|-
| '''Insecure 3rd party components'''
|
* Software
|
* Out of date versions of busybox, openssl, ssh, web servers, etc.
|-

|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the IoT Vulnerabilities Project? ==

The IoT Vulnerabilities Project provides:

* Information on the top IoT vulnerabilities
* The attack surface associated with the vulnerability
* A summary of the vulnerability

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Medical Devices =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Medical Device Testing ==

The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.

{| class="wikitable" style="text-align: left" border="1"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''HL7'''
|
* XML Parsing
** XSS
* Information Disclosure
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure:
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
* Security related function API exposure
* Firmware downgrade
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Data Flow'''
|
* What data is being captured?
* How does it move within the ecosystem?
* How is it protected in transit?
* How is it protected at rest?
* Who is that data shared with?
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damaging (Physically)
* Failure state analysis
|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the Medical Attack Surfaces project? ==

The Medical Attack Surfaces project provides:

* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment
* Allows people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.

|}

= Firmware Analysis =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Firmware Analysis Project ==

The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":

{| class="wikitable" style="text-align: left" border="1"
! Section
!
|-
|
Device Firmware Vulnerabilities
|
* Out-of-date core components
* Unsupported core components
* Expired and/or self-signed certificates
* Same certificate used on multiple devices
* Admin web interface concerns
* Hardcoded or easy to guess credentials
* Sensitive information disclosure
* Sensitive URL disclosure
* Encryption key exposure
* Backdoor accounts
* Vulnerable services (web, ssh, tftp, etc.)
|-
|
Manufacturer Recommendations
|
* Ensure that supported and up-to-date software is used by developers
* Ensure that robust update mechanisms are in place for devices
* Ensure that certificates are not duplicated across devices and product lines.
* Ensure supported and up-to-date software is used by developers
* Develop a mechanism to ensure a new certificate is installed when old ones expire
* Disable deprecated SSL versions
* Ensure developers do not code in easy to guess or common admin passwords
* Ensure services such as SSH have a secure password created
* Develop a mechanism that requires the user to create a secure admin password during initial device setup
* Ensure developers do not hard code passwords or hashes
* Have source code reviewed by a third party before releasing device to production
* Ensure industry standard encryption or strong hashing is used
|-
|
Device Firmware Guidance and Instruction
|
* Firmware file analysis
* Firmware extraction
* Dynamic binary analysis
* Static binary analysis
* Static code analysis
* Firmware emulation
* File system analysis
|-
|
Device Firmware Tools
|
* [https://github.com/craigz28/firmwalker Firmwalker]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://github.com/angr/angr Angr binary analysis framework]
* [http://binwalk.org/ Binwalk firmware analysis tool]
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]
* [https://github.com/firmadyne/firmadyne Firmadyne]
|-
|
Vulnerable Firmware
|
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]
|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the Firmware Analysis Project? ==

The Firmware Analysis Project provides:

* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface
* Steps for extracting file systems from various firmware files
* Guidance on searching a file systems for sensitive of interesting data
* Information on static analysis of firmware contents
* Information on dynamic analysis of emulated services (e.g. web admin interface)
* Testing tool links
* A site for pulling together existing information on firmware analysis

== Project Leaders ==

* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Coming Soon

|}

= IoT Event Logging Project=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Logging Events==

This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.

{| class="wikitable" style="text-align: left" border="1"
! Event Category
! Events
|-
| '''Request Exceptions'''
|
* Attempt to Invoke Unsupported HTTP Method
* Unexpected Quantity of Characters in Parameter
* Unexpected Type of Characters in Parameter
|-
| '''Authentication Exceptions'''
|
* Multiple Failed Passwords
* High Rate of Login Attempts
* Additional POST Variable
* Deviation from Normal GEO Location
|-
| '''Session Exceptions'''
|
* Modifying the Existing Cookie
* Substituting Another User's Valid SessionID or Cookie
* Source Location Changes During Session
|-
| '''Access Control Exceptions'''
|
* Modifying URL Argument Within a GET for Direct Object Access Attempt
* Modifying Parameter Within a POST for Direct Object Access Attempt
* Forced Browsing Attempt
|-
| '''Ecosystem Membership Exceptions'''
|
* Traffic Seen from Disenrolled System
* Traffic Seen from Unenrolled System
* Failed Attempt to Enroll in Ecosystem
* Multiple Attempts to Enroll in Ecosystem
|-
| '''Device Access Events'''
|
* Device Case Tampering Detected
* Device Logic Board Tampering Detected
|-
| '''Administrative Mode Events'''
|
* Device Entered Administrative Mode
* Device Accessed Using Default Administrative Credentials
|-
| '''Input Exceptions'''
|
* Double Encoded Character
* Unexpected Encoding Used
|-
| '''Command Injection Exceptions'''
|
* Blacklist Inspection for Common SQL Injection Values
* Abnormal Quantity of Returned Records
|-
| '''Honey Trap Exceptions'''
|
* Honey Trap Resource Requested
* Honey Trap Data Used
|-
| '''Reputation Exceptions'''
|
* Suspicious or Disallowed User Source Location

|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |

== What is the IoT Security Logging Project? ==

The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general are not logging nearly enough events to constitute input for a solid detection and response program around IoT devices, and for companies that want to do this there are not many good resources for what should be logged.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= ICS/SCADA =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== ICS/SCADA Project ==

The OWASP ICS/SCADA Top 10 software weaknesses are as follows:

{| class="wikitable" style="text-align: left" border="1"
! Rank and ID
! Title
|-
| '''1 - CWE-119'''
|
* Improper Restriction of Operations within the Bounds of a Memory Buffer
|-
| '''2 - CWE-20'''
|
* Improper Input Validation
|-
| '''3 - CWE-22'''
|
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|-
| '''4 - CWE-264'''
|
* Permissions, Privileges, and Access Controls
|-
| '''5 - CWE-200'''
|
* Information Exposure
|-
| '''6 - CWE-255'''
|
* Credentials Management
|-
| '''7 - CWE-287'''
|
* Improper Authentication
|-
| '''8 - CWE-399'''
|
* Resource Management Errors
|-
| '''9 - CWE-79'''
|
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
|-
| '''10 - CWE-189'''
|
* Numeric Errors
|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the ICS/SCADA Project? ==

The ICS/SCADA Project provides:

* A list of the Top 10 most dangerous software weaknesses

== Project Leaders ==

* NJ Ouchn

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Security Policy Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Security Policy Project ==

The OWASP IoT Security Policy Project provides:

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the IoT Security Policies Project? ==

The IoT Security Policy Project provides:

== Project Leaders ==

* Saša Zdjelar

== Related Projects ==

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure

[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.

[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.

[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.

[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco 
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] 
Daniel Miessler, Practice Principal 
April 21, 2015 
--- 
Defcon 23 
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] 
Daniel Miessler 
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/iot-this-week/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

WASPY Awards 2017

2017-07-06T09:17:26Z

Owen Pendlebury: adding my profile

[[File:WASPY 2017 Banner.jpg]]

==Purpose of the Awards==

Each year there are many individuals who do amazing work, dedicating countless hours to share, improve, and strengthen the OWASP mission. Some of these individuals are well known to the community while others are not.

'''The purpose of these awards is to bring recognition to those who "FLY UNDER THE RADAR". These are the individuals who are passionate about OWASP, who contribute hours of their own free time to the organization to help improve the cyber-security world, yet seem to go unrecognized.'''

==Timeline==
Call for Nominees Opens June 7, 2017

Call for Nominees Closes June 30, 2017 - CLOSED

Announcement of Nominees per Category July 5, 2017 - DONE

Deadline for Nominee Profile Picture and Bio to be created and added to the Nominees section July 10, 2017

Voting for Board & Staff Members Opens July 17, 2017

Voting for Board & Staff Members Closes July 24, 2017

Winners are Notified July 25, 2017

Announcement of Winners to the Community July 25, 2017

Award Ceremony at AppSecUSA 2017 in Orlando, FL September 21-22, 2017

==Categories==
The WASPYs celebrate the actors in our community who grow OWASP and drive innovation to the safety and security of the world’s software. This year we are excited to offer three categories.
 

'''Best Community Supporter''' - The WASPY for COMMUNITY honors members who create dynamic INTERACTION and LEARNING opportunities for the OWASP Community. Nominees to the Community WASPY Award create collaborative and inclusive environments and grow the OWASP Community. WASPYs focus on the unsung heros of the OWASP community. Chapter Leaders and Community Members should especially consider leaders and volunteers who bring something extra to the environment, help the chapter reach out to new attendees, or carry out the tedious and repetitive tasks that make growing an OWASP Chapter possible.
 

'''Best Mission Outreach''' - The WASPY for Mission Outreach honors community members who help the community GROW. Growth can happen inside the larger OWASP community or outside it in the broader AppSec and development communities. Leaders and Members should especially consider volunteers who pushed the boundaries of the audience and reach of OWASP to provide new exposure for OWASP’s projects and chapters. New leaders and volunteers who help bring more people to your chapter, project, or actively represent OWASP at non-OWASP events, gatherings, and activities to build an active OWASP community are ideal candidates for the Mission Outreach WASPY award.
 

'''Best Innovator''' - The WASPY for Innovation is given to a community member who has contributed to the TECHNICAL advancement of OWASP in the past year. This advancement is usually through an [[:Category:OWASP Project|OWASP Project]] and can be in the form of code, an application, or anything that materially makes the AppSec community better in a unique way. WASPYs focus on the unsung heros of the OWASP community who quietly go about making the world a bit better for their work. Project Leaders and Community Members should especially consider nominating new projects, projects that have recently graduated, and project contributors for this WASPY.

==Rules==
'''Remember the purpose of these awards is to recognize the UNSUNG HEROS out there, that are barely recognized for their contributions to the OWASP Foundation.'''

1. [https://www.owasp.org/index.php/About_OWASP#2015_Global_Board_Members Board members] may not be nominated

2. [https://www.owasp.org/index.php/About_OWASP#Employees_and_Contractors_of_the_OWASP_Foundation Employees & Contractors] may not be nominated

3. All nominees will remain anonymous until July 3, 2017

4. Anyone can nominate an "unsung hero" who has contributed in some way to OWASP who they feel best fits each category

5. You may only nominate one person per category

=='''And the Nominees Are...'''==
{| border="1" cellpadding="2"
! scope="col" align="center" width="150" |Name
! scope="col" align="center" width="800" |Category & Citation
|-
| align="center" |Aatral Arasu
|'''''Best Community Supporter'''''
"A great leader always there to help responds to emails quickly loves his work works very hard every day very supportive never loses focus strong willed very technical and willing to do things himself to get the job done when asked for something he will get it to you ASAP constant learner open to suggestions and ideas on how to be better respectful honest caring and I am certain HRC will make it big very soon :)"
|-
|Sean Auriti
|'''''Best Community Supporter'''''
"Sean has not only worked as a volunteer in the local chapter building community, his code projects are useful to the mission and his outreach efforts have included funding requests for OWASP Foundation to grow its mission. Sean is a great example of a community member."
|-
|Nicole Becher
|<nowiki/>'''''Best Community Supporter'''''

"Nicole has been an amazing chapter leader. She brings knowledge and experience teaching cybersecurity to the Mentor Initiative, WIA Committee, and projects."
|-
|Ken Belva
|<nowiki/>'''''Best Community Supporter'''''

"Ken is a long time chapter leader of the NYC chapter and a former chapter leader of the Brooklyn Chapter. Ken is always willing to step in and volunteer to help with OWASP initiatives and is a frequent participant in OWASP events as both a volunteer and speaker. Ken has spoken at AppSec USA on XSS techniques (<nowiki>https://www.youtube.com/watch?v=G539NwvpL3I</nowiki>) and is the project lead for the Basic Expression and Lexicon Variation Algorithms project (<nowiki>https://www.owasp.org/index.php/OWASP_Basic_Expression_%26_Lexicon_Variation_Algorithms_(BELVA)_Project)</nowiki>."
|-
|Tony Clarke
|<nowiki/>'''''Best Community Supporter'''''
"Tony has selflessly brought the OWASP dublin chapter to great nights. He has nurtured the chapter to be inclusive and open whilst growing the average attendee count to hundreds. He has spread the word across both security industry and developer industry and has also managed to get various organisations to work together such as ISACA, IISF, ISSA and ISC2. He is a great leader and despite detractors has built the chapter and awareness of software security issues in a strong vendor neutral manner to a great place. Tony is a great example of OWASP and industry leadership."
|-
|Dinis Cruz
|<nowiki/>'''''Best Community Supporter'''''
"Diniz is a fantastic innovator and motivator. As the mastermind and organizer behind the OWASP Summit he has managed to re-energize the OWASP community - many interesting projects would not have happened (or at least, not been that successful) without his passionate work. Besides organizing the event, he also consistently supported project leaders with his experience and ideas."

'''2nd Citation:''' Dinis put ridiculous effort (<nowiki>https://github.com/OWASP/owasp-summit-2017/commits?author=DinisCruz</nowiki>) into the OWASP Summit 2017 and didn't tire promoting this event!
|-
|Christian Folini
|'''''Best Community Supporter'''''

"Christian Folini is very active in the Core Rule Set project community. He responds to a ton of questions submitted by newcomers when they are stuck and he answers expert level questions with stunning detail. He joined Chaim and Walter when they revived the project in 2016 and I heard he had the idea for the famous CRS3 release poster <nowiki>https://modsecurity.org/crs/poster</nowiki> that was shared all over the net. I think it's people like him that give OWASP a human face."
|-
|Joaquin Fuentes
|'''''Best Community Supporter'''''
"In 2015, Joaquin took it upon himself to revive the OWASP Phoenix Chapter. He created a meet-up group to gain broader visibility. Since 2015, the meeting attendance has grown from an average of 15 attendees to over 60! Joaquin dedicates a lot of time and effort into scheduling an impressive variety of presentation topics including safe hacking, vulnerability scanner deep dives, hands on web exploitation CTF, video game hacking and more. I learn something new and cool at every event.

More importantly, Joaquin works hard to foster a friendly, inclusive environment. During our hands-on web exploitation session, Joaquin recruited co-works to assist participants with the Security Shephard challenges so no one felt overwhelmed or impossibly stuck. He always takes the time meet and welcome new members. For example, my 17-year-old son attends meetings with me. He looks up to Joaquin as a mentor for a future information security career because Joaquin encourages his learning and offers career guidance.

I highly recommend Joaquin for a WASPY award!! He is a kind, soft spoken person with a passion for sharing information security and helping others!"

'''2nd Citation:''' "He resurrected the Phoenix chapter and has kept it going with great content."

'''3rd Citation:''' "For all he has done to build up the Phoenix OWASP community. Prior to Joaquin taking point the community in Phoenix was dead. Meetings weren't happening on a regular basis. The prior leaders had done a great job but I think they had burnt out. Joaquin started the community back up and got corporate support from his employer to facilitate not only regular meetings but great meetings with great content. He also implemented MeetUp. I'm not a consistent attendee because of my work/life schedule but I always know when the meetings are happening and what the subject matter will be because of Joaquin utilizing MeetUp."

'''4th Citation:''' "Put simply, due to the efforts of Joaquin Fuentes, the Phoenix chapter has risen from the ashes (some pun intended). Before Joaquin took over the chapter there were consistently between 5-10 persons in attendance, Joaquin himself being one of them, and the chapter only met about every 3 months or so. Since Joaquin took over the chapter, we have had fantastic presenters each month, paid for dinners, along with a collaborative, comfortable, and engaging environment to meet in. Even more impressive the attendance has grown to 60+ consistently. Joaquin isn't even done yet! He is more great ideas and plans for the chapter that will undoubtedly contribute to the continued growth and over all quality of this once fallen chapter. When he speaks of where this chapter has come from and his plans for the future, it is undeniable to all that he does so with the passion that a leader must possess to accomplish that which Joaquin has."

'''5th Citation:''' "I am sure someone else will write in with Joaquin's email, but I felt the need to second his name on the list. The events he puts together are top notch, have excellent speakers, always have things to eat, and are generally excellent. I almost never miss them. He is actually so gracious about the entire chapter that I am sure he does not get the credit he deserves... the whole show is put on by just him, I think. Yay Joaquin!"

'''6th Citation:''' "A few years ago, the Phoenix (AZ) OWASP group was basically defunct. As the leader of the Phoenix OWASP group, not only has Joaquin helped to resurrect the group, but we've had great presentations on reverse engineering, secure coding, a hands-on CTF contest with Security Shepherd, etc. Joaquin is a very visible member of the security community being an employee at Early Warning, which not only hosts the OWASP meetings, but also is a sponsor and makes a strong showing at CactusCon every year, the biggest security conference in Arizona.

Our local OWASP group is not strong, going from being non-existent a few years ago to now getting a regular attendance of 40-80 people. I've gotten to know Joaquin through OWASP meetings and other security events in the area I have crossed paths with him, and he is a fine representative and evangelist for the OWASP organization."

'''7th Citation:''' "Joaquin is the Phoenix OWASP Chapter leader and regularly plans amazing talks with great speakers for the Phoenix Community. Frequently, the Phoenix OWASP talks will have over 50 attendees which Joaquin manages without a problem! Joaquin also pushes for candidates he is interviewing to be familiar with OWASP before their interview."

'''8th Citation:''' "Joaquin is the leader for the Phoenix OWASP, and it is clear that through his leadership the Phoenix OWASP thrives. Joaquin organizes all the meetings, and is constantly working with folks to create an excellent sense of community in the Phoenix area."

'''9th Citation:''' "Joaquin has taken the Phoenix OWASP chapter that had not been managed for years and brought it back to life. We consistently see 50+ members coming to our Meetups to talk about AppSec related topics. Joaquin is well connected to the InfoSec groups and has had great success in pulling in new speakers, we have already had a few speakers who are prepping their BlackHat and DefCon talks by giving their presentations to our local chapter. Finally Joaquin does a great job by reaching out to the local colleges and supporting CTF activities to garner interest in pen-testing and the OWASP community. He is a true community supporter and fully deserves a WASPY for his efforts..."

'''10th Citation:''' "Joaquin has been leading the OWASP Phoenix chapter and due to his initiative, has placed Phoenix on the map as a hub for application security. I would like to nominate him because he is always bringing in new and interesting speakers that provide great content. The most recent OWASP chapter meeting had over 60 attendees!"

'''11th Citation:''' "As a leader of Phoenix OWASP chapter, Joaquin strives to organize talks and trainings to make people in the valley learn InfoSec and AppSec from experienced individuals. He has always gone a step ahead to conduct OWASP meetings that are informative and hands on. Right from giving Arizona State University (ASU) students an overview of basic InfoSec and career opportunities to organizing a hands on hacking workshop for people in the community, Joaquin has always demonstrated passion and determination to take Phoenix to a better place in the field of Cyber Security."

'''12th Citation:''' "I've attended and participated in three OWASP meetings lead by Joaquin. They are always well organized, offer a great learning experience and considerably contribute to the community. His continuous interest and dedication to the Phoenix chapter do not go unnoticed and are appreciated by all who attend."

'''13th Citation:''' "Joaquin restarted the OWASP chapter in Phoenix/Scottsdale. Chapter meetings have grown significantly to where there were about 65 attendees at the most recent meeting with hundreds more on the mailing list (I was at the meeting, but I've only heard about the mailing list). As someone who works with him, I know how dedicated he is to the work of IT security and he's been able to attract top-notch speakers for OWASP meetings.'

'''14th Citation:''' "Joaquin had successfully revived the Phoenix OWASP Chapter. Since, the chapter has excelled from zero to filled audience bringing security talent from all around to speak and educate to security professionals on the many facets of security domains.

Additionally, this has provided a great forum to network with the many security professionals around the community and share their knowledge and strengthen the security community.

Joaquin has provided his unselfish time as an OWASP Chapter leader, and has breathed new life into the Chapter."

'''15th Citation:''' "Joaquin does a bang up job of running the Phoenix OWASP chapter. He does a great job of raising awareness and bringing folks from the infosec community into the fold."

'''16th Citation:''' "Joaquin Fuentes has had a big impact in raising attendance at the Phoenix meetings to more than 100 people monthly. The quality has gotten significantly better under his leadership. He has organized many speakers, including recruiting speakers from out of the area that have significantly developed the knowledge base of the community. Joaquin is a pen testing manager at Early Warning and he shares his professional knowledge to help us all become better in the practice of information security."

'''17th Citation:''' No citation was submitted
|-
|Brendan Gormley
|'''''Best Community Supporter'''''
"Throughout the Brendan has not only assisted in making the dublin chapter events happen but taken a lead role. Brendan has organised venues and speakers for these events often going above and beyond to ensure success. Brendan has also been involved in some of the outreach programs the Dublin chapter had been involved in. No task is too big or too small for Brendan and without him I don't believe the Dublin chapter would be what it is."
|-
|Tanya Janca
|'''''Best Community Supporter'''''
"Tanya Janca has been performing “outreach” and “recruitment of women” as her main chapter leader responsibilities for the Ottawa chapter since 2015. The chapter has not only grown by over 500% in that time, but female membership has grown from 2 female members to over 70 (the chapter has grown for many reasons, some of which are her promotional efforts). Activities include starting a mentoring program that matches senior AppSec members of the community with juniors or people who are hoping to get into Application Security; attending all sorts of technology meetups (but especially female-centric ones) to talk about OWASP and personally invite them to attend; bringing OWASP products, concepts and resources to the Canadian Government (and is currently attempting to sway policy to be more application security focused as we speak); as well as performing over 40 public speaking engagements that describe OWASP as “Your new BFF” as part of the application security lesson she has taught. She has also begun speaking at conferences semi-regularly, singing OWASP’s praises as part of every presentation. She also forms female groups to attend events together, to make them more accessible, such as her all-female team for the Ottawa iHack CTP and “Learn by Breaking things” event in June 2017 and her all female CTF team for OWASP Ottawa’s first CTF in 2015. Her claim of being an “application security evangelist” certainly seems fitting."
|-
|Jeremy Long
|'''''Best Community Supporter'''''
"Jeremy is a dedicated security engineer who contributes to the community as a developer, mentor, contributor and leader. He's one of the smartest people I know - and one of the few who has patience with "the rest of us". He is generous with his time and knowledge, helping not only to contribute apps and resources, but to build up the community itself."
|-
|Akash Mahajan
|'''''Best Community Supporter'''''
"Akash has been backbone of OWASP bangalore chapter he has done lot of work for evangelizing OWASP. For more than 7 years now he has been working with the chapter and mentored lot of folks. No wonder he is called "the web app security guy"."
|-
|Dhiraj Mishra
|'''''Best Community Supporter'''''
"Dhiraj Mishra - has been contributed and volunteered to, OWASP Mumbai Student chapter and Mumbai local chapter.

He has endorse students to be part of multiple open community, however been an Sudent Chapter leader for OWASP he has discussed and shared multiple Information Security topics start from the scratch and spreading the idea's and awareness via chapter Meets, he has taken multiple session in NULL as well which runs with OWASP local chapter Mumbai, recently he invited Mozilla Club Mumbai to student chapter so that students can go to their area of interest, he always pushup/boost women in infosec. Apart from this he has taken various sessions in different colleges and have shared knowledge about Cyber Security."
|-
|Denise Murtagh-Dunne
|'''''Best Community Supporter'''''
"Denise has been a hugely active member of the Dublin chapter and has been involved in all chapter meeting throughout the year and is ever keen to role up her sleeves and get stuck into work that others shy away from. This includes everything from setting up the meeting tools, organising venues, working with sponsors, getting speakers and assisting speakers in the run up and during events. She's been a very positively influence on the community and chapter and has encouraged other people to get involved. She's constantly updating and posting content on our social media accounts and making sure our members get relevant and interesting content. While in full time employment, Denise gives up family time to contribute to the chapter and ensure OWASP Dublin remains a vibrant and relevant group that engages the developer and security community locally."
|-
|[[User:Owen_Pendlebury|Owen Pendlebury]]
|'''''Best Community Supporter'''''
"Owen Pendlebury has been a key local OWASP volunteer over the last number of years. From being on the local Dublin chapter board to leading the Dublin chapter he regularly hosted and spoke at numerous collaborative and insightful security meetups.

He has also been involved in organising AppSec EU in Rome and more recently co-organised the Belfast conference which was the biggest ever EU conference. As part of organising the conference in Belfast he negotiated that all chapters within Ireland would benefit financially getting a percentage of the conference profits to allow the chapters to bring bigger, better and more collaborative meetings to the Irish OWASP community and grow the communities across the country.

I don’t know where he has found the time but has also been part of the Women in AppSec committee mentoring a number of individuals throughout the year. He took part in the Women in AppSec events in Belfast giving some insightful opinions into how improve attendees career. Owen is an asset that helps to improve Ireland's security community’s capabilities with a real can-do attitude."
|-
|Mick Ryan
|'''''Best Community Supporter'''''
"Mick always assists with chapter meetings and works to ensure we give the community good quality sessions. Mick assists will all areas including reaching out to potential speakers, getting info and bios from them, arranging dates and venues, posting on social media and the logistics of the meetings and ensuring speakers have the right cables, meetings run to time, that speakers are happy with everything, taking photos to promote the chapter on social media, encouraging people to speak, printing the chapter and getting people to events! Thanks Mick for your contribution in 2017!"
|-
|[https://www.owasp.org/index.php/Sriram Sriram]
|'''''Best Community Supporter'''''
"[https://www.owasp.org/index.php/Sriram Sriram] has been conducting awareness program to the college students. Sriram has created awareness among 12000 Students without the support of anyone. Sriram has been tremendously supporting the OWASP Chapter by giving trainings to various college student, corporates and various chapters.."
|-
|Michelle Simpson
|'''''Best Community Supporter'''''
"Michelle has done an amazing job with the Belfast chapter and works tirelessly to improve the OWASP community and advocate strong app sec practices. This is very evident from the people attending the chapter events, organisations participating and the very successful AppSecEU conference that was held in Belfast in 2017. Michelle put a huge amount of work and effort into planning and preparation for AppSecEU to ensure the conference was of a high calibre. This was a sustained commitment over the majority of 2017 on top of local chapter commitments. I'd like to nominate Michelle for all the hard work and effort she puts into the chapter. Thanks Michelle!"
|-
|Steve Springett
|'''''Best Community Supporter'''''

"Steve has been a tremendous supporter of the OWASP dependency-check project and leader on the related dependency-track platform. He is quick to respond to community question, answering with insightful and accurate responses assisting the community in their use of the dependency-check suite of tools."
|-
|John Vargas
|'''''Best Community Supporter'''''

"During the last 9 years John, together with a very small group of volunteers, has been making efforts to keep the chapter of Lima, Peru. Performing activities such as monthly meetings, internal trainings and participating actively in the OWASP Latam Tour. For the chapters in Latin America to keep afloat these activities with few resources is something very complicated and deserves recognition."
|-
|Tara Williams
|'''''Best Community Supporter'''''

"Tara cares about integrity, inclusion and transparency, she is passionate about making OWASP a better place for all members of the community. With her talents in communications, she is getting the word out about OWASP's benefits to community members and attracting new members to chapter meetings, especially identifying successful pathways to transition meetup members to full members."
|-
|Aatral Arasu
|'''''Best Mission Outreach'''''
'''"'''A great leader always there to help responds to emails quickly loves his work works very hard every day very supportive never loses focus strong willed very technical and willing to do things himself to get the job done when asked for something he will get it to you ASAP constant learner open to suggestions and ideas on how to be better respectful honest caring and I am certain HRC will make it big very soon :)"
|-
|Sean Auriti
|'''''Best Mission Outreach'''''
"Sean mentors, is a speaker, leads projects, is an active chapter leader and chapter Treasurer, participating in meetup events and a great representative at global, regional and external events."
|-
|Tony Clarke
|'''''Best Mission Outreach'''''
"Tony has grown the chapter over the last year to a point where hundreds of people are attending meetings. The meetings are organised in advance now and have a theme. There were some really interesting people speaking at the chapter meetings including Simon Singh, James Lyne, Brian Honan and Jane Franklin. He has also engaged support from local companies with a lot more attending and sponsoring the chapter. There is a real buzz at chapter meetings and they're not just death by PowerPoint which they had been in the past."
|-
|Christopher Frenz
|'''''Best Mission Outreach'''''

'''"'''Christopher Frenz should be nominated for the Best Mission Outreach WASPY for his work as the Project Lead for the OWASP Anti-Ransomware Guide Project and the OWASP Secure Medical Device Deployment Standard Project. In the wake of WannaCry, anti-ransomware guidance has become more pertinent than ever and the project is regularly updated to keep abreast of the latest ransomware adaptations. Chris regularly shares his anti-ransomware knowledge with the security and healthcare communities and is an advocate for organizations conducting mock ransomware incidents. Chris has shared his knowledge of ransomware protections and of pertinent OWASP resources in numerous venues including articles (<nowiki>https://iapp.org/news/a/why-the-wannacry-outbreak-should-be-a-wake-up-call/</nowiki>) and conference presentations at both the local and international level (<nowiki>https://iapp.org/conference/iapp-canada-privacy-symposium/sessions/?id=a191a000000zrqPAAQ</nowiki>). A Spanish version of the guidance is also available. In addition, he has worked to call attention to the need for healthcare facilities to improve the security of their medical device implementations and is responsible for authoring version 1 of the OWASP Secure Medical Device Deployment Standard. The project has really worked to raise awareness of these issues and has been covered by CSO magazine (<nowiki>http://www.csoonline.com/article/3188230/security/how-to-securely-deploy-medical-devices.html</nowiki>) and other news sources. Chris has given interviews on medical device security for the Cloud Security Alliance and others and will be speaking on medical device security at the Defcon BioHacking Village. Chris is always willing to share his knowledge with all who ask and is an active member of the NYC and Brooklyn OWASP chapters."
|-
|Joaquin Fuentes
|'''''Best Mission Outreach'''''
"For all he has done to build up the Phoenix OWASP community. Prior to Joaquin taking point the community in Phoenix was dead. Meetings weren't happening on a regular basis. The prior leaders had done a great job but I think they had burnt out. Joaquin started the community back up and got corporate support from his employer to facilitate not only regular meetings but great meetings with great content. He also implemented MeetUp. I'm not a consistent attendee because of my work/life schedule but I always know when the meetings are happening and what the subject matter will be because of Joaquin utilizing MeetUp."

'''2nd Citation:''' "Joaquin has been leading the OWASP Phoenix chapter and due to his initiative, has placed Phoenix on the map as a hub for application security. I would like to nominate him because he is always bringing in new and interesting speakers that provide great content. The most recent OWASP chapter meeting had over 60 attendees!"

'''3rd Citation''': "Joaquin Fuentes has had a big impact in raising attendance at the Phoenix meetings to more than 100 people monthly. The quality has gotten significantly better under his leadership. He has organized many speakers, including recruiting speakers from out of the area that have significantly developed the knowledge base of the community. Joaquin is a pen testing manager at Early Warning and he shares his professional knowledge to help us all become better in the practice of information security."

'''4th Citation''': "My job takes me to many different OWASP Chapters, along with ISSA, CSA, ISACA, etc.
The Phoenix OWASP Chapter was DEAD before Joaquin volunteered to lead the Chapter a few years ago.
It is now consistently one of the BEST ITSec community gatherings, and I go out of my way to be in Phoenix for their meetings.
To put it a different way, at my first Phoenix OWASP meeting there were less than 12 attendees, including myself and the speaker. Last week it was standing room only (75+) *and* there would have been more if Interstate 17 hadn't been closed in both directions at the start of rush-hour.
Part of the reason Joaquin deserves this award is that he is EXTREMELY knowledgeable about AppSec and many other aspects of data security and he is ALWAYS friendly and willing to share. His day-job is no picnic, but he finds the time to put together great meetings and do it in a way that everybody has a good time."
|-
|Tanya Janca
|'''''Best Mission Outreach'''''
"Tanya has been instrumental in outreach in the Ottawa Ontario Canada region building membership and participation in the local OWASP chapter, as well as building bridges with other local organizations (Python user group, Ruby Rails user group, WIA, etc.). Tanya has also been a driver in getting a mentoring program setup via the Ottawa chapter. She has also encouraged participation in local CTF events, presented at local conferences (BSides, etc). Tanya's enthusiasm, support, and interaction is often contagious (in a good way :) ). Lastly, Tanya is a strong advocate or evangelist for OWASP projects, promoting such as appropriate per audience/presentation (including, but not limited to: ZAP, Top 10, SKF)."

'''2nd Citation:''' "Tanya Janca is an excellent ambassador for OWASP. Since her entry into the lead team of the OWASP Ottawa chapter, she has doubled the size of the chapter and developed the chapter into a meeting place for dozens of women interested in Application Security.
Tanya Janca is an energetic speaker who held a fantastic presentation at AppSecEU in Belfast. <nowiki>https://www.youtube.com/watch?v=mPTmuaC2lOI</nowiki> She was subsequently invited to the Swiss Cyberstorm Conference where her addition to the rooster was explained in an admiring blogpost <nowiki>https://swisscyberstorm.com/2017/05/23/Introducing_Tany_Janca.html</nowiki>
Tanya Janca has the ability to talk security to techies and management alike. She is pushing for the adoption of OWASP practices and project by the government of Canada her employer. Having received the Government of Canada’s CIO Award for “Excellent in Security” in 2016 she refused to move into the private sector, but continues to support the security community inside the public sector, where her excellent know-how is very important."

'''3rd Citation:''' "Tanya Janca has been performing “outreach” and “recruitment of women” as her main chapter leader responsibilities for the Ottawa chapter since 2015. The chapter has not only grown by over 500% in that time, but female membership has grown from 2 female members to over 70 (the chapter has grown for many reasons, some of which are her promotional efforts). Activities include starting a mentoring program that matches senior AppSec members of the community with juniors or people who are hoping to get into Application Security; attending all sorts of technology meetups (but especially female-centric ones) to talk about OWASP and personally invite them to attend; bringing OWASP products, concepts and resources to the Canadian Government (and is currently attempting to sway policy to be more application security focused as we speak); as well as performing over 40 public speaking engagements that describe OWASP as “Your new BFF” as part of the application security lesson she has taught. She has also begun speaking at conferences semi-regularly, singing OWASP’s praises as part of every presentation. She also forms female groups to attend events together, to make them more accessible, such as her all-female team for the Ottawa iHack CTP and “Learn by Breaking things” event in June 2017 and her all female CTF team for OWASP Ottawa’s first CTF in 2015. Her claim of being an “application security evangelist” certainly seems fitting."
|-
|Kitisak Jirawannakool
|'''''Best Mission Outreach'''''

"Web security is notoriously bad in Thailand, so an actives security community is sorely needed. Kitisak is a central figure in that community. He has worked on establishing the OWASP Bangkok chapter for the past six years, organizing meetups, community outreach and engaging with security experts internationally. His work has played a pivotal role in creating IT security awareness in the fast-growing South-East-Asian country."
|-
|James Manico
|'''''Best Mission Outreach'''''
"Jim's influence on OWASP materials (and therefore on application security) is amazing - he's cited on nearly every cheat sheet on OWASP Top 10 document. His name is synonymous with application security."

'''2nd Citation: "'''While Jim may not be the "unsung hero" - he is the first and foremost cheerleader/champion of OWASP. His efforts and contributions are innumerable. As anyone who knows Jim - he is not a reserved individual when touting the resources available via OWASP. He has likely done more then anyone else working with OWASP to bring together, motivate, and get individuals to contribute to OWASP. From the immensely popular checklists to motivating individuals to contribute. OWASP would not be nearly as successful as it has been without Jim."
|-
|Mateo Martinez
|'''''Best Mission Outreach'''''
"Mateo is one of the leaders in Latin America more recognized, during the last years his efforts to join the chapters chapter along with other leaders of Latam made that the community grew and that today the Latam Tour 2017 has more than 15 participating countries. He also managed to spread the spirit of owasp and help establish new chapters in the region.
The effort to maintain more communication between OWASP GLobal and local communities is reflected in each activity that encourages other leaders to ensure that they strive every day to spread Owasp projects and to grow the community."
|-
|Mark Miller
|'''''Best Mission Outreach'''''

"The OWASP Podcast is a effort that is in line with the mission of OWASP raising visability for software security. This is a VERY powerful voice in the community globally and Mark Miller should be applauded for his efforts on this
<nowiki>https://www.owasp.org/index.php/OWASP_Podcast</nowiki>"
|-
|Dhiraj Mishra
|'''''Best Mission Outreach'''''

"Dhiraj was nominated for WASPY 2016, his contribution to the community is from past one 'n half year in various areas, start from the projects, local volunteering and what not, he was also listed in OWASP Hall Of Fame."
|-
|[[User:Owen_Pendlebury|Owen Pendlebury]]
|'''''Best Mission Outreach'''''
"Owen is an active participator in OWASP meetings and has been a great inspiration to me.
He has shown himself to be a great leader and OWASP advocate.
Owen has recommended other AppSec communities in which I have become involved in since moving to Dublin. He is an evangelist for women in technology and I have witnessed this first hand.
I don't hesitate to recommend Owen for this award."

'''2nd Citation:''' "Owen has introduced me to the OWASP Community in Ireland and EU. Help me to get involve with Women in AppSec and participate in the AppSec EU event in Belfast. He is a great leader, who enjoys talking about OWASP and the great community behind it.
I've moved to Ireland a couple of months ago, and getting to know Owen and the OWASP community has completely changed my life, both professionally and personally.
So, yes, I would like to nominate Owen Pendlebury because he the proof that Women in AppSec is not just a women matter. :)"
|-
|[https://www.owasp.org/index.php/Sriram Sriram Shyam]
|'''''Best Mission Outreach'''''
"Sriram has been conducting awareness program to the college students. Sriram has created awareness among 12000 Students without the support of anyone."
|-
|Noreen Whysell
|'''''Best Mission Outreach'''''

"Noreen is helping each day to improve OWASP members' experiences bringing her expertise and knowledge as a mentor and projects as a Chapter Leader, one member at a time. She understands what members want, how to improve member benefits and is applying that knowledge to improving local and global member experiences from the ground up. Her efforts are multiplied by her sharing of knowledge and grassroots approach creating a membership groundswell."
|-
|Aatral Arasu
|'''''Best Innovator'''''
"A great leader always there to help responds to emails quickly loves his work works very hard every day very supportive never loses focus strong willed very technical and willing to do things himself to get the job done when asked for something he will get it to you ASAP constant learner open to suggestions and ideas on how to be better respectful honest caring and I am certain HRC will make it big very soon :)"
|-
|Sean Auriti
|'''''Best Innovator'''''
"Sean leads the BLT Project and is a Team Leader for the Learning Gateway project. He has helped improve the quality of web experiences, including OWASP.org ."
|-
|Glenn & Riccardo ten Cate
|'''''Best Innovator'''''
"I am hereby nominating the brothers Glenn & Riccardo ten Cate from the Netherlands for the WASPY award in this category. They are known for their work on the open-source project SKF (Security Knowledge Framework). These are two guys who are dedicated to spreading security knowledge trough the means OWASP has to offer. You might have encountered them talking at seminars, promoting their project and OWASP, or different companies where they teach development teams how to integrate the OWASP core principles in their workflow using their project. Not only professional development teams but also students of security can only be amazed at the sheer knowledge they gathered and contribute to the global OWASP community trough open source. The sheer effort they put in this project teaches, guides, structures and shows by example how to test and write secure applications by design. There is no other software out there that does this. And that is why they deserve this nomination for best innovator 2017."
|-
|Mark Deenihan
|'''''Best Innovator'''''
"Mark for his constant devotion and work on the OWASP security shepherd project and continuing to develop it and teach people globally about app sec."
|-
|Seba Deleersnyder
|'''''Best Innovator'''''
"One of the main projects to date is SAMM. Seba with the support of project colliders has made this a flagship project of OWASP. The level of maturity and the number of improvements obtained indicates that this project is one of the most mature and a great projection to the future."
|-
|Christopher Frenz
|'''''Best Innovator'''''
"Chris' projects are opening doors for OWASP in the standards development and getting the word out about important IoT with his Medical Device Deployment Standard: <nowiki>https://www.owasp.org/index.php/OWASP_Secure_Medical_Device_Deployment_Standard</nowiki> which already has a Turkish translation and attracted attention from the Turkish public health department. He has delivered presentations at meetups, and presenting to the IDESG, www.idesg.org in July. He has a "soup label" tool that gives simple guidance for the implementation of the OSMDDS. This is not Chris' first project but it is surely one of the best OWASP innovations of the year."
|-
|Joaquin Fuentes
|'''''Best Innovator'''''
"Joaquin has been leading the OWASP Phoenix chapter and due to his initiative, has placed Phoenix on the map as a hub for application security. I would like to nominate him because he is always bringing in new and interesting speakers that provide great content. The most recent OWASP chapter meeting had over 60 attendees!"

'''2nd Citation:''' "Joaquin Fuentes has had a big impact in raising attendance at the Phoenix meetings to more than 100 people monthly. The quality has gotten significantly better under his leadership. He has organized many speakers, including recruiting speakers from out of the area that have significantly developed the knowledge base of the community. Joaquin is a pen testing manager at Early Warning and he shares his professional knowledge to help us all become better in the practice of information security."
|-
|Brian Glas
|'''''Best Innovator'''''
"Brian has been paramount in 2 very strategic initiatives for OWASP. He is not only a Project Leader for the OWASP SAMM project but he has been instrumental in revamping the call for data and reorganizing the flagship OWASP Top Ten. Brian continues to support and speak about the benefits of supporting OWASP especially projects and participating in the Summit. Please consider Brian Glas as the Best Community Supporter for this year."
|-
|Evin Hernandez
|'''''Best Innovator'''''
"Evins focus on the core of the information security platform with Virtual Village has provided the global community with a place to experiment and leverage for testing... <nowiki>https://www.owasp.org/index.php/OWASP_Virtual_Village_Project</nowiki>"
|-
|Jeremy Long
|'''''Best Innovator'''''
"Considering how often projects have a great start and plateau, we should recognize the ongoing effort and dedication given to one of the Flagship projects in our community.
Jeremy Long has continued to not only maintain the Dependency Check project but develop and improve it each year.
This year he added Improvements in the core dependency-check platform in terms of code quality, achieved 100% for the CII Best Practices for dependency-check, continued to develop the ODC community with several contributors submitting PRs, and over the last several months he's been working on platform maturity and will be releasing 2.0.0 in the first half of July 2017.
After 2.0 is released he has planned work on Python support and expanding the tool by integrating additional data-sources such as Artifactory, Redhat Victim's, OSS-Index, etc."

'''2nd Citation:''' "Jeremy has been an avid contributor/leader for the OWASP dependency-check project. Under his leadership the project has garnered substantial community support in terms of pull requests, improved code quality via Sonarcloud, Coverity, Codacy, and CII Best Practices. While the last six months have been primarily around code quality and bug fixes; these improvements are setting the dependency-check project up for major enhancements over the coming months!"
|-
|Daniel Miessler
|'''''Best Innovator'''''
"Daniel seems to be everywhere at once - despite have a full-time job, he is leading or co-leading several OWASP projects, has created ideas for groups out of thin air, and has performed work in much needed areas.
This year, Daniel has lead or co-lead the Internet of Things security project, completed an IoT: Medical Devices attack surface overview, and created the Game Security project."
|-
|Dhiraj Mishra
|'''''Best Innovator'''''

"Dhiraj is one of the top contributor in OWASP Cheat Sheet Project, which have security guidance in an easy read format, his contribution for SQL Injection WAF Bypass and XSS Evasion - OWASP, was mostly recommended and used by Cyber Security professional, dhiraj has contributed to Benchmark project by contributing SQLi/XSS fuzz vectors as initial contribution towards adding support for WAF/RASP scoring and many such projects."
|-
|Bernhard Mueller
|'''''Best Innovator'''''
"During the last 18 months Bernhard has been spearheading the OWASP Mobile Testing Guide Project. He has invested several man-months of writing, editing, reviewing, rallying authors, and pushing the project into new directions. This also resulted in the novel agile book writing process and book production pipeline which enables OWASP to produce a professional tech book. The project has produced a security standard and early-release ebook, and is on track become one of OWASP's main flagship projects."
|-
|Steve Springett
|'''''Best Innovator'''''
"Steve's work on dependency-track is fantastic - he's moved forward to address the next round of issues, with an innovative solution all companies can leverage."
|-
|thc202
|'''''Best Innovator'''''
"Simon Bennets "wingman" in the ZAP project, by now even the top committer in the project! (<nowiki>https://github.com/zaproxy/zaproxy/graphs/contributors</nowiki>) So "unsung of" that I do not even know his real name!"
|}

==Results==
Coming July 25, 2017

==Sponsorship Opportunities==
The support from our sponsors, is what makes these awards truly successful!

Sponsorships coming soon!

==Communication==
# June 7, 2017 Email to the Leaders & Community list. Posted to the OWASP [https://owasp.blogspot.com/2017/06/nominations-are-now-being-accepted-for.html Blog]
# June 30, 2017 Email to the Leaders & Community list.
# July 5, 2017 Email to the Nominees
# July 5, 2017 Email to the Leaders & Community list, and Blog post announcing the nominees have been announced.

=='''Past WASPY Awards'''==
[https://www.owasp.org/index.php/WASPY_Awards_2016 2016] 
[https://www.owasp.org/index.php/WASPY_Awards_2015 2015] 
[https://www.owasp.org/index.php/WASPY_Awards_2014 2014] 
[https://www.owasp.org/index.php/WASPY_Awards_2013 2013] 
[https://www.owasp.org/index.php/WASPY_Awards_2012 2012]

2016-08-05T16:30:40Z

Owen Pendlebury:

User:Owen Pendlebury

2016-08-05T14:54:29Z

Owen Pendlebury:

User:Owen Pendlebury

2016-08-05T14:41:39Z

Owen Pendlebury:

WASPY Awards 2016

2016-08-03T14:02:23Z

Owen Pendlebury: Updated profile link

[[File:WASPY 2016 Banner.jpg]]
 
'''Web Application Security People of the Year Awards 2016'''

=='''Timeline'''==
June 7, 2016 - Call for Nominees Opens! CLOSED 
June 20, 2016 - [https://www.owasp.org/index.php/2016_Membership_Drive_April_1_-_June_20 Paid Membership] Deadline. Not sure if you are a member? [https://docs.google.com/spreadsheets/d/1iabh7RrMMRQce0cDQsv_GdQtSKz4G9ISan9svfn_6kE/edit?usp=sharing Check Here ] 
July 28, 2016 - Call for Nominees CLOSED 
July 29, 2016 - Announcement of Nominees per Category to the Community 
August 5, 2016 - Deadline for Nominee Profile Picture and Bio to be created and added to the nominees Citation 
August 10, 2016 - Voting Opens 
August 24, 2016 - Voting Closes 
August 25, 2016 - Winners are Notified 
August 25, 2016 - Announcement of Winners to the Community 
October 13/14, 2016 - Award Ceremony at AppSecUSA 2016 in Washington, DC 

=='''Purpose of the Awards'''==
Each year there are many individuals who do amazing work, dedicating countless hours to share, improve, and strengthen the OWASP mission. Some of these individuals are well known to the community while others are not.
 
 
'''The purpose of these awards is to bring recognition to those who "FLY UNDER THE RADAR". These are the individuals who are passionate about OWASP, who contribute hours of their own free time to the organization to help improve the cyber-security world, yet seem to go unrecognized.'''
 
 
Community members are able to nominate 1 individual per category (see Categories below) who they feel best fits these descriptions so that, as a community, we can recognize these people for their contributions. We are tying in the WASPY Awards to help identify and recognize individuals who demonstrate our core values and annual report theme of ''Leading - Learning - Sharing - Growing''. We value your input and consideration for nominations in the categories below.
 

=='''Categories'''==
1. '''Open/Leading''' - Everything at OWASP is radically transparent – from our finances to our code. This award goes to a member of the OWASP community who has supported the OWASP mission of transparency through their influence, management, and leadership in the community. This might be a chapter or project leader or may be someone who has worked within the community.
 

2. '''Integrity/Learning''' - OWASP is an honest and truthful, vendor neutral, global community. This award goes to an individual who recognizes the benefits of the power of the collective community within OWASP, who challenges the status quo, and generates an excitement in the learning community.
 
 
3. '''Innovation/Sharing''' - OWASP encourages and supports innovation and experiments for solutions to software security challenges. This award goes to an individual who has inspired and encouraged others in the arena of software security with innovative and cutting edge solutions to software security challenges.
 
 
4. '''Global/Growing''' - Around the world, OWASP encourages and supports innovation and experiments for solutions to software security challenges. This award goes to an individual who truly represents the OWASP Global scope and recognizes the importance of growth. The nominee reaches out beyond the OWASP circle to raise awareness of software security in locations outside of the OWASP comfort zone.
 
=='''And the Nominees Are...'''==
{| border="1" cellpadding="2"
! scope="col" align="center" width="150" | Name
! scope="col" align="center" width="800" | Category & Citation
|-
|align="center"|Tony Clarke||align="center"|'''Open/Leading Category''' Tony has been nominated 2 times for this category. '''Citation 1'''Tony has recently volunteered in the Dublin (Ireland) chapter and more recently been voted in as chapter leader. From his initial efforts, Tony has completely transformed this stagnant chapter and has already in just a few months re-organised the chapter and opened it up to the many volunteers who want to be involved. Running initiatives such as 'Women in Appsec', Tony has helped increase meeting attendances and the Dublin board now consists of nearly 20 individuals. Tony has embraced the open, transparency and inclusiveness side of owasp and is an inspiration to many. 
'''Citation 2''' I would like to Nominate Tony Clarke for this award. He has been on the OWASP board in Dublin since November 2015 and there have been massive changes within the chapter since then. Tony has transformed the Dublin Chapter and has been recently elected as Dublin Chapter Lead with a landslide victory.I have been attending OWASP events since 2012 and over the past 8 months it is visible of the impact Tony and OWASP are having within the local Dublin security security community.Previously, events were sporadic and occurred every few months. There was never an organised schedule of events. Communication of the events were also poor. With Tony on board, this has changed. Events are now at the end of each month and are organised on a scheduled basis. Communication has improved and with extra social media interaction, OWASP events are now more visible than before.At the end of May the Chapter hosted an event focusing on Women In Security. Keynote speakers such as Jane Frankland, Jacky Fox, local women involved in the security community presented at the event.Everyone left the event feeling motivated. My partner who is a science graduate attended the event with me. She left the event wanting to work in Security and has since begun the enrollment into a Security Conversion Masters in UCD. This is the sort of impact which Tony's work is having on the people of Dublin.The OWASP Dublin chapter previously had 40-50 people MAX at events. It was the same people always. There were 200+ people in attendance at the Women In Security event in May. This sort of attendee never been seen before at a local chapter meeting in Dublin.I believe that this attendance peaked because of Tony's drive to engage the security community in Dublin. Tony organised contacts in universities and large multinational organisations to send email communication to Dublin staff'students. His aim to get more women studying technology or working in technology companies engaging with the security community in Dublin. Tony is leaving no stone un-turned to make OWASP Dublin to success within the community.As a committee member of OWASP Dublin I know that Tony is now reaching out to work with local education bodies such as Smart futures (Science Foundation Ireland) Dublin Institute of Technology, ISACA and Science Gallery. He has brought a plan to our chapter and given us a goal this year to collaborate with education bodies to try sell our security industry to people in education. This is not limited to 3rd level, but also primary and secondary. Tony is leading this initiative and it would not happen without him.I found out about these awards as Tony is trying to improve the open-ness of the Dublin chapter. He is encouraging the community to post this sort of communications to the social media platforms such as facebook, twitter, linked-in.Based on above, Tony has demonstrated that he is not in this for the title or limelight but for the good of the community. He is a leader who is willing to listen and wants to delegate if any OWASP committee member are willing to take on a task. Like any good leader, if he does not have anyone available to do a task, he does it himself.OWASP Dublin Chapter has only been under the leadership of Tony Clarke for two months. We have been enjoying success since Tony first attended a board meeting in 2015. Tony is having major impact within Dublin. I encourage you to strongly consider Tony for this award as he has done great things for us here in Dublin and his leadership is going from strength to strength.
|-
|align="center"|Jeremy Long||align="center"|'''Open/Leading Category''' Jeremy wrote a tool, donated it to OWASP and in 2016 it because on of the OWASP Flagship projects. He is not noisy or gets a lot of attention, but every morning before work - Jeremy works on the OWASP Dependency Check. Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. Currently Java and .NET are supported; additional experimental support has been added for Ruby, Node.js, Python, and limited support for C/C++ build systems (autoconf and cmake). The tool can be part of a solution to the OWASP Top 10 2013 A9 - Using Components with Known Vulnerabilities.
|-
|align="center"|[https://www.owasp.org/index.php/John_Patrick_Lita John Patrick Lita]||align="center"|'''Open/Leading Category''' An outstanding volunteer doing an amazing job in the Asia region to promote OWASP projects and materials, reaching a big audience through his outreach program on universities, government institutions and schools on the Philippines. OWASP is not very well know in this part of the Globe and by promoting it, he is creating awareness about application security
|-
|align="center"|[https://www.owasp.org/index.php/User:Owen_Pendlebury Owen Pendlebury]||align="center"|'''Open/Leading Category''' Owen has been involved in the OWASP Foundation since 2009. He started out attending OWASP Dublin meetings and helping to facilitate chapter meetings and security workshops. Eventually, he took on the role of Dublin board member and then chapter lead a couple of years later. He has been an extremely active member of the security community and has strived to help drive and improve security best practice at a Global level through his commitment to the OWASP foundation. Owen has been an active and dedicated chapter leader, who has organised regular activities for the OWASP Dublin chapter that benefit the local information security community greatly over the past 6.5 years. Some of the projects that Owen has been involved in include, AppSec EU 2016 Committee/ Training Committee, AppSec EU 2017 successful bid, DaggerCon, Cyber Startup Summit, Source Dublin, Advanced Threat Intelligence Seminars and numerous security workshops.Owen has over 6.5 years’ penetration testing, working as part of a global attack & penetration team for a number organisations including a “Big 4” professional services company. With in-depth experience of application and network penetration testing Owen has worked with many local and global institutions to improve their security posture. Owen is currently a manager in Deloitte Ireland. Owen has also been involved in local education bodies, architecting a masters in cyber security and helping a number of students and experienced individuals find their way in to the security community by making himself available to through all media.
|-
|align="center"|Kathy Thaxton||align="center"|'''Open/Leading Category''' Kathy Thaxton has been THE key leader for SnowFROC for many years. As with most regional conferences, everyone involved has a day job and nobody's got a lot of spare time to do what must be done.
Kathy has somehow found time whenever she's been asked, and has done the lion's share of the work required to organize SnowFROC.
For SnowFROC 2016 we had the usual chaotic first planning meeting where several of us gathered at a pub to see which of us would be able to commit time & to identify potential roles. Everybody left that meeting with action-items. Shortly thereafter, Kathy emailed the rest of us to inform us that she had: drafted a budget,drafted a planning schedule,identified primary & alternate venues,identified primary & competing caterers,reached out to some legendary speakers & gotten tentative commitments,reached out to several vendors & gotten tentative sponsorship commitments, and,identified a good source of volunteers for setup, event day, and tear-down. In other words, Kathy Thaxton had done most of the "heavy lifting" within days of the initial planning meeting! Like previous SnowFROC's, SnowFROC 2016 was attended by Coloradans for the most part, but as with most years we had attendees from Arizona, Utah, Wyoming, and New York. SnowFROC had about 200 attendees, with a mix of ITSec operators, QA/testers, Developers, Auditors, & Managers for all of the above. None of this would have happened without Kathy Thaxton's involvement. Her tact, initiative, cheerfulness, and exceptional organizational skills allowed the rest of the planning committee to focus on things like establishing the curriculum, including a day-long hands-on workshop. Kathy's contribution was so profound and her reputation for organizing a FUN, well-planned, LEARNING event is so great that the local Cloud Security Alliance went out of their way to request her participation on their planning committee for a regional event they're hosting later this year. I attended yesterday's Cloud Security Alliance meeting, and whereas AppSec in the Cloud has been an afterthought at most CSA meetings, it was front-and-center yesterday as the Chapter Leaders asked their members what tracks/topics they'd be most interested in for their upcoming event. That is DEFINITELY reach OUTSIDE of the OWASP community, and again would not have happened without Kathy's stellar achievements at SnowFROCs.
|-
|align="center"|[http://owasp.org/index.php/Dhiraj_Mishra Dhiraj Mishra]||align="center"|'''Open/Leading Category''' Core Team Member in [https://www.owasp.org/index.php/Category:India AppSec India 2016]
* The [http://owasp.org/index.php/Mumbai_Student_Chapter Mumbai Student Chapter] Leader making student endorse in Information Security and Spreading Idea and Awareness via Chapter Meets.
* Helping and Speaking Initiatives in [https://www.owasp.org/index.php/Mumbai OWASP Local Chapter Meet Mumbai] with chapter leader Narenda Choyal.
|-
|align="center"|Tom Brennan Honorable Mention||align="center"|Tom was nominated for the '''Open/Leading Category'''. Per the WASPY Award rules, board members are not eligible. Tom is a current board member and therefore he is not eligible for the award.
|-
|align="center"|[http://owasp.org/index.php/Dhiraj_Mishra Dhiraj Mishra]||align="center"|'''Integrity/Learning Category''' [https://www.owasp.org/index.php/OWASP_Trainers_Database Call_For_Trainers] in OWASP Mumbai, India , being in Trainers DB , Dhiraj have taken ton's of free Session's to Mumbai Cop's , Navi Mumbai Cyber Cell , Thane Cyber Cell and many other's.
|-
|align="center"|[https://www.owasp.org/index.php/John_Patrick_Lita John Patrick Lita]||align="center"|'''Open/Leading Categor'''y An outstanding volunteer doing an amazing job in the Asia region to promote OWASP projects and materials, reaching a big audience through his outreach program on universities, government institutions and schools on the Philippines. OWASP is not very well know in this part of the Globe and by promoting it, he is creating awareness about application security
|-
|-
|align="center"|Steve Kosten||align="center"|'''Integrity/Learning Category''' Steve Kosten is the Denver Chapter Leader. For the past year, Steve has built community and fostered AppSec learning within Colorado. Before Steve joined the Denver OWASP Board, the Chapter was averaging 2 meetings per year attended by about 15 people. After 1 year on the board there had been 6 meetings with a high-water mark of 50 attendees. Since Steve has become Chapter Leader, attendance is >75 for the 4+ meetings each year. This is directly attributable to Steve's selection of top-quality speakers and an exceptional partnership with a local vendor who provides venue & catering, all in exchange for a simple "thank you" and round of applause. As a SANS AppSec Instructor, Steve is an AppSec expert who has cheerfully shared his expertise with attendees. Steve is a selfless leader who has profoundly improved the Denver OWASP Chapter and become a highly sought-after resource in this community.
|-
|align="center"|Eoin Keary||align="center"|'''Integrity/Learning Category''' Eoin gives up his free time to run free security training sessions within the community in Dublin. He is dedicated to spreading the OWASP message within Dublin. He is working within the community for the good of OWASP . Eoin is a committee member and does not have any "board" level title. He is giving to the community and is demonstrating that he does not expect anything in return. Eoin is a role model within our Dublin Chapter
|-
|align="center"|[https://www.owasp.org/index.php/User:Owen_Pendlebury Owen Pendlebury]||align="center"|'''Integrity/Learning Category''' Owen has been involved in the OWASP Foundation since 2009. He started out attending OWASP Dublin meetings and helping to facilitate chapter meetings and security workshops. Eventually, he took on the role of Dublin board member and then chapter lead a couple of years later. He has been an extremely active member of the security community and has strived to help drive and improve security best practice at a Global level through his commitment to the OWASP foundation. Owen has been an active and dedicated chapter leader, who has organised regular activities for the OWASP Dublin chapter that benefit the local information security community greatly over the past 6.5 years. Some of the projects that Owen has been involved in include, AppSec EU 2016 Committee/ Training Committee, AppSec EU 2017 successful bid, DaggerCon, Cyber Startup Summit, Source Dublin, Advanced Threat Intelligence Seminars and numerous security workshops. Owen has over 6.5 years’ penetration testing, working as part of a global attack & penetration team for a number organisations including a “Big 4” professional services company. With in-depth experience of application and network penetration testing Owen has worked with many local and global institutions to improve their security posture. Owen is currently a manager in Deloitte Ireland. Owen has also been involved in local education bodies, architecting a masters in cyber security and helping a number of students and experienced individuals find their way in to the security community by making himself available to through all media.
|-
|align="center"|[https://www.owasp.org/index.php/Dhiraj_Mishra Dhiraj Mishra]||align="center"|'''Innovation/Sharing Category''' Past Contributor in [http://owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet The Popular XSS Filter Evasion Cheat Sheet] where as ,This article is focused on providing application security testing professionals with a guide to assist in Cross Site Scripting testing.
* Lead of [https://www.owasp.org/index.php/SQL_Injection_Bypassing_WAF SQLi WAF Bypass] a very helpful cheat sheet which consists of A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete),recommended by many Security Researcher's.
*Contributor in [https://www.owasp.org/index.php/Benchmark OWASP Benchmark],contributed SQLi/XSS fuzz vectors as initial contribution towards adding support for WAF/RASP scoring. Many Thanks to [https://www.owasp.org/index.php/Benchmark#tab=Acknowledgements '''Dave Wichers''']
|-
|align="center"|[https://www.owasp.org/index.php/John_Patrick_Lita John Patrick Lita]||align="center"|'''Open/Leading Category''' An outstanding volunteer doing an amazing job in the Asia region to promote OWASP projects and materials, reaching a big audience through his outreach program on universities, government institutions and schools on the Philippines. OWASP is not very well know in this part of the Globe and by promoting it, he is creating awareness about application security
|-
|align="center"|Mark Major||align="center"|'''Innovation/Sharing Category''' Mark Major did a LOT of HARD work to ensure that AppSecUSA was a success in Denver. He has consulted with his Chapter and worked with OWASP to try to take the Chapter to the next level. Specifically, his research into using some of the proceeds from his efforts at AppSecUSA to establish an AppSec HackerSpace is both innovative and well overdue.
|-
|align="center"|[https://www.owasp.org/index.php/User:Owen_Pendlebury Owen Pendlebury]||align="center"|'''Innovation/Sharing Category''' Owen has been involved in the OWASP Foundation since 2009. He started out attending OWASP Dublin meetings and helping to facilitate chapter meetings and security workshops. Eventually, he took on the role of Dublin board member and then chapter lead a couple of years later. He has been an extremely active member of the security community and has strived to help drive and improve security best practice at a Global level through his commitment to the OWASP foundation. Owen has been an active and dedicated chapter leader, who has organised regular activities for the OWASP Dublin chapter that benefit the local information security community greatly over the past 6.5 years. Some of the projects that Owen has been involved in include, AppSec EU 2016 Committee/ Training Committee, AppSec EU 2017 successful bid, DaggerCon, Cyber Startup Summit, Source Dublin, Advanced Threat Intelligence Seminars and numerous security workshops.Owen has over 6.5 years’ penetration testing, working as part of a global attack & penetration team for a number organisations including a “Big 4” professional services company. With in-depth experience of application and network penetration testing Owen has worked with many local and global institutions to improve their security posture. Owen is currently a manager in Deloitte Ireland. Owen has also been involved in local education bodies, architecting a masters in cyber security and helping a number of students and experienced individuals find their way in to the security community by making himself available to through all media.
|-
|align="center"|[http://owasp.org/index.php/Dhiraj_Mishra Dhiraj Mishra]||align="center"|'''Global/Growing Category''' * [https://www.owasp.org/index.php/About_OWASP/Bug_Bounty/WOF '''OWASP Wall Of Fame''']
|-
|align="center"|[https://www.owasp.org/index.php/John_Patrick_Lita John Patrick Lita]||align="center"|'''Global/Growing Category''' An outstanding volunteer doing an amazing job in the Asia region to promote OWASP projects and materials, reaching a big audience through his outreach program on universities, government institutions and schools on the Philippines. OWASP is not very well know in this part of the Globe and by promoting it, he is creating awareness about application security
|-
|align="center"|Kathy Thazton||align="center"|'''Global/Growing Category''' Kathy Thaxton has been THE key leader for SnowFROC for many years. As with most regional conferences, everyone involved has a day job and nobody's got a lot of spare time to do what must be done.
Kathy has somehow found time whenever she's been asked, and has done the lion's share of the work required to organize SnowFROC.
For SnowFROC 2016 we had the usual chaotic first planning meeting where several of us gathered at a pub to see which of us would be able to commit time & to identify potential roles.Everybody left that meeting with action-items.Shortly thereafter, Kathy emailed the rest of us to inform us that she had: drafted a budget,drafted a planning schedule,identified primary & alternate venues,identified primary & competing caterers,reached out to some legendary speakers & gotten tentative commitments,reached out to several vendors & gotten tentative sponsorship commitments, and,identified a good source of volunteers for setup, event day, and tear-down.In other words, Kathy Thaxton had done most of the "heavy lifting" within days of the initial planning meeting!Like previous SnowFROC's, SnowFROC 2016 was attended by Coloradans for the most part, but as with most years we had attendees from Arizona, Utah, Wyoming, and New York.SnowFROC had about 200 attendees, with a mix of ITSec operators, QA/testers, Developers, Auditors, & Managers for all of the above.None of this would have happened without Kathy Thaxton's involvement. Her tact, initiative, cheerfulness, and exceptional organizational skills allowed the rest of the planning committee to focus on things like establishing the curriculum, including a day-long hands-on workshop.Kathy's contribution was so profound and her reputation for organizing a FUN, well-planned, LEARNING event is so great that the local Cloud Security Alliance went out of their way to request her participation on their planning committee for a regional event they're hosting later this year.I attended yesterday's Cloud Security Alliance meeting, and whereas AppSec in the Cloud has been an afterthought at most CSA meetings, it was front-and-center yesterday as the Chapter Leaders asked their members what tracks/topics they'd be most interested in for their upcoming event.That is DEFINITELY reach OUTSIDE of the OWASP community, and again would not have happened without Kathy's stellar achievements at SnowFROCs.
|-
|align="centre"|[https://www.owasp.org/index.php/User:Owen_Pendlebury Owen Pendlebury]||align="center"|'''Global/Growing Category''' Owen has been involved in the OWASP Foundation since 2009. He started out attending OWASP Dublin meetings and helping to facilitate chapter meetings and security workshops. Eventually, he took on the role of Dublin board member and then chapter lead a couple of years later. He has been an extremely active member of the security community and has strived to help drive and improve security best practice at a Global level through his commitment to the OWASP foundation. Owen has been an active and dedicated chapter leader, who has organised regular activities for the OWASP Dublin chapter that benefit the local information security community greatly over the past 6.5 years. Some of the projects that Owen has been involved in include, AppSec EU 2016 Committee/ Training Committee, AppSec EU 2017 successful bid, DaggerCon, Cyber Startup Summit, Source Dublin, Advanced Threat Intelligence Seminars and numerous security workshops. Owen has over 6.5 years’ penetration testing, working as part of a global attack & penetration team for a number organisations including a “Big 4” professional services company. With in-depth experience of application and network penetration testing Owen has worked with many local and global institutions to improve their security posture. Owen is currently a manager in Deloitte Ireland.Owen has also been involved in local education bodies, architecting a masters in cyber security and helping a number of students and experienced individuals find their way in to the security community by making himself available to through all media.
|}

== '''Rules'''==
'''Remember the purpose of these awards is to recognize the UNSUNG HEROS out there, that are barely recognized for their contributions to the OWASP Foundation.'''
 
1. [https://www.owasp.org/index.php/About_OWASP#2015_Global_Board_Members Board members] may not be nominated
 
2. [https://www.owasp.org/index.php/About_OWASP#Employees_and_Contractors_of_the_OWASP_Foundation Employees & Contractors] may not be nominated
 
3. You MUST be a [https://www.owasp.org/index.php/2016_Membership_Drive_April_1_-_June_20 Paid or Honorary member] to vote and your [https://docs.google.com/spreadsheets/d/1iabh7RrMMRQce0cDQsv_GdQtSKz4G9ISan9svfn_6kE/edit#gid=1961079767 membership] needs to be on file by June 20, 2016
 
4. All nominees will remain anonymous until July 11, 2016
 
5. Anyone can nominate an "unsung hero" who has contributed in some way to OWASP who they feel best fits each category
 
6. You may only nominate one person per category
 

=='''Eligible Voters'''==
Individuals who were members as of June 20, 2016 are eligible and are listed [https://docs.google.com/spreadsheets/d/1iabh7RrMMRQce0cDQsv_GdQtSKz4G9ISan9svfn_6kE/edit#gid=1961079767 here]. Please take a minute to verify your name is on the list. If you are '''NOT''' on the list and believe you should be, then you should '''[https://www.tfaforms.com/308703 contact us immediately]'''

=='''Sponsorship Opportunities'''==
Coming Soon!

The support from our sponsors, is what makes these awards truly successful!

=='''Communication'''==
June 7, 2016 [https://twitter.com/owasp/status/740236956550959104 Twitter], [https://www.facebook.com/groups/owaspfoundation/permalink/1004714156315924/ Facebook], [https://www.linkedin.com/groups/36874/36874-6146003139049906179 LinkedIn], [https://plus.google.com/116933056486234813396/posts/7AktQkr9y5c Google+], [http://owasp.blogspot.com/2016/06/2016-waspy-awards.html OWASP Blog].

=='''Past WASPY Awards'''==
[https://www.owasp.org/index.php/WASPY_Awards_2015 2015] 
[https://www.owasp.org/index.php/WASPY_Awards_2014 2014] 
[https://www.owasp.org/index.php/WASPY_Awards_2013 2013] 
[https://www.owasp.org/index.php/WASPY_Awards_2012 2012]

User:Owen Pendlebury

2016-08-03T13:57:20Z

Owen Pendlebury: Update

2016-04-01T12:16:33Z

Owen Pendlebury: Hugh Jones - OWASP Dublin Chapter Meeting

Hugh Jones - OWASP Dublin Chapter Meeting