https://wiki.owasp.org/api.php?action=feedcontributions&user=Martinknobloch&feedformat=atomOWASP - User contributions [en]2024-03-29T01:48:11ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=GEC_Agenda_2010-08-25&diff=88008GEC Agenda 2010-08-252010-08-25T22:20:38Z<p>Martinknobloch: </p>
<hr />
<div>{| style="width:90%" border="0" cellpadding="0" align="center"<br />
|-<br />
| style="width:100%" valign="middle" height="30" bgcolor="white" align="center" colspan="2" | <br />
'''Please see [[:Category:GEC Meetings|GEC Meetings]] for previous GEC Meetings Agenda and the Dial-In details''' <br />
<br />
|}<br />
<br />
{| style="width:90%" border="0" cellpadding="0" align="center"<br />
|-<br />
| style="width:100%" valign="middle" height="30" bgcolor="#7b8abd" align="center" colspan="2" | '''AGENDA - August 25th, 2010'''<br />
|-<br />
| style="width:50%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Item/Issue''' <br />
| style="width:50%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Decisions/Comments Made'''<br />
|-<br />
| style="width:100%" valign="middle" height="30" bgcolor="#cccccc" align="center" colspan="2" | '''Current Meeting'''<br />
|-<br />
| valign="middle" bgcolor="#EEEEEE" align="left" colspan="0" | <br />
*Sebastien <br />
**he is busy with an OWASP training day in Paris, scheduled for 2011 Jan/Feb <br />
**there is still an open question about French speakers; material in English should not be a problem<br />
<br />
*Eduardo<br />
**He is busy with Educational material <br />
**in Brazil it's hard to reach the universities, therefore he is trying to reach out via the companies<br />
**he is working on a project about the correlation between the economic growth of the BRICs and the increase in cyber crime. As a result, a new OWASP Project will be proposed for 2011 in order to allow people to use the Educational Resources to make more secure software and also to use software in a more secure fashion<br />
<br />
*Martin <br />
**He is busy with organizing the BeNeLux day, scheduled for December 2010<br />
**the meeting will be two days: the first a training day and the second a conference<br />
**in the Netherlands, it's hard to reach the universities, too.<br />
**The CTF project (current CTF application) has been used at the OWASP AppSec-Eu 2010 and will be used for the<br />
<br />
| valign="middle" bgcolor="#EEEEEE" align="left" colspan="0" | <br />
&nbsp;Sebastien will ping Paulo in September to setup the Paris Training Pages <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
<br> <br />
<br />
|-<br />
| valign="middle" bgcolor="#EEEEEE" align="left" colspan="0" | <br />
| valign="middle" bgcolor="#EEEEEE" align="left" colspan="0" | <br />
|-<br />
| style="width:100%" valign="left" height="30" bgcolor="#7b8abd" align="center" colspan="2" | '''Meeting Attendance'''<br />
|-<br />
| valign="middle" height="30" bgcolor="#EEEEEE" align="left" colspan="0" | <br />
Attending:<br />
*Dinis Cruz <br />
*Eduardo Neves <br />
*Sebastien Gioria <br />
*Martin Knobloch<br />
<br />
| valign="left" height="30" bgcolor="#EEEEEE" align="left" colspan="0" | <br />
Not Attending:<br />
*Kuai Hinjosa <br />
*Mano Paul<br />
*Cecil Su<br />
*Fabio Cerullo (showed up late ;-) )<br />
*Andrzej Targosz<br />
*Nishi Kumar<br />
|-<br />
| style="width:100%" valign="middle" height="30" bgcolor="#7b8abd" align="center" colspan="2" | '''Meeting Notes'''<br />
|-<br />
| valign="middle" height="30" bgcolor="#EEEEEE" align="left" colspan="2" | <br />
|}<br />
<br />
__NOTOC__ <br />
<br />
[[Category:GEC_Meetings]]</div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Netherlands&diff=87594Netherlands2010-08-13T11:16:30Z<p>Martinknobloch: </p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br> <br />
<br />
==== Local News ====<br />
=== Workshop Google Hacking ===<br />
We have a special OWASP meeting around HITB!<br />
<br />
Christian Heinrich, from OWASP Australia and project lead of the OWASP Google Hacking Project, is speaking at the HITB conference. <br />
He is willing to give a Google Hacks and Skipfish workshop:<br><br />
* http://www.owasp.org/index.php/Category:OWASP_Google_Hacking_Project<br />
* http://www.owasp.org/index.php/Testing:_Search_engine_discovery/reconnaissance_%28OWASP-IG-002%29<br />
* http://www.owasp.org/index.php/Testing:_Spiders,_Robots,_and_Crawlers_%28OWASP-IG-001%29<br />
<br />
Please see tab "Chapter Meetings" for more details. <br />
This will take place June 30th:<br />
<br />
Location:<br />
Sogeti Nederland<br />
Wildenborch 3 <br />
1112 XB Diemen<br />
<br />
=== HITB 2010 Amsterdam ===<br />
The FIRST EVER HITBSecConf in Europe, HITBSecConf 2010 - Amsterdam takes place at the NH Grand Krasnapolsky from the 29th of June till the 2nd of July with a QUAD TRACK line up!<br />
<br />
OWASP members get a special offer:<br><br />
OWASP MEMBERS SAVE EUR200 OFF THE CONFERENCE PRICE!!! <br><br />
EUR699 instead of EUR899. This offer is limited to the first 50 registrations.<br><br />
OWASP members are encouraged to register as soon as possible to avoid disappointment.<br><br />
Please supply your OWASP membership ID when registering!<br><br />
<br />
Conference Website: http://conference.hitb.org/hitbsecconf2010ams/<br><br />
29th & 30th June - Hands on Technical Training Sessions <br />
<br />
==== Chapter Meetings ====<br />
<br />
== 2010 Schedule ==<br />
<br />
*March 11th, 18:00 - 21:30 Topic: Database Security<br />
*May 20th, 18:00 - 21:30 Topic: Web Application Firewalls <br />
*June 30th, 18:00 - 21:00 Workshop Google Hacks & Skipfish<br />
*September 23rd, 18:00 - 21:30 Topic: Security in Content Management Systems <br />
*November 18th, 18:00 - 21:30 Topic: TBD<br />
<br />
<br><br />
<br />
== REGISTRATION ==<br />
<br />
To register for a chapter meeting (first come, first served), please '''send an email''' to: [mailto:netherlands@owasp.org netherlands 'at' owasp.org].<br />
<br />
== Workshop Google Hacks & Skipfish (June 30th 2010)==<br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
Sogeti Nederland B.V.<br> Wildenborch 3<br> 1112 XB Diemen <br> <br />
| width="650" | <br />
[[Image:Logo_Sogeti.jpg|200px]] <br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Opening (OWASP organization, projects, sponsor)</b><br><br />
<b>18:45 - 19:00 Break</b><br><br />
<b>19:00 - 21:00 Workshop Google Hacking & Skipfish</b><br><br />
<b>21:00 - 21:30 Discussion, questions and social networking</b><br />
<br />
===Bios===<br />
<br />
Christian Heinrich is the Project Leader of the OWASP "Google Hacking" Project i.e. "Download Indexed Cache" and has contributed to the "Spiders/Robots/Crawlers" and "Search Engine Reconnaissance" sections of the OWASP Testing Guide v3 and more recently to the development of the OWASP Top Ten and Application Security Verification Standard (ASVS) OWASP Projects.<br />
He has presented at OWASP Conferences in USA, Australia and Europe and OWASP Chapters in London, UK and Sydney and Melbourne, Australia.<br><br />
<br />
<u>Google Hacking:</u><br />
<br />
Google Hacks is a compilation of carefully crafted Google searches that expose novel functionality from Google's search and map services. For example, you can use it to view a timeline of your search results, view a map, search for music, search for books, and perform many other specific kinds of searches. You can also use this program to use Google as a proxy.<br><br />
<br />
<u>Skipfish:</u><br />
<br />
A fully automated, active web application security reconnaissance tool.<br />
Key features:<br />
* High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets.<br />
* Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.<br />
* Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.<br><br />
<br />
<u> The relevant links: </u><br />
* http://www.owasp.org/index.php/Category:OWASP_Google_Hacking_Project<br />
* http://www.owasp.org/index.php/Testing:_Search_engine_discovery/reconnaissance_%28OWASP-IG-002%29<br />
* http://www.owasp.org/index.php/Testing:_Spiders,_Robots,_and_Crawlers_%28OWASP-IG-001%29<br />
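As an added example (not part of this chapter page, of the OWASP Google Hacking Project, or of Skipfish), the script below shows the kind of check the "Spiders, Robots, and Crawlers" section of the Testing Guide linked above describes: reading a site's robots.txt and listing the paths it asks crawlers to stay out of, grouped per user-agent, so a tester can look at them by hand. The robots.txt text is constructed here so the script runs offline; the helper names are this example's own.<br />

```python
"""Review a robots.txt the way the Testing Guide's crawler/robots check
suggests: list what the site hides from crawlers, per user-agent.
Added example; SAMPLE_ROBOTS is constructed, not taken from a real site."""
from __future__ import annotations

SAMPLE_ROBOTS = """# constructed sample robots.txt
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/

User-agent: Googlebot
Disallow: /internal-reports/
Sitemap: https://www.example.com/sitemap.xml
"""


def parse_robots(text: str) -> dict:
    """Return {'groups': {agent: {'disallow': [...], 'allow': [...]}},
    'sitemaps': [...]}.

    A record is one or more consecutive User-agent lines followed by its
    Allow/Disallow rules; a User-agent line after rules starts a new record.
    '#' comments are stripped and field names are matched case-insensitively.
    """
    groups: dict[str, dict[str, list[str]]] = {}
    sitemaps: list[str] = []
    current_agents: list[str] = []
    reading_agents = True  # True while inside a run of User-agent lines

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()

        if field == "sitemap":
            sitemaps.append(value)
        elif field == "user-agent":
            if not reading_agents:
                current_agents = []  # rules already seen: new record begins
                reading_agents = True
            current_agents.append(value)
            groups.setdefault(value, {"disallow": [], "allow": []})
        elif field in ("disallow", "allow"):
            reading_agents = False
            if not value:
                continue  # an empty Disallow means "nothing is disallowed"
            for agent in current_agents:  # rules apply to every agent in the record
                groups[agent][field].append(value)
    return {"groups": groups, "sitemaps": sitemaps}


def candidate_paths(parsed: dict) -> list[str]:
    """Unique Disallow paths across all agents, in order of first appearance.
    robots.txt hides these from crawlers; it does not protect them, so each
    one is a lead for manual inspection."""
    seen: list[str] = []
    for rules in parsed["groups"].values():
        for path in rules["disallow"]:
            if path not in seen:
                seen.append(path)
    return seen


if __name__ == "__main__":
    result = parse_robots(SAMPLE_ROBOTS)
    for agent, rules in result["groups"].items():
        print(f"{agent}: disallow={rules['disallow']} allow={rules['allow']}")
    print("sitemaps:", result["sitemaps"])
    print("check by hand:", candidate_paths(result))
```

Against a live target the text would come from an HTTP GET of /robots.txt; the parser is deliberately lenient (unknown fields are skipped, rules before any User-agent are dropped) because real files are often sloppy and the point is reconnaissance, not strict compliance.<br />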
<br />
== Web Application Firewalls (May 20th 2010) ==<br />
=== WHEN ===<br />
May 20th 2010 (18:00 - 21:30). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
Location: http://www.setuputrecht.nl/ <br><br />
SETUP is located on the Neude square in Utrecht (Neude 4), in the new office of the Dutch Game Garden.<br><br />
(entrance at the back of the ABN AMRO building on "het Neude") <br><br />
[[Image:lokatie_setup_google.gif|200px]] <br><br />
| width="650" | <br />
[[Image:Setup_logo.jpg|200px]] <br><br />
<br />
[[Image:itq_logo.jpg|200px]] <br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 Web Application Firewalls in dynamic environments</b>(by Alexander Meisel)<br><br />
Alexander Meisel is the CTO of 'art of defence' (AOD), a German based software vendor. The company specializes in high performance deployments of Web Application Firewalls in very dynamic environments all over the world.<br />
<br />
Abstract:<br />
The current trend towards cloud computing forces everybody to deploy services in a virtual environment. In current dedicated environments, WAFs (Web Application Firewalls) are mostly deployed as a hardware (black) box, which is easy at first but limits them to low-performance web cluster architectures. Moving those systems, virtualized, into a cloud environment makes almost no sense because of the resource limitations.<br />
The solution is a redesign which enables WAFs to be part of a truly message-based cloud system. This talk explains how truly virtualized and distributed web applications are architected, work and scale in high-performance environments. <br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 - 21:00 Bypassing Web Application Firewalls </b>(by Sandro Gauci)<br><br />
Sandro Gauci is the owner and founder of EnableSecurity (www.enablesecurity.com), where he performs R&D and security consultancy for mid-sized companies. Sandro has over 9 years of experience in the security industry and is focused on the analysis of security challenges and providing solutions to such threats. His passion is vulnerability research, and he has previously worked together with various vendors such as Microsoft and Sun to fix security holes. Sandro is the author of the free VoIP security scanning suite SIPVicious (sipvicious.org) and of VOIPPACK for CANVAS.<br />
<br />
Abstract:<br />
WAFs or Web Application Firewalls are being deployed to fix security issues in your web applications. The question is, are they?<br />
In this presentation we take a look at some of the issues related to making use of this solution and how it may affect the overall security posture of your web application. Finally we will describe tools to automate detection of WAFs, and also tools to help identify ways to bypass WAFs. This presentation will include updates to the open source WAF security testing tools - WAFFIT. <br><br />
([[Media:2010-05-20_WAFs-Detecting, Bypassing, Exploiting Web Application Firewalls_Sandro Gauci.pdf|the slides in pdf format]])<br><br />
<b>21.00 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_May_20th_2010.pdf]]<br> <br />
<br />
== Database Security (Mar-11-2010) ==<br />
<br />
=== WHEN ===<br />
<br />
Thursday, March 11th, 2010 (18:00-21:30). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
ASR Nederland<br> <br> MD0.60 - Auditorium<br> Smallepad 30<br> 3811MG Amersfoort<br> <br />
<br />
| width="650" | <br />
[[Image:ASR Nederland logo.jpg|200px]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 SQL Injection - How far does the rabbit hole go?</b> (By Justin Clarke)<br><br />
<b>Justin Clarke</b> is a co-founder and Director at Gotham Digital Science, based in the United Kingdom. He has over twelve years of experience in assessing the security of networks, web applications, and wireless networks for large financial, retail, technology and government clients in the United States, the United Kingdom and New Zealand.<br />
Justin is the technical editor and lead author of “SQL Injection Attacks and Defense” (Syngress 2009), co-author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O’Reilly 2005), a contributing author to "Network Security Assessment: Know Your Network, 2nd Edition" (O’Reilly 2007), as well as a speaker at a number of conferences and events on security topics, including Black Hat USA, EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society. He is the author of the open source SQLBrute blind SQL injection testing tool, and is the Chapter Leader for the London chapter of OWASP.<br />
Abstract: SQL Injection has been around for over 10 years, and yet to this day it is still not truly understood by many security professionals and developers. With the recent mass attacks against sites across the world it has again come to the fore of vulnerabilities under the spotlight; however, many consider it to be only a data access issue, or parameterized queries to be a panacea.<br><br />
This talk starts from what was demonstrated last year at Black Hat in Las Vegas, where a self-propagating SQL Injection worm was demonstrated live on stage, and explores some of the deeper, darker areas of SQL Injection, hybrid attacks, and exploiting obscure database functionality.<br><br />
([[Media:OWASP-SQLInjection5nov09.pdf|the slides in pdf format]])<br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 – 20.30 VAC Insecure Direct Object Reference</b> (By Marinus Kuivenhoven)<br><br />
<b>Marinus Kuivenhoven</b> is a Senior Technology Specialist with Sogeti Nederland B.V., specializing in service-oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems. At Sogeti Nederland B.V. he is also an active member of the PaSS (Proactive Security Strategy) software taskforce, focusing on secure application development. Marinus also developed and teaches several application security courses, both within and outside Sogeti. In past years he has written for magazines such as Computable and We Love IT, and he has spoken at a number of conferences and events such as OWASP, Recent OO Trends, Open Source Developer Conference and Engineering World.<br />
<b>Vulnerability:</b> Insecure Direct Object Reference occurs when a web application exposes an internal implementation object to the user. Examples of internal implementation objects are database records, URLs, or files.<br><br />
<b>Attack:</b> An attacker can modify the reference to the internal implementation object in an attempt to bypass the access controls on that object. When this succeeds, the attacker gains access to data or functionality the developer never intended to expose.<br><br />
<b>Countermeasure:</b> References should be validated for authorization, and accessed through reference maps. How this should be done will be shown.<br><br />
([[Media:20100311_VAC-IDOR_Marinus Kuivenhoven.pdf|the slides in pdf format]])<br><br />
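The three parts of the VAC above, as an added worked example that is not part of the talk or its slides: a lookup that trusts the record id from the request (the vulnerability), the same lookup fenced by an ownership check, and a per-session reference map that hands the client random tokens instead of primary keys. The invoice store, user names and amounts are constructed for the example.<br />

```python
"""Insecure Direct Object Reference: the vulnerable lookup and two countermeasures.

Added illustration; the invoice store, owners and amounts below are constructed
sample data, not anything from the original talk.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample store. The integer primary key is exactly the "direct
# reference" an attacker tampers with (invoice_id=1001 -> 1002).
INVOICES: Dict[int, dict] = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 999.99},
}


def vulnerable_get_invoice(current_user: str, invoice_id: int) -> Optional[dict]:
    """Vulnerable: trusts the id from the request and never checks ownership.
    bob asks for invoice_id=1001 and reads alice's record."""
    return INVOICES.get(invoice_id)


def get_invoice_authorized(current_user: str, invoice_id: int) -> Optional[dict]:
    """Countermeasure 1: validate the reference against the caller's authorization.
    A missing record and a record owned by someone else both return None, so the
    response does not leak which ids exist."""
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != current_user:
        return None
    return record


@dataclass
class ReferenceMap:
    """Countermeasure 2: per-session indirect references.
    The client only ever sees unguessable tokens; real keys never leave the
    server, so there is nothing meaningful to tamper with."""
    _to_real: Dict[str, int] = field(default_factory=dict)
    _to_token: Dict[int, str] = field(default_factory=dict)

    def token_for(self, real_id: int) -> str:
        """Issue (or reuse) the session-local token for a real id."""
        tok = self._to_token.get(real_id)
        if tok is None:
            tok = secrets.token_urlsafe(16)
            self._to_token[real_id] = tok
            self._to_real[tok] = real_id
        return tok

    def resolve(self, token: str) -> Optional[int]:
        """Map a token back to a real id; unknown tokens resolve to nothing."""
        return self._to_real.get(token)


def list_invoices_indirect(current_user: str, refmap: ReferenceMap) -> List[str]:
    """Build the listing the user may see, handing out tokens rather than ids."""
    return [refmap.token_for(i) for i, r in INVOICES.items() if r["owner"] == current_user]


def get_invoice_indirect(current_user: str, refmap: ReferenceMap, token: str) -> Optional[dict]:
    """Resolve through the session map, then still apply the ownership check.
    The map only holds entries for objects this session was shown, and the
    second check is defence in depth should the map ever be shared."""
    real_id = refmap.resolve(token)
    if real_id is None:
        return None
    return get_invoice_authorized(current_user, real_id)


if __name__ == "__main__":
    print("vulnerable, bob reads 1001:", vulnerable_get_invoice("bob", 1001))
    print("authorized, bob reads 1001:", get_invoice_authorized("bob", 1001))
    session = ReferenceMap()
    tokens = list_invoices_indirect("alice", session)
    print("alice's tokens:", tokens)
    print("alice resolves her token:", get_invoice_indirect("alice", session, tokens[0]))
    print("alice tries a raw id as token:", get_invoice_indirect("alice", session, "1002"))
```

The reference map is keyed per session (create one `ReferenceMap` per logged-in session, not a global one); with a shared map the tokens would be as guessable as the ids they hide, which is why the ownership check stays in place even on the indirect path.<br />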
<b>20.30 – 21.15 Overlooked Resources and Practices</b> (By Justin Clarke)<br><br />
In his second presentation, Justin Clarke discussed OWASP resources and best practices by highlighting some OWASP projects and underused security practices. He shared his experiences in his daily work as well as the known pitfalls.<br><br />
([[Media:20100311_Overlooked_Resources_and _Practices-Justin_Clarke.pdf|the slides in pdf format]])<br><br />
<b>21.15 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_March_11th_2010.pdf]]<br> <br />
The flyer of this meeting: [[Media:Owasp_NL_march2010.pdf]] <br> <br />
<br />
== Past Events ==<br />
<br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
==== Call for Speakers ====<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community, and do you have presentation skills? Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a recurring part of the chapter meetings. The VAC is a half-hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
Interested in presenting at a local chapter meeting, please send an email to: netherlands 'at' owasp.org<br />
<br />
==== Call for Location ====<br />
For the OWASP Netherlands chapter meetings to come, we are continuously looking for locations!<br />
<br />
Preferably, the location is easily accessible by public transport and by car. Free parking should be provided.<br />
<br />
What do we expect:<br />
* meeting room for at least 50 people<br />
* lunch for attendees<br />
** drinks, sandwiches...<br />
* a small present for the speakers <br />
** (e.g. a bottle of wine; for speakers from abroad, alcohol might be less practical if flying in with hand luggage only)<br />
<br />
Interested in sponsoring a local chapter meeting, please send an email to: netherlands 'at' owasp.org<br />
<br />
==== Chapter Leaders ====<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[mailto:bert.koelewijn@owasp.org Bert Koelewijn], ASR <br />
*[mailto:ferdinand.vroom@owasp.org Ferdinand Vroom], Nationale Nederlanden<br />
*[mailto:martin.knobloch@owasp.org Martin Knobloch], Sogeti <br />
*[mailto:peter.gouwentak@owasp.org Peter Gouwentak], ING <br />
<br />
*[mailto:netherlands@owasp.org OWASP Netherlands], OWASP Netherlands board email address<br />
<br />
Our goal is to professionalize the local OWASP functioning, provide a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: target audiences, different events and interactions of OWASP global and local projects.<br />
<br />
==== Chapter Sponsoring ====<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. If you are interested in sponsoring the Netherlands chapter, please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
<br>If you would like to donate to our chapter, please use the PayPal link below. Thank you! <br />
<br />
<br><paypal>Netherlands</paypal> <br />
__NOTOC__<headertabs/></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=GEC_Agenda_2010-08-25&diff=87527GEC Agenda 2010-08-252010-08-11T22:42:28Z<p>Martinknobloch: Created page with '{| style="width:90%" border="0" cellpadding="0" align="center" |- | style="width:100%" valign="middle" height="30" bgcolor="white" align="center" colspan="2" | '''Please see […'</p>
<hr />
<div>{| style="width:90%" border="0" cellpadding="0" align="center"<br />
|-<br />
| style="width:100%" valign="middle" height="30" bgcolor="white" align="center" colspan="2" | <br />
'''Please see [[:Category:GEC_Meetings|GEC Meetings]] for previous GEC Meetings Agenda and the Dial-In details'''<br />
|}<br />
{| style="width:90%" border="0" cellpadding="0" align="center"<br />
|-<br />
| style="width:100%" valign="middle" height="30" bgcolor="#7b8abd" align="center" colspan="2" | '''AGENDA - August 25th, 2010'''<br />
|- <br />
| style="width:50%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Item/Issue'''<br />
| style="width:50%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Decisions/Comments Made'''<br />
|- <br />
| style="width:100%" valign="middle" height="30" bgcolor="#cccccc" align="center" colspan="2" | '''Current Meeting'''<br />
|-<br />
| valign="middle" bgcolor="#EEEEEE" align="left" colspan="0" |<br />
<br />
'''put your issues in here'''<br />
<br />
<br />
<br />
| valign="middle" bgcolor="#EEEEEE" align="left" colspan="0" |<br />
|-<br />
| valign="middle" bgcolor="#EEEEEE" align="left" colspan="0" |<br />
| valign="middle" bgcolor="#EEEEEE" align="left" colspan="0" |<br />
<br />
|-<br />
| style="width:100%" valign="middle" height="30" bgcolor="#7b8abd" align="center" colspan="2" | '''Meeting Attendance'''<br />
|-<br />
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |<br />
'''Attendees'''<br />
| valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |<br />
'''Apologies'''<br />
|-<br />
| style="width:100%" valign="middle" height="30" bgcolor="#7b8abd" align="center" colspan="2" | '''Meeting Notes'''<br />
|-<br />
| valign="middle" height="30" bgcolor="#EEEEEE" align="left" colspan="2" |<br />
<br />
|}<br />
__NOTOC__ <br />
<br />
[[Category:GEC_Meetings]]</div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Global_Education_Committee&diff=87526Global Education Committee2010-08-11T22:37:10Z<p>Martinknobloch: /* Agenda */</p>
<hr />
<div>[[Category:OWASP Project]]<br />
<br />
= About the Global Education Committee =<br />
'''The Global Education Committee was created during the OWASP EU Summit in Portugal 2008. The primary purpose of the Global Education Committee is: to work with the [https://www.owasp.org/index.php/Category:OWASP_Education_Project OWASP Education Project] to provide educational materials for both internal and external users, develop liaisons with educational institutions worldwide.'''<br />
<br />
== Mission ==<br />
Provide awareness, training and educational services to corporate,<br />
government and educational institutions on application security.<br />
<br />
== Vision ==<br />
Make OWASP educational material globally available as a well known resource<br />
in easily consumable form mapped to a framework tied specifically to user<br />
roles and responsibilities<br />
<br />
== Committee Members ==<br />
Chairs: [mailto:martin.knobloch@owasp.org Martin Knobloch] (Netherlands) and [mailto:kuai.hinojosa@owasp.org Kuai Hinojosa] (U.S.)<br />
<br />
* [mailto:mano.paul@securisksolutions.com Mano Paul] (U.S.)<br />
* [mailto:eduardo.neves@owasp.org Eduardo Neves] (Brazil)<br />
* [mailto:cecil.su@GRANTTHORNTON.COM.SG Cecil Su] (Singapore)<br />
* [mailto:fabio.e.cerullo@aib.ie Fabio Cerullo] (Ireland)<br />
* [mailto:andrzej.targosz@proidea.org.pl Andrzej Targosz] (Poland)<br />
* [mailto:nishi787@hotmail.com Nishi Kumar] (U.S.)<br />
* [mailto:sebastien.gioria@owasp.org Sebastien Gioria] (France)<br />
<br />
= Monthly Report Format =<br />
<br />
Date of last update: July 28th<br />
Updated by: Martin Knobloch<br />
<br />
Accomplishments for this Month<br />
* Updates on the CTF and Education project (and project wikis)<br />
* Getting in contact with universities <br />
* <br />
Planned for Next Month<br />
* Update GEC targets and Committee wiki<br />
* Update GEC committee members<br />
* OWASP Education Committee, namely: development and packaging of OWASP Training materials and the development of the ‘OWASP Academies’ concept <br />
Issues/Risks/Challenges<br />
* Finding new active members<br />
* Refocusing on fewer targets<br />
*<br />
<br />
[https://www.owasp.org/index.php/How_to_Join_a_Committee How to join this committee]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/global_education_committee Join our mailing list]<br />
<br />
<paypal>Global Education Committee</paypal><br />
<br />
== Scheduled Meetings ==<br />
'''The next meeting is scheduled for August 25th'''<br />
<pre><br />
The Global Education Committee Meetings take place via conference call every other Wednesday!<br />
<br />
Meeting times: <br />
3:00 p.m. @ Austin, Texas <br />
4:00 p.m. @ New York <br />
7:00 p.m. @ Brasil <br />
10:00 p.m. @ Netherlands<br />
4:00 a.m. @ Singapore (following day)<br />
<br />
</pre><br />
===Agenda===<br />
* [[GEC Agenda 2010-08-25|August 25th 2010]]<br />
<br />
All meeting agendas and notes are on the [[:Category:GEC Meetings|GEC Meetings]] page<br />
<br />
== Targets <font color="red">'''(DRAFT)'''</font> ==<br />
Below you can find the timeline, what has to be achieved by when. <br />
All tasks must be SMART!<br />
<br />
{| class="prettytable"<br />
! Update July 2010<br />
! Task<br />
! Deadline<br />
! Type<br />
! Status<br />
! Description<br />
! Who<br />
|-<br />
| Finished<br />
| [[Categorize (Organization) of educational materials]]<br />
| N/A<br />
| Documentation<br />
| Done<br />
| Categorize / Organization of the educational materials for audience by roles and responsibilities/technologies and use the summit workshop notes.<br />
| Martin<br />
|-<br />
| Package has been created for the OWASP London Training<br />
| [[Train the trainers (Teach the teachers)]]<br />
| '''Q1/Q2/Q3/Q4 2009'''<br />
| Delivery <br />
| in progress<br />
| Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
| Fabio / Nishi<br />
|-<br />
| Died <br />
| [[Create an online assessment and training portal]]<br />
| '''Q2/Q3/Q4 2009'''<br />
| Delivery <br />
| Planning<br />
| Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
| Mano/Fabio<br />
|-<br />
| on hold <br />
| [[OWASP Boot Camp Project]]<br />
| '''Proposal:''' February 2009 '''Final:''' October 2009 at OWASP AppSec US 2009<br />
| Delivery <br />
| waiting on project content<br />
| OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project<br />
| Martin<br />
|-<br />
| active, CTF held at OWASP AppSec-EU<br />
| [[OWASP CTF event]]<br />
| OWASP AppSec Conferences<br />
| Delivery <br />
| Done<br />
| Develop an OWASP Capture the Flag contest that can easily be used at OWASP conferences.<br />
| Martin<br />
|-<br />
| on hold<br />
| [[Speakers Bureau Project]]<br />
| '''TBD'''<br />
| Delivery <br />
| '''started'''<br />
| List of speakers, Name, Bio, Topics, History <br><br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
| Martin<br />
|-<br />
| Died<br />
| [[Marketing efforts]]<br />
| '''Q4 2009'''<br />
| Awareness Services <br />
| Started<br />
| Select material.<br />
| Eduardo<br />
|-<br />
| Hibernating, update requested<br />
| [[Internationalization of the training materials]]<br />
| '''Q4 2009'''<br />
| Awareness Services <br />
| Started<br />
| Select material for translation services for highly spoken languages <br />
| Eduardo<br />
|-<br />
| busy, just a darn long-lasting task<br />
| [[Education material]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| started<br />
| All projects should be summoned to create educational material (training service)<br />
1) Each Projects --> Documents (help), Tool, Training; Live CD (Portable)<br />
| Martin<br />
|-<br />
| Uncertain, update requested<br />
| [[Educational Academic Services]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| <br />
<br />
Already in contact with 3 universities and planning OWASP events to participate in. <br />
<br />
| Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events.<br />
<br />
1) New York University<br />
2) Cornell University<br />
3) Princeton University<br />
4) University of Minnesota<br />
5) Columbia University<br />
<br />
As a result of this initiative we would hope to see:<br />
<br />
1) Confirming participation at arranged events<br />
2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project <br />
3) University faculty, staff and students participate in local and international events/meetings<br />
4) University faculty, staff and students contribute to OWASP projects<br />
<br />
|Kuai Hinojosa, Andrzej<br />
|}<br />
<br />
= Proposal <font color="red">'''(DRAFT)'''</font> =<br />
== Categorize (Organization) of educational materials ==<br />
Objective: Categorize / organize educational material, restyle the Education Project website.<br><br />
<br />
Activities/Deadline:<br> <br />
* Categorize education material according to the CLASP roles<br><br />
* Group material into management-ish, student-ish, technical-ish <br><br />
<br />
Benefits<br><br />
Target specific demographic (managers, students...) Provide easy access to education material. Efficient categorization of education materials.<br />
<br />
== Train the trainers (Teach the teachers) ==<br />
Objective:<br />
Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
<br />
Activities/Deadline:<br />
# Develop a criteria to identify and approve trainers / Q1 2009<br />
# Identify pertinent OWASP related material that will be included in the training kit / Q2 2009. This is dependent on the education project organizing material.<br />
# Create a training toolkit with pre-built presentation and training materials, assessments etc. / Q3 2009<br />
# Conduct train the trainer sessions (remote or in-person) / Q4 2009<br />
<br />
Benefits:<br />
The training kit and trained trainers will be available resources promoting OWASP in local events worldwide.<br />
<br />
== Create an online assessment and training portal ==<br />
Objective:<br />
Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
<br />
Activities/Deadline:<br />
# Generate OWASP assessment items (can use the testing guide and other sources) / Q2-Q3 2009<br />
# Develop an assessment portal to deliver taking of assessments with robust reporting by knowledge area / Q4 2009<br />
# Develop a training portal to allow training providers to publish and promote their training offerings / Q4 2009<br />
This can be developed as a summer of code project but is not a requirement. <br />
<br />
Benefits:<br />
Assessments that can be offered in OWASP events and other conferences to users will increase OWASP awareness. The portal can become the link between trainers and trainees and will eventually help in increasing the awareness and knowledge of application security in the industry.<br />
<br />
== OWASP Boot Camp Project ==<br />
Objective<br><br />
To deliver a Boot Camp session; delivering one would become one of the main criteria for a project to reach alpha status<br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
<br />
== OWASP CTF event ==<br />
Objective<br />
Generate a Capture The Flag framework to be offered at OWASP events<br />
<br />
Activities/Deadline: <br />
* Andrzej will contact the organizers of the CTF from the Denver OWASP Conference and work in using same model<br />
<br />
Benefits<br />
Capture The Flag events are very popular at conferences; creating an OWASP-specific CTF will offer entertainment at events, generate attendee participation, etc.<br />
<br />
== Speakers Bureau Project ==<br />
<br />
Objective<br><br />
OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project<br><br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
List of speakers, Name, Bio, Topics, History <br />
Speakers in conferences (OOTM ask for funds on this)/summit<br />
<br />
Speakers Agreement - https://www.owasp.org/index.php/Speaker_Agreement<br />
<br />
== Marketing efforts ==<br />
Objective: To promote OWASP projects, events, education material and OWASP mission.<br><br />
<br />
Activities/Deadline:<br> <br />
* Gather flyers, Brochures of OWASP Top 10, Testing Guide<br />
<br />
Benefits<br><br />
Group promotional material which can be handed out at events<br />
<br />
== Internationalization of the training materials ==<br />
Objective<br><br />
Translate training materials<br />
<br />
Activities/Deadline:<br> <br />
Identify points of contact for translation efforts and set a deadline<br />
Translate material in French, Portuguese, Spanish, Malay, Italian, Indonesian, Chinese<br />
<br />
Benefits<br><br />
To reach international audiences<br />
<br />
== Education material ==<br />
Objective: Consolidate all projects (Tools, Help Documents, Presentations, LiveCD) create educational material (training service) <br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
<br />
== Academic Educational Services ==<br />
Objectives<br><br />
Promote and encourage OWASP resources at accredited universities around the world within the next 12 months by introducing OWASP training and education material at university events.<br />
<br />
Activities/Deadline:<br />
<br />
* Build a list of at least 5 Universities with computer science or risk management programs that can be targeted /Q1 2009 <br />
* Establish communication with targeted universities, generate key contacts and establish relationships /Q1 - Q4 2009<br />
* Develop a list of possible academic events in which to participate /Q1 - Q2 2009 <br />
* Participate in at least 1 Academic event, present case studies or OWASP education materials /Q1 - Q4<br />
<br />
Benefits<br><br />
OWASP will gain exposure in the academic world, starting with accredited universities around the world. Universities will become members of OWASP, provide meeting space, students will apply for OWASP grants, and provide support and structure</div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Global_Education_Committee&diff=87525Global Education Committee2010-08-11T22:36:13Z<p>Martinknobloch: /* Scheduled Meetings */</p>
<hr />
<div>[[Category:OWASP Project]]<br />
<br />
= About the Global Education Committee =<br />
'''The Global Education Committee was created during the OWASP EU Summit in Portugal 2008. The primary purpose of the Global Education Committee is: to work with the [https://www.owasp.org/index.php/Category:OWASP_Education_Project OWASP Education Project] to provide educational materials for both internal and external users, develop liaisons with educational institutions worldwide.'''<br />
<br />
== Mission ==<br />
Provide awareness, training and educational services to corporate,<br />
government and educational institutions on application security.<br />
<br />
== Vision ==<br />
Make OWASP educational material globally available as a well known resource<br />
in easily consumable form mapped to a framework tied specifically to user<br />
roles and responsibilities<br />
<br />
== Committee Members ==<br />
Chairs: [mailto:martin.knobloch@owasp.org Martin Knobloch] (Netherlands) and [mailto:kuai.hinojosa@owasp.org Kuai Hinojosa] (U.S.)<br />
<br />
* [mailto:mano.paul@securisksolutions.com Mano Paul] (U.S.)<br />
* [mailto:eduardo.neves@owasp.org Eduardo Neves] (Brazil)<br />
* [mailto:cecil.su@GRANTTHORNTON.COM.SG Cecil Su] (Singapore)<br />
* [mailto:fabio.e.cerullo@aib.ie Fabio Cerullo] (Ireland)<br />
* [mailto:andrzej.targosz@proidea.org.pl Andrzej Targosz] (Poland)<br />
* [mailto:nishi787@hotmail.com Nishi Kumar] (U.S.)<br />
* [mailto:sebastien.gioria@owasp.org Sebastien Gioria] (France)<br />
<br />
= Monthly Report Format =<br />
<br />
Date of last update: July 28th<br />
Updated by: Martin Knobloch<br />
<br />
Accomplishments for this Month<br />
* Updates on the CTF and Education project (and project wikis)<br />
* Getting in contact with universities <br />
* <br />
Planned for Next Month<br />
* Update GEC targets and Committee wiki<br />
* Update GEC committee members<br />
* OWASP Education Committee, namely: development and packaging of OWASP Training materials and the development of the ‘OWASP Academies’ concept <br />
Issues/Risks/Challenges<br />
* Finding new active members<br />
* Refocusing on fewer targets<br />
*<br />
<br />
[https://www.owasp.org/index.php/How_to_Join_a_Committee How to join this committee]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/global_education_committee Join our mailing list]<br />
<br />
<paypal>Global Education Committee</paypal><br />
<br />
== Scheduled Meetings ==<br />
'''The next meeting is scheduled for August 25th'''<br />
<pre><br />
The Global Education Committee Meetings take place via conference call every other Wednesday!<br />
<br />
Meeting times: <br />
3:00 p.m. @ Austin, Texas <br />
4:00 p.m. @ New York <br />
7:00 p.m. @ Brasil <br />
10:00 p.m. @ Netherlands<br />
4:00 a.m. @ Singapore (following day)<br />
<br />
</pre><br />
===Agenda===<br />
* [[GEC Agenda 2010-02-24|24th Feb 2010]]<br />
<br />
All meeting agendas and notes are on the [[:Category:GEC Meetings|GEC Meetings]] page<br />
<br />
== Targets <font color="red">'''(DRAFT)'''</font> ==<br />
Below you can find the timeline, what has to be achieved by when. <br />
All tasks must be SMART!<br />
<br />
{| class="prettytable"<br />
! Update July 2010<br />
! Task<br />
! Deadline<br />
! Type<br />
! Status<br />
! Description<br />
! Who<br />
|-<br />
| Finished<br />
| [[Categorize (Organization) of educational materials]]<br />
| N/A<br />
| Documentation<br />
| Done<br />
| Categorize / Organization of the educational materials for audience by roles and responsibilities/technologies and use the summit workshop notes.<br />
| Martin<br />
|-<br />
| Package has been created for the OWASP London Training<br />
| [[Train the trainers (Teach the teachers)]]<br />
| '''Q1/Q2/Q3/Q4 2009'''<br />
| Delivery <br />
| in progress<br />
| Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
| Fabio / Nishi<br />
|-<br />
| Died <br />
| [[Create an online assessment and training portal]]<br />
| '''Q2/Q3/Q4 2009'''<br />
| Delivery <br />
| Planning<br />
| Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
| Mano/Fabio<br />
|-<br />
| on hold <br />
| [[OWASP Boot Camp Project]]<br />
| '''Proposal:''' February 2009 '''Final:''' October 2009 at OWASP AppSec US 2009<br />
| Delivery <br />
| waiting on project content<br />
| OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project<br />
| Martin<br />
|-<br />
| active, CTF held at OWASP AppSec-EU<br />
| [[OWASP CTF event]]<br />
| OWASP AppSec Conferences<br />
| Delivery <br />
| Done<br />
| Develop an OWASP Capture the Flag contest that can easily be used at OWASP conferences.<br />
| Martin<br />
|-<br />
| on hold<br />
| [[Speakers Bureau Project]]<br />
| '''TBD'''<br />
| Delivery <br />
| '''started'''<br />
| List of speakers, Name, Bio, Topics, History <br><br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
| Martin<br />
|-<br />
| Died<br />
| [[Marketing efforts]]<br />
| '''Q4 2009'''<br />
| Awareness Services <br />
| Started<br />
| Select material.<br />
| Eduardo<br />
|-<br />
| Hibernating, update requested<br />
| [[Internationalization of the training materials]]<br />
| '''Q4 2009'''<br />
| Awareness Services <br />
| Started<br />
| Select material for translation services for highly spoken languages <br />
| Eduardo<br />
|-<br />
| busy, just a darn long-lasting task<br />
| [[Education material]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| started<br />
| All projects should be summoned to create educational material (training service)<br />
1) Each project --> documents (help), tool, training; Live CD (portable)<br />
| Martin<br />
|-<br />
| Uncertain, update requested<br />
| [[Educational Academic Services]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| <br />
<br />
3 universities are already in contact with us and are planning OWASP events to participate in. <br />
<br />
| Incorporate OWASP into the following top 5 universities within the next 12 months by introducing OWASP training and education resources at university events.<br />
<br />
1) New York University<br />
2) Cornell University<br />
3) Princeton University<br />
4) University of Minnesota<br />
5) Columbia University<br />
<br />
As a result of this initiative we would hope to see:<br />
<br />
1) Confirmed participation at arranged events<br />
2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project <br />
3) University faculty, staff and students participate in local and international events/meetings<br />
4) University faculty, staff and students contribute to OWASP projects<br />
<br />
|Kuai Hinojosa, Andrzej<br />
|}<br />
<br />
= Proposal <font color="red">'''(DRAFT)'''</font> =<br />
== Categorize (Organization) of educational materials ==<br />
Objective: Categorize / organize educational material, restyle the Education Project website.<br><br />
<br />
Activities/Deadline:<br> <br />
* Categorize education material according to the CLASP roles<br><br />
* Group material into management-ish, student-ish, technical-ish <br><br />
<br />
Benefits<br><br />
Target specific demographics (managers, students, ...). Provide easy access to education material. Efficient categorization of education materials.<br />
<br />
== Train the trainers (Teach the teachers) ==<br />
Objective:<br />
Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
<br />
Activities/Deadline:<br />
# Develop criteria to identify and approve trainers / Q1 2009<br />
# Identify pertinent OWASP related material that will be included in the training kit / Q2 2009. This is dependent on the education project organizing material.<br />
# Create a training toolkit with pre-built presentation and training materials, assessments etc. / Q3 2009<br />
# Conduct train the trainer sessions (remote or in-person) / Q4 2009<br />
<br />
Benefits:<br />
The training kit and trained trainers will be available resources promoting OWASP in local events worldwide.<br />
<br />
== Create an online assessment and training portal ==<br />
Objective:<br />
Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
<br />
Activities/Deadline:<br />
# Generate OWASP assessment items (can use the testing guide and other sources) / Q2-Q3 2009<br />
# Develop an assessment portal for taking assessments, with robust reporting by knowledge area / Q4 2009<br />
# Develop a training portal to allow training providers to publish and promote their training offerings / Q4 2009<br />
This can be developed as a Summer of Code project but is not a requirement. <br />
<br />
Benefits:<br />
Assessments offered to users at OWASP events and other conferences will increase OWASP awareness. The portal can become the link between trainers and trainees and will eventually help increase the awareness and knowledge of application security in the industry.<br />
<br />
== OWASP Boot Camp Project ==<br />
Objective<br><br />
To deliver a Boot Camp session, which would become one of the main criteria for a project to reach alpha status<br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
<br />
== OWASP CTF event ==<br />
Objective<br />
Generate a Capture The Flag framework to be offered at OWASP events<br />
<br />
Activities/Deadline: <br />
* Andrzej will contact the organizers of the CTF from the Denver OWASP Conference and work on using the same model<br />
<br />
Benefits<br />
Capture The Flag events are very popular at conferences; creating an OWASP-specific CTF will offer entertainment at events, generate attendee participation, etc.<br />
<br />
== Speakers Bureau Project ==<br />
<br />
Objective<br><br />
OWASP Boot Camp about the OWASP projects; delivering a Boot Camp presentation should be one of the criteria for a project to get alpha status<br><br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
List of speakers, Name, Bio, Topics, History <br />
Speakers in conferences (OOTM ask for funds on this)/summit<br />
<br />
Speakers Agreement - https://www.owasp.org/index.php/Speaker_Agreement<br />
<br />
== Marketing efforts ==<br />
Objective: To promote OWASP projects, events, education material and OWASP mission.<br><br />
<br />
Activities/Deadline:<br> <br />
* Gather flyers, Brochures of OWASP Top 10, Testing Guide<br />
<br />
Benefits<br><br />
Group promotional material which can be handed out at events<br />
<br />
== Internationalization of the training materials ==<br />
Objective<br><br />
Translate training materials<br />
<br />
Activities/Deadline:<br> <br />
Identify points of contact for translation efforts and set up a deadline<br />
Translate material into French, Portuguese, Spanish, Malay, Italian, Indonesian, Chinese<br />
<br />
Benefits<br><br />
To reach international audiences<br />
<br />
== Education material ==<br />
Objective: Consolidate all projects (tools, help documents, presentations, LiveCD) to create educational material (training service) <br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
<br />
== Academic Educational Services ==<br />
Objectives<br><br />
Promote and encourage OWASP resources at accredited universities around the world within the next 12 months by introducing OWASP training and education material at university events.<br />
<br />
Activities/Deadline:<br />
<br />
* Build a list of at least 5 Universities with computer science or risk management programs that can be targeted /Q1 2009 <br />
* Establish communication with targeted universities, generate key contacts and establish relationships /Q1 - Q4 2009<br />
* Develop a list of possible academic events in which to participate /Q1 - Q2 2009 <br />
* Participate in at least 1 Academic event, present case studies or OWASP education materials /Q1 - Q4<br />
<br />
Benefits<br><br />
OWASP will gain exposure in the academic sector, starting with accredited universities around the world. Universities will become members of OWASP and provide meeting space, students will apply for OWASP grants, and universities will provide support and structure</div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Global_Education_Committee&diff=87524Global Education Committee2010-08-11T22:32:22Z<p>Martinknobloch: /* Scheduled Meetings */</p>
<hr />
<div>[[Category:OWASP Project]]<br />
<br />
= About the Global Education Committee =<br />
'''The Global Education Committee was created during the OWASP EU Summit in Portugal 2008. The primary purpose of the Global Education Committee is to work with the [https://www.owasp.org/index.php/Category:OWASP_Education_Project OWASP Education Project] to provide educational materials for both internal and external users and to develop liaisons with educational institutions worldwide.'''<br />
<br />
== Mission ==<br />
Provide awareness, training and educational services to corporate,<br />
government and educational institutions on application security.<br />
<br />
== Vision ==<br />
Make OWASP educational material globally available as a well known resource<br />
in easily consumable form mapped to a framework tied specifically to user<br />
roles and responsibilities<br />
<br />
== Committee Members ==<br />
Chairs: [mailto:martin.knobloch@owasp.org Martin Knobloch] (Netherlands) and [mailto:kuai.hinojosa@owasp.org Kuai Hinojosa] (U.S.)<br />
<br />
* [mailto:mano.paul@securisksolutions.com Mano Paul] (U.S.)<br />
* [mailto:eduardo.neves@owasp.org Eduardo Neves] (Brazil)<br />
* [mailto:cecil.su@GRANTTHORNTON.COM.SG Cecil Su] (Singapore)<br />
* [mailto:fabio.e.cerullo@aib.ie Fabio Cerullo] (Ireland)<br />
* [mailto:andrzej.targosz@proidea.org.pl Andrzej Targosz] (Poland)<br />
* [mailto:nishi787@hotmail.com Nishi Kumar] (U.S.)<br />
* [mailto:sebastien.gioria@owasp.org Sebastien Gioria] (France)<br />
<br />
= Monthly Report Format =<br />
<br />
Date of last update: July 28th<br />
Updated by: Martin Knobloch<br />
<br />
Accomplishments for this Month<br />
* Updates on the CTF and Education project (and project wikis)<br />
* Getting in contact with universities <br />
Planned for Next Month<br />
* Update GEC targets and Committee wiki<br />
* Update GEC committee members<br />
* OWASP Education Committee work, namely: development and packaging of OWASP training materials and the development of the 'OWASP Academies' concept <br />
Issues/Risks/Challenges<br />
* Finding new active members<br />
* Refocusing on fewer targets<br />
<br />
[https://www.owasp.org/index.php/How_to_Join_a_Committee How to join this committee]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/global_education_committee Join our mailing list]<br />
<br />
<paypal>Global Education Committee</paypal><br />
<br />
== Scheduled Meetings ==<br />
<pre><br />
The Global Education Committee meetings take place via conference call on the last Wednesday of every month <br />
at the following local times: <br />
3:00 p.m. @ Austin, Texas <br />
4:00 p.m. @ New York <br />
7:00 p.m. @ Brasil <br />
10:00 p.m. @ Netherlands<br />
4:00 a.m. @ Singapore (following day)<br />
<br />
</pre><br />
===Agenda===<br />
* [[GEC Agenda 2010-02-24|24th Feb 2010]]<br />
<br />
All meeting agendas and notes are on the [[:Category:GEC Meetings|GEC Meetings]] page<br />
<br />
== Targets <font color="red">'''(DRAFT)'''</font> ==<br />
Below you can find the timeline: what has to be achieved by when. <br />
All tasks must be SMART!<br />
<br />
{| class="prettytable"<br />
! Update July 2010<br />
! Task<br />
! Deadline<br />
! Type<br />
! Status<br />
! Description<br />
! Who<br />
|-<br />
| Finished<br />
| [[Categorize (Organization) of educational materials]]<br />
| N/A<br />
| Documentation<br />
| Done<br />
| Categorize / Organization of the educational materials for audience by roles and responsibilities/technologies and use the summit workshop notes.<br />
| Martin<br />
|-<br />
| Package has been created for the OWASP London Training<br />
| [[Train the trainers (Teach the teachers)]]<br />
| '''Q1/Q2/Q3/Q4 2009'''<br />
| Delivery <br />
| in progress<br />
| Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
| Fabio / Nishi<br />
|-<br />
| Died <br />
| [[Create an online assessment and training portal]]<br />
| '''Q2/Q3/Q4 2009'''<br />
| Delivery <br />
| Planning<br />
| Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
| Mano/Fabio<br />
|-<br />
| on hold <br />
| [[OWASP Boot Camp Project]]<br />
| '''Proposal:''' February 2009 '''Final:''' October 2009 at OWASP AppSec US 2009<br />
| Delivery <br />
| waiting on project content<br />
| OWASP Boot Camp about the OWASP projects; delivering a Boot Camp presentation should be one of the criteria for a project to get alpha status<br />
| Martin<br />
|-<br />
| active, CTF held at OWASP AppSec-EU<br />
| [[OWASP CTF event]]<br />
| OWASP AppSec Conferences<br />
| Delivery <br />
| Done<br />
| Develop an OWASP Capture the Flag contest that can easily be used at OWASP conferences.<br />
| Martin<br />
|-<br />
| on hold<br />
| [[Speakers Bureau Project]]<br />
| '''TBD'''<br />
| Delivery <br />
| '''started'''<br />
| List of speakers, Name, Bio, Topics, History <br><br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
| Martin<br />
|-<br />
| Died<br />
| [[Marketing efforts]]<br />
| '''Q4 2009'''<br />
| Awareness Services <br />
| Started<br />
| Select material.<br />
| Eduardo<br />
|-<br />
| Hibernating, update requested<br />
| [[Internationalization of the training materials]]<br />
| '''Q4 2009'''<br />
| Awareness Services <br />
| Started<br />
| Select material for translation services for highly spoken languages <br />
| Eduardo<br />
|-<br />
| busy, just a darn long-lasting task<br />
| [[Education material]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| started<br />
| All projects should be summoned to create educational material (training service)<br />
1) Each project --> documents (help), tool, training; Live CD (portable)<br />
| Martin<br />
|-<br />
| Uncertain, update requested<br />
| [[Educational Academic Services]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| <br />
<br />
3 universities are already in contact with us and are planning OWASP events to participate in. <br />
<br />
| Incorporate OWASP into the following top 5 universities within the next 12 months by introducing OWASP training and education resources at university events.<br />
<br />
1) New York University<br />
2) Cornell University<br />
3) Princeton University<br />
4) University of Minnesota<br />
5) Columbia University<br />
<br />
As a result of this initiative we would hope to see:<br />
<br />
1) Confirmed participation at arranged events<br />
2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project <br />
3) University faculty, staff and students participate in local and international events/meetings<br />
4) University faculty, staff and students contribute to OWASP projects<br />
<br />
|Kuai Hinojosa, Andrzej<br />
|}<br />
<br />
= Proposal <font color="red">'''(DRAFT)'''</font> =<br />
== Categorize (Organization) of educational materials ==<br />
Objective: Categorize / organize educational material, restyle the Education Project website.<br><br />
<br />
Activities/Deadline:<br> <br />
* Categorize education material according to the CLASP roles<br><br />
* Group material into management-ish, student-ish, technical-ish <br><br />
<br />
Benefits<br><br />
Target specific demographics (managers, students, ...). Provide easy access to education material. Efficient categorization of education materials.<br />
<br />
== Train the trainers (Teach the teachers) ==<br />
Objective:<br />
Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
<br />
Activities/Deadline:<br />
# Develop criteria to identify and approve trainers / Q1 2009<br />
# Identify pertinent OWASP related material that will be included in the training kit / Q2 2009. This is dependent on the education project organizing material.<br />
# Create a training toolkit with pre-built presentation and training materials, assessments etc. / Q3 2009<br />
# Conduct train the trainer sessions (remote or in-person) / Q4 2009<br />
<br />
Benefits:<br />
The training kit and trained trainers will be available resources promoting OWASP in local events worldwide.<br />
<br />
== Create an online assessment and training portal ==<br />
Objective:<br />
Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
<br />
Activities/Deadline:<br />
# Generate OWASP assessment items (can use the testing guide and other sources) / Q2-Q3 2009<br />
# Develop an assessment portal for taking assessments, with robust reporting by knowledge area / Q4 2009<br />
# Develop a training portal to allow training providers to publish and promote their training offerings / Q4 2009<br />
This can be developed as a Summer of Code project but is not a requirement. <br />
<br />
Benefits:<br />
Assessments offered to users at OWASP events and other conferences will increase OWASP awareness. The portal can become the link between trainers and trainees and will eventually help increase the awareness and knowledge of application security in the industry.<br />
<br />
== OWASP Boot Camp Project ==<br />
Objective<br><br />
To deliver a Boot Camp session, which would become one of the main criteria for a project to reach alpha status<br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
<br />
== OWASP CTF event ==<br />
Objective<br />
Generate a Capture The Flag framework to be offered at OWASP events<br />
<br />
Activities/Deadline: <br />
* Andrzej will contact the organizers of the CTF from the Denver OWASP Conference and work on using the same model<br />
<br />
Benefits<br />
Capture The Flag events are very popular at conferences; creating an OWASP-specific CTF will offer entertainment at events, generate attendee participation, etc.<br />
<br />
== Speakers Bureau Project ==<br />
<br />
Objective<br><br />
OWASP Boot Camp about the OWASP projects; delivering a Boot Camp presentation should be one of the criteria for a project to get alpha status<br><br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
List of speakers, Name, Bio, Topics, History <br />
Speakers in conferences (OOTM ask for funds on this)/summit<br />
<br />
Speakers Agreement - https://www.owasp.org/index.php/Speaker_Agreement<br />
<br />
== Marketing efforts ==<br />
Objective: To promote OWASP projects, events, education material and OWASP mission.<br><br />
<br />
Activities/Deadline:<br> <br />
* Gather flyers, Brochures of OWASP Top 10, Testing Guide<br />
<br />
Benefits<br><br />
Group promotional material which can be handed out at events<br />
<br />
== Internationalization of the training materials ==<br />
Objective<br><br />
Translate training materials<br />
<br />
Activities/Deadline:<br> <br />
Identify points of contact for translation efforts and set up a deadline<br />
Translate material into French, Portuguese, Spanish, Malay, Italian, Indonesian, Chinese<br />
<br />
Benefits<br><br />
To reach international audiences<br />
<br />
== Education material ==<br />
Objective: Consolidate all projects (tools, help documents, presentations, LiveCD) to create educational material (training service) <br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
<br />
== Academic Educational Services ==<br />
Objectives<br><br />
Promote and encourage OWASP resources at accredited universities around the world within the next 12 months by introducing OWASP training and education material at university events.<br />
<br />
Activities/Deadline:<br />
<br />
* Build a list of at least 5 Universities with computer science or risk management programs that can be targeted /Q1 2009 <br />
* Establish communication with targeted universities, generate key contacts and establish relationships /Q1 - Q4 2009<br />
* Develop a list of possible academic events in which to participate /Q1 - Q2 2009 <br />
* Participate in at least 1 Academic event, present case studies or OWASP education materials /Q1 - Q4<br />
<br />
Benefits<br><br />
OWASP will gain exposure in the academic sector, starting with accredited universities around the world. Universities will become members of OWASP and provide meeting space, students will apply for OWASP grants, and universities will provide support and structure</div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Category:OWASP_Education_Project&diff=87362Category:OWASP Education Project2010-08-05T21:14:15Z<p>Martinknobloch: /* Educations */</p>
<hr />
<div>{{:Project Information:template Education Project}}<br />
[[Category:OWASP Project|Education Project New]]<br />
[[Category:OWASP Education Modules]]<br />
[[Category:OWASP Document]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Beta Quality Document]]<br />
<br />
<br />
== Welcome to the OWASP Education Project==<br />
<br />
Web application security education and awareness are needed throughout the entire organization; each area and level of an organization has specific needs and requirements regarding education. A manager needs different information than a security professional or developer. Novices to the profession require different training than people with several years of experience. <br><br />
This Education Project aims to provide building blocks of web application security information. These modules can be combined into education tracks targeting different audiences.<br><br><br />
The first list of modules can be found [[OWASP Education Project Modules|here]].<br />
<br />
==== Educational Material ====<br />
<br />
=== Categorized educational material ===<br />
The categorized educational material can be found [[OWASP Education Material Categorized|here]].<br />
<br />
=== Resources and links ===<br />
<br />
This project is not standalone. There is an awful lot of information that can be found throughout this site and from other resources on the Internet. <br><br />
This project will draw pieces of information from:<br />
* The [http://www.owasp.org/index.php/Category:OWASP_Video Videos]<br />
* The presentations, currently being inventoried in the [[OWASP Education Presentation|consolidation page of OWASP presentations]]<br />
* [http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project WebGoat]<br />
* ...<br />
One of the modules to create will be a Resources module, not limited to OWASP.<br />
<br />
=== Donated Material ===<br />
<br />
The following training material and presentations were donated to the education project and will be integrated in future Education Tracks.<br />
* [[Education Donated: OWASP Safe Browsing]]<br />
* [[Education Donated: OWASP ASVS 1.0 ~2 day training deck]]<br />
<br />
=== Educations ===<br />
* [http://www.owasp.org/index.php/Education_Track:_What_Developers_Should_Know_on_Web_Application_Security What Developers Should Know]<br />
==== About the Project ====<br />
<br />
=== Goals & Roadmap ===<br />
<br />
Currently the project goals are to create Educational Tracks:<br />
* A [[Education Track: Web Application Security Primer|Web Application Security Primer]] Track for beginners (4 hours) <br />
* [[Education Track: What Developers Should Know on Web Application Security|What Developers Should Know on Web Application Security]] Track for developers (4 hours) <br />
* Create a [[OWASP Education Presentation|consolidation page of OWASP presentations]] performed in the past with the possibility to add comments<br />
* [[Education Track: OWASP Boot Camp |OWASP Boot Camp]] OWASP Training events, get ready for secure application development<br />
* [[Education Track: OWASP Capture the flag application | Capture the flag application ]] <br />
* ...<br />
Further breakdown of tasks and future developments are listed in the [[OWASP Education Project Roadmap|road map]].<br><br />
<br><br />
<br />
<br />
=== Spoc007 Progress ===<br />
The Education project was selected for [http://www.owasp.org/index.php/SpoC_007_-_OWASP_Education_Project Spoc007 participation] (see page for progress).<br />
<br />
The SpoC007 goal is to finish Sub Goals 1, 2, 3 and perform Sub Goal 4 during the coming months ([[OWASP Education Project Roadmap|road map]]).<br />
<br />
==== Participation ====<br />
=== Project Guiding Principles ===<br />
<br />
This project aims to provide building blocks of web application security knowledge that can easily be integrated in awareness sessions or presentations on this topic. The building blocks provided by this project can then be bundled together in education tracks.<br><br />
An important guideline is therefore that the material produced is modular.<br><br />
<br />
<br />
=== Feedback and Participation: ===<br />
<br />
We hope you find the OWASP Education Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to the [http://lists.owasp.org/mailman/listinfo/owasp-education mailing list].<br />
<br />
If you used material from our project, please use the available [[:Image:Education_Track_Evaluation_Template.doc|evaluation forms]] and let us know how we can improve our modules and tracks.<br />
<br />
=== Project Contributors ===<br />
<br />
If you contribute to this Project, please add your name here.<br><br />
Project Lead:<br />
* [[User:knoblochmartin| Martin Knobloch]]<br />
<br />
Contributors:<br />
<br />
* [[User:Sdeleersnyder|Sebastien Deleersnyder]]<br />
* [[User:medelibero|Mike de Libero]]<br />
* [[User:Bunyamin|Bunyamin Demir]]<br />
* [[User:xxradar|Philippe Bogaerts]]<br />
* [[User:Brennan|Tom Brennan]]<br />
* [[User:Mccorga| Grady McCorkle]]<br />
* you? ...<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<br />
{{PutInCategory}}</div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Category:OWASP_Education_Project&diff=87361Category:OWASP Education Project2010-08-05T21:11:12Z<p>Martinknobloch: </p>
<hr />
<div>{{:Project Information:template Education Project}}<br />
[[Category:OWASP Project|Education Project New]]<br />
[[Category:OWASP Education Modules]]<br />
[[Category:OWASP Document]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Beta Quality Document]]<br />
<br />
<br />
== Welcome to the OWASP Education Project==<br />
<br />
Web application security education and awareness are needed throughout the entire organization; each area and level of an organization has specific needs and requirements regarding education. A manager needs different information than a security professional or developer. Novices to the profession require different training than people with several years of experience. <br><br />
This Education Project aims to provide building blocks of web application security information. These modules can be combined into education tracks targeting different audiences.<br><br><br />
The first list of modules can be found [[OWASP Education Project Modules|here]].<br />
<br />
==== Educational Material ====<br />
<br />
=== Categorized educational material ===<br />
The categorized educational material can be found [[OWASP Education Material Categorized|here]].<br />
<br />
=== Resources and links ===<br />
<br />
This project is not standalone. There is an awful lot of information that can be found throughout this site and from other resources on the Internet. <br><br />
This project will draw pieces of information from:<br />
* The [http://www.owasp.org/index.php/Category:OWASP_Video Videos]<br />
* The presentations, currently being inventoried in the [[OWASP Education Presentation|consolidation page of OWASP presentations]]<br />
* [http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project WebGoat]<br />
* ...<br />
One of the modules to create will be a Resources module, not limited to OWASP.<br />
<br />
=== Donated Material ===<br />
<br />
The following training material and presentations were donated to the education project and will be integrated in future Education Tracks.<br />
* [[Education Donated: OWASP Safe Browsing]]<br />
* [[Education Donated: OWASP ASVS 1.0 ~2 day training deck]]<br />
<br />
=== Educations ===<br />
* [http://www.owasp.org/index.php/Education_Track:_What_Developers_Should_Know_on_Web_Application_Security What Developers Should Know]<br />
==== About the Project ====<br />
=== Goals & Roadmap ===<br />
<br />
Currently the project goals are to create Educational Tracks:<br />
* A [[Education Track: Web Application Security Primer|Web Application Security Primer]] Track for beginners (4 hours) <br />
* [[Education Track: What Developers Should Know on Web Application Security|What Developers Should Know on Web Application Security]] Track for developers (4 hours) <br />
* Create a [[OWASP Education Presentation|consolidation page of OWASP presentations]] performed in the past with the possibility to add comments<br />
* [[Education Track: OWASP Boot Camp |OWASP Boot Camp]] OWASP Training events, get ready for secure application development<br />
* [[Education Track: OWASP Capture the flag application | Capture the flag application ]] <br />
* ...<br />
Further breakdown of tasks and future developments are listed in the [[OWASP Education Project Roadmap|road map]].<br><br />
<br><br />
<br />
<br />
=== Spoc007 Progress ===<br />
The Education project was selected for [http://www.owasp.org/index.php/SpoC_007_-_OWASP_Education_Project Spoc007 participation] (see page for progress).<br />
<br />
The SpoC007 goal is to finish Sub Goals 1, 2, 3 and perform Sub Goal 4 during the coming months ([[OWASP Education Project Roadmap|road map]]).<br />
<br />
==== Participation ====<br />
=== Project Guiding Principles ===<br />
<br />
This project aims to provide building blocks of web application security knowledge that can easily be integrated in awareness sessions or presentations on this topic. The building blocks provided by this project can then be bundled together in education tracks.<br><br />
An important guideline is therefore that the material produced is modular.<br><br />
<br />
<br />
=== Feedback and Participation: ===<br />
<br />
We hope you find the OWASP Education Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to the [http://lists.owasp.org/mailman/listinfo/owasp-education mailing list].<br />
<br />
If you used material from our project, please use the available [[:Image:Education_Track_Evaluation_Template.doc|evaluation forms]] and let us know how we can improve our modules and tracks.<br />
<br />
=== Project Contributors ===<br />
<br />
If you contribute to this Project, please add your name here.<br><br />
Project Lead:<br />
* [[User:knoblochmartin| Martin Knobloch]]<br />
<br />
Contributors:<br />
<br />
* [[User:Sdeleersnyder|Sebastien Deleersnyder]]<br />
* [[User:medelibero|Mike de Libero]]<br />
* [[User:Bunyamin|Bunyamin Demir]]<br />
* [[User:xxradar|Philippe Bogaerts]]<br />
* [[User:Brennan|Tom Brennan]]<br />
* [[User:Mccorga| Grady McCorkle]]<br />
* you? ...<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<br />
{{PutInCategory}}</div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Global_Committee_Pages&diff=87354Global Committee Pages2010-08-05T20:06:05Z<p>Martinknobloch: </p>
<hr />
<div>__notoc__<br />
=NEW GLOBAL COMMITTEE STRUCTURE=<br />
OWASP recognized the extraordinary contribution of our most active leaders by engaging them to lead a set of six new committees that report to the [https://www.owasp.org/index.php/Contact OWASP Board of Directors]. Each democratically established committee will focus on a key function or geographic region, such as OWASP projects, conferences, local chapters, membership and industry outreach. [http://www.owasp.org/index.php/Category:OWASP_Chapter#Local_Chapters Local Chapters] should contact the appropriate committee for assistance, guidance or to suggest best practice. <br />
<br />
{| style="width:90%" border="0" align="center"<br />
| colspan="8" align="center" style="background:#4058A0; color:white" | '''OWASP GLOBAL COMMITTEES'''<br />
|-<br />
| style="width:15%; background:#f2984c" align="center" | OWASP GLOBAL COMMITTEE<br />
| style="width:15%; background:#f2984c" align="center" | [[Global Projects Committee|'''Projects''']] <br />
| style="width:14%; background:#f2984c" align="center" | [[Global Membership Committee|'''Membership''']]<br />
| style="width:14%; background:#f2984c" align="center" | [[Global Education Committee|'''Education''']]<br />
| style="width:14%; background:#f2984c" align="center" | [[Global Conferences Committee|'''Conferences''']] <br />
| style="width:14%; background:#f2984c" align="center" | [[Global Industry Committee|'''Industry''']]<br />
| style="width:14%; background:#f2984c" align="center" | [[Global Chapter Committee|'''Chapters''']] <br />
| style="width:14%; background:#f2984c" align="center" | [[OWASP Connections Committee|'''Connections''']] <br />
|-<br />
| style="width:15%; background:#cccccc" align="left" | <br />
| style="width:15%; background:#cccccc" align="left" valign="top" |<br />
<br />
* [[User:Jason Li|Jason Li]] <br />
* [[User:Bradcausey|Brad Causey]]<br />
* [[:User:Pravir Chandra|Pravir Chandra]] <br />
* [[:Image:Image022-Leo Cavallari.jpg|Leo Cavallari]] <br />
| style="width:14%; background:#cccccc" align="left" valign="top" | <br />
<br />
* [[:Image:Image018-Dan Cornell.jpg|Dan Cornell]] <br />
* [[:Image:Image017-Michael Coates.jpg|Michael Coates]] <br />
* [[:Image:Image023-StephenCraigEvans.jpg|Stephen Craig Evans]]<br />
| style="width:14%; background:#cccccc" align="left" valign="top" | <br />
<br />
*[[:Image:Image010-Kuai Hinjosa.jpg|Kuai Hinjosa]]<br />
*[[:Image:Image007-Martin Knobloch.jpg|Martin Knobloch]]<br />
* [[:Image:Image012-Mano Paul.jpg|Mano Paul]]<br />
* [[:Image:Image008-Eduardo Neves.jpg|Eduardo Neves]]<br />
* [[:Image:Image011-Cecil Su.jpg|Cecil Su]] <br />
* [[:Image:Image009-Fabio Cerullo.jpg|Fabio Cerullo]]<br />
* [[:Global Education Committee - Application 1|Andrzej Targosz]]<br />
* [[:Global Education Committee - Application 3|Sebastien Gioria]]<br />
* [[:Global Education Committee - Application 4|Nishi Kumar]]<br />
| style="width:14%; background:#cccccc" align="left" valign="top" |<br />
<br />
* [[:Global Conferences Committee - Application 1|Mark Bristow]]<br />
* [[:Global_Conferences_Committee_-_Application_2|Lucas Ferreira]]<br />
* [[:Global_Conferences_Committee_-_Application_3|John Wilander]]<br />
| style="width:14%; background:#cccccc" align="left" valign="top" |<br />
<br />
* [[Global_Industry_Committee_-_Application_1|Colin Watson]]<br />
* [[:Image:Image014 Rex Booth.jpg|Rex Booth]]<br />
* [[:Image:Image016-Georg Hess.jpg|Georg Hess]]<br />
* [[:Image:Image013-Eoin Keary.jpg|Eoin Keary]] <br />
* [[:Image:Image015-David Campbell.jpg|David Campbell]]<br />
* [[Global_Industry_Committee_-_Application_3|Yiannis Pavlosoglou]]<br />
* [[Global_Industry_Committee_-_Application_4|Joe Bernik]]<br />
* [[Global_Industry_Committee_-_Application_2|Alexander Fry]]<br />
<br />
See also:<br />
<br />
* [http://www.owasp.org/index.php/Global_Industry_Committee-SIG Special Interest Groups]<br />
* [http://www.owasp.org/index.php/Category:India OWASP India Advisory Board]<br />
| style="width:14%; background:#cccccc" align="left" valign="top" |<br />
<br />
* [[:User:Mchalmers|Matthew Chalmers]]<br />
* [[:Image:Image002-Puneet Mehta.jpg|Puneet Mehta]]<br />
* Mandeep Khera<br />
<br />
| style="width:14%; background:#cccccc" align="left" valign="top"|<br />
* [[OWASP_Connections_Committee_-_Application_1|Lorna Alamri]]<br />
* [[OWASP_Connections_Committee_-_Application_2|Robert Hansen]]<br />
* [[OWASP_Connections_Committee_-_Application_3|Justin Clarke]]<br />
* [[OWASP_Connections_Committee_-_Application_4|Jim Manico]]<br />
|}<br />
<br />
<br />
<center>[https://www.owasp.org/index.php/How_to_Join_a_Committee '''How to Join a Global Committee''']</center></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=OWASP_Education_Material_Categorized&diff=87353OWASP Education Material Categorized2010-08-05T19:54:42Z<p>Martinknobloch: </p>
<hr />
<div>== Education Material Categorized ==<br />
<br />
Back to the [http://www.owasp.org/index.php/Category:OWASP_Education_Project Education Project]<br />
<br />
==== Profession / Interest ====<br />
Below you will find the education material categorized by profession and interest. <br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Management''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Student''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Developer''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Tester''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br><br />
<br />
==== OWASP Top Ten ====<br />
The [[:Category:OWASP_Top_Ten_Project |'''OWASP Top Ten''']] represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. There are currently versions in English, French, Japanese, Korean and Turkish. A Spanish version is in the works. We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A1|A1 - Cross Site Scripting (XSS)]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A2|A2 - Injection Flaws]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A3|A3 - Malicious File Execution]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A4|A4 - Insecure Direct Object Reference]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A5|A5 - Cross Site Request Forgery (CSRF)]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A6|A6 - Information Leakage and Improper Error Handling]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A7|A7 - Broken Authentication and Session Management]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A8|A8 - Insecure Cryptographic Storage]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A9|A9 - Insecure Communications]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A10|A10 - Failure to Restrict URL Access]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
<br />
<br><br />
<br />
==== OWASP Tooling ====<br />
An [[:Category:OWASP_Project |'''OWASP Project''']] is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. Tools and documents are organized into the following categories:<br />
* PROTECT - These are tools and documents that can be used to guard against security-related design and implementation flaws.<br />
* DETECT - These are tools and documents that can be used to find security-related design and implementation flaws.<br />
* LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).<br />
<br />
<hr><br>'''Protect:'''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_AntiSamy_Project|OWASP AntiSamy Java Project]] ''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Enterprise_Security_API|OWASP Enterprise Security API (ESAPI) Project]] ''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br />
<br>'''Detect:'''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Live_CD_Project|OWASP Live CD Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_WebScarab_Project|OWASP WebScarab Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br />
<br>'''Life Cycle:'''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_WebGoat_Project|OWASP WebGoat Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br><br />
==== OWASP Documentation ====<br />
An [[:Category:OWASP_Project |'''OWASP Project''']] is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. Tools and documents are organized into the following categories:<br />
* PROTECT - These are tools and documents that can be used to guard against security-related design and implementation flaws.<br />
* DETECT - These are tools and documents that can be used to find security-related design and implementation flaws.<br />
* LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).<br />
<br />
<hr><br>'''Protect:'''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Guide_Project|OWASP Development Guide]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Ruby_on_Rails_Security_Guide_V2|OWASP Ruby on Rails Security Guide V2]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br />
<br />
<br>'''Detect:'''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Code_Review_Project|OWASP Code Review Guide]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Testing_Project|OWASP Testing Guide]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Top_Ten_Project|OWASP Top Ten Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br />
<br>'''Life Cycle:'''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_AppSec_FAQ_Project|OWASP AppSec FAQ Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Legal_Project|OWASP Legal Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Source_Code_Review_OWASP_Projects_Project|OWASP Source Code Review for OWASP-Projects]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br><br />
<br />
==== CLASP roles ====<br />
[http://www.owasp.org/index.php/Category:OWASP_CLASP_Project '''CLASP'''] (Comprehensive, Lightweight Application Security Process) provides a well-organized and structured approach for moving security concerns into the early stages of the software development lifecycle, whenever possible.<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Architect]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Designer]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Implementer]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Project Manager]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Requirements Specifier]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Security Auditor]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Test Analyst]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br />
==== SAMM Disciplines & Functions ====<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Alignment & Governance''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Education & Guidance''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Standards & Compliance''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Strategic Planning''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF color:white"|<font color="003399">'''Requirements & Design''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Threat Modeling''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Security Requirements''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Defensive Design''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF color:white"|<font color="003399">'''Verification & Assessment''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Architecture Review''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Code Review''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Security Testing''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF color:white"|<font color="003399">'''Deployment & Operations''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Vulnerability Management''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Infrastructure Hardening''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Operational Enablement''' <br />
* beginner<br />
* mediate<br />
* expert<br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
__NOTOC__<br />
<headertabs/><br />
<br />
[[Category:OWASP Education Project]]</div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Category:GEC_Meetings&diff=87323Category:GEC Meetings2010-08-04T20:49:22Z<p>Martinknobloch: </p>
<hr />
<div>Agendas for past [http://www.owasp.org/index.php/Global_Education_Committee Global Education Committee] meetings are included in this category.<br />
<br />
Next meeting agenda: [[GEC Agenda 2010-05-26]]<br />
<br />
<br />
== Last meetings ==<br />
* [[GEC Agenda 2010-04-31]]<br />
* [[GEC Agenda 2010-03-31]]<br />
* [[GEC Agenda 2010-02-24]]<br />
* [[GEC_Agenda_2009-10-29]]<br />
* [[GEC_Agenda_2009-09-24]]<br />
* [[File:Owasp-gec-slides June 2009.ppt| June 2009 meeting]]<br />
* [[File:Owasp-gec-slides August 2009.ppt| August 2009 meeting]]<br />
<br />
== Dial-in Details ==<br />
<br />
We welcome participation from the OWASP community.<br />
<br />
If you wish to join a discussion please email one of the committee members.<br />
<br />
[[Category:Global_Education_Committee]]</div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Global_Education_Committee&diff=87100Global Education Committee2010-07-28T22:38:53Z<p>Martinknobloch: /* Monthly Report Format */</p>
<hr />
<div>[[Category:OWASP Project]]<br />
<br />
= About the Global Education Committee =<br />
'''The Global Education Committee was created during the OWASP EU Summit in Portugal 2008. The primary purpose of the Global Education Committee is to work with the [https://www.owasp.org/index.php/Category:OWASP_Education_Project OWASP Education Project] to provide educational materials for both internal and external users, and to develop liaisons with educational institutions worldwide.'''<br />
<br />
== Mission ==<br />
Provide awareness, training and educational services to corporate,<br />
government and educational institutions on application security.<br />
<br />
== Vision ==<br />
Make OWASP educational material globally available as a well known resource<br />
in easily consumable form mapped to a framework tied specifically to user<br />
roles and responsibilities<br />
<br />
== Committee Members ==<br />
Chairs: [mailto:martin.knobloch@owasp.org Martin Knobloch] (Netherlands) and [mailto:kuai.hinojosa@owasp.org Kuai Hinojosa] (U.S.)<br />
<br />
* [mailto:mano.paul@securisksolutions.com Mano Paul] (U.S.)<br />
* [mailto:eduardo.neves@owasp.org Eduardo Neves] (Brazil)<br />
* [mailto:cecil.su@GRANTTHORNTON.COM.SG Cecil Su] (Singapore)<br />
* [mailto:fabio.e.cerullo@aib.ie Fabio Cerullo] (Ireland)<br />
* [mailto:andrzej.targosz@proidea.org.pl Andrzej Targosz] (Poland)<br />
* [mailto:nishi787@hotmail.com Nishi Kumar] (U.S.)<br />
* [mailto:sebastien.gioria@owasp.org Sebastien Gioria] (France)<br />
<br />
= Monthly Report Format =<br />
<br />
Date of last update: July 28th<br />
Updated by: Martin Knobloch<br />
<br />
Accomplishments for this Month<br />
* Updates on the CTF and Education project (and project wikis)<br />
* Getting in contact with universities <br />
* <br />
Planned for Next Month<br />
* Update GEC targets and Committee wiki<br />
* Update GEC committee members<br />
* OWASP Education Committee, namely: development and packaging of OWASP Training materials and the development of the 'OWASP Academies' concept <br />
Issues/Risks/Challenges<br />
* Finding new active members<br />
* Refocusing on less targets<br />
*<br />
<br />
[https://www.owasp.org/index.php/How_to_Join_a_Committee How to join this committee]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/global_education_committee Join our mailing list]<br />
<br />
<paypal>Global Education Committee</paypal><br />
<br />
== Scheduled Meetings ==<br />
<pre><br />
The Global Education Committee Meetings take place via conference call at every last Wednesday of the month <br />
at the following local times: <br />
4:00 p.m. @ Austin, Texas <br />
5:00 p.m. @ New York <br />
8:00 p.m. @ Brasil <br />
11:00 p.m. @ Netherlands<br />
5:00 a.m. @ Singapore (following day)<br />
The Dial in number: +1-866-534-4754, Guest Code: 891237<br />
</pre><br />
===Agenda===<br />
* [[GEC Agenda 2010-02-24|24th Feb 2010]]<br />
<br />
All meeting agendas and notes are on the [[:Category:GEC Meetings|GEC Meetings]] page<br />
<br />
<br />
== Targets <font color="red">'''(DRAFT)'''</font> ==<br />
Below you can find the timeline, what has to be achieved by when. <br />
All tasks must be SMART!<br />
<br />
{| class="prettytable"<br />
! Update July 2010<br />
! Task<br />
! Deadline<br />
! Type<br />
! Status<br />
! Description<br />
! Who<br />
|-<br />
| Finished<br />
| [[Categorize (Organization) of educational materials]]<br />
| N/A<br />
| Documentation<br />
| Done<br />
| Categorize / Organization of the educational materials for audience by roles and responsibilities/technologies and use the summit workshop notes.<br />
| Martin<br />
|-<br />
| Package has been created for the OWASP London Training<br />
| [[Train the trainers (Teach the teachers)]]<br />
| '''Q1/Q2/Q3/Q4 2009'''<br />
| Delivery <br />
| in progress<br />
| Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
| Fabio / Nishi<br />
|-<br />
| Died <br />
| [[Create an online assessment and training portal]]<br />
| '''Q2/Q3/Q4 2009'''<br />
| Delivery <br />
| Planning<br />
| Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
| Mano/Fabio<br />
|-<br />
| on hold <br />
| [[OWASP Boot Camp Project]]<br />
| '''Proposal:''' February 2009 '''Final:''' October 2009 at OWASP AppSec US 2009<br />
| Delivery <br />
| waiting on project content<br />
| OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project<br />
| Martin<br />
|-<br />
| active, CTF hold at OWASP AppSec-EU<br />
| [[OWASP CTF event]]<br />
| OWASP AppSec Conferences<br />
| Delivery <br />
| Done<br />
| Develop an OWASP Capture the Flag contest that can easily be used at OWASP conferences.<br />
| Martin<br />
|-<br />
| on hold<br />
| [[Speakers Bureau Project]]<br />
| '''TBD'''<br />
| Delivery <br />
| '''started'''<br />
| List of speakers, Name, Bio, Topics, History <br><br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
| Martin<br />
|-<br />
| Died<br />
| [[Marketing efforts]]<br />
| '''Q4 2009'''<br />
| Awareness Services <br />
| Started<br />
| Select material.<br />
| Eduardo<br />
|-<br />
| Hibernating, update requested<br />
| [[Internationalization of the training materials]]<br />
| '''Q4 2009'''<br />
| Awareness Services <br />
| Started<br />
| Select material for translation services for highly spoken languages <br />
| Eduardo<br />
|-<br />
| busy, just a darn long-lasting task<br />
| [[Education material]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| started<br />
| All projects should be summoned to create educational material (training service)<br />
1) Each project --> Documents (help), Tool, Training; Live CD (Portable)<br />
| Martin<br />
|-<br />
| Uncertain, update requested<br />
| [[Educational Academic Services]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| <br />
<br />
3 universities are already in contact and are planning OWASP events to participate in. <br />
<br />
| Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events.<br />
<br />
1) New York University<br />
2) Cornell University<br />
3) Princeton University<br />
4) University of Minnesota<br />
5) Columbia University<br />
<br />
As a result of these initiatives we would hope to see:<br />
<br />
1) Confirming participation at arranged events<br />
2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project <br />
3) University faculty, staff and students participate in local and international events/meetings<br />
4) University faculty, staff and students contribute to OWASP projects<br />
<br />
|Kuai Hinojosa, Andrzej<br />
|}<br />
<br />
= Proposal <font color="red">'''(DRAFT)'''</font> =<br />
== Categorize (Organization) of educational materials ==<br />
Objective: Categorize / Organize educational material, restyle the Education Project website.<br><br />
<br />
Activities/Deadline:<br> <br />
* Categorize education material according to the CLASP roles<br><br />
* Group material into management-ish, student-ish, technical-ish <br><br />
<br />
Benefits<br><br />
Target specific demographic (managers, students...) Provide easy access to education material. Efficient categorization of education materials.<br />
<br />
== Train the trainers (Teach the teachers) ==<br />
Objective:<br />
Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
<br />
Activities/Deadline:<br />
# Develop criteria to identify and approve trainers / Q1 2009<br />
# Identify pertinent OWASP related material that will be included in the training kit / Q2 2009. This is dependent on the education project organizing material.<br />
# Create a training toolkit with pre-built presentation and training materials, assessments etc. / Q3 2009<br />
# Conduct train the trainer sessions (remote or in-person) / Q4 2009<br />
<br />
Benefits:<br />
The training kit and trained trainers will be available resources promoting OWASP in local events worldwide.<br />
<br />
== Create an online assessment and training portal ==<br />
Objective:<br />
Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
<br />
Activities/Deadline:<br />
# Generate OWASP assessment items (can use the testing guide and other sources) / Q2-Q3 2009<br />
# Develop an assessment portal to deliver assessments with robust reporting by knowledge area / Q4 2009<br />
# Develop a training portal to allow training providers to publish and promote their training offerings / Q4 2009<br />
This can be developed as a summer of code project but is not a requirement. <br />
<br />
Benefits:<br />
Assessments that can be offered in OWASP events and other conferences to users will increase OWASP awareness. The portal can become the link between trainers and trainees and will eventually help in increasing the awareness and knowledge of application security in the industry.<br />
<br />
== OWASP Boot Camp Project ==<br />
Objective<br><br />
To deliver a Boot Camp session; delivering one would become one of the main criteria for a project to reach alpha status<br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
<br />
== OWASP CTF event ==<br />
Objective<br />
Generate a Capture The Flag framework to be offered at OWASP events<br />
<br />
Activities/Deadline: <br />
* Andrzej will contact the organizers of the CTF from the Denver OWASP Conference and work on using the same model<br />
<br />
Benefits<br />
Capture The Flag events are very popular at conferences; creating an OWASP-specific CTF will offer entertainment at events, generate attendee participation, etc.<br />
<br />
== Speakers Bureau Project ==<br />
<br />
Objective<br><br />
OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project<br><br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
List of speakers, Name, Bio, Topics, History <br />
Speakers in conferences (OOTM ask for funds on this)/summit<br />
<br />
Speakers Agreement - https://www.owasp.org/index.php/Speaker_Agreement<br />
<br />
== Marketing efforts ==<br />
Objective: To promote OWASP projects, events, education material and OWASP mission.<br><br />
<br />
Activities/Deadline:<br> <br />
* Gather flyers, Brochures of OWASP Top 10, Testing Guide<br />
<br />
Benefits<br><br />
Group promotional material which can be handed out at events<br />
<br />
== Internationalization of the training materials ==<br />
Objective<br><br />
Translate training materials<br />
<br />
Activities/Deadline:<br> <br />
Identify points of contact for translation efforts and set up a deadline<br />
Translate material in French, Portuguese, Spanish, Malay, Italian, Indonesian, Chinese<br />
<br />
Benefits<br><br />
To reach international audiences<br />
<br />
== Education material ==<br />
Objective: Consolidate all projects (Tools, Help Documents, Presentations, LiveCD) to create educational material (training service) <br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
<br />
== Academic Educational Services ==<br />
Objectives<br><br />
Promote and encourage OWASP resources at accredited universities around the world within the next 12 months by introducing OWASP training and education material at university events.<br />
<br />
Activities/Deadline:<br />
<br />
* Build a list of at least 5 Universities with computer science or risk management programs that can be targeted /Q1 2009 <br />
* Establish communication with targeted universities, generate key contacts and establish relationships /Q1 - Q4 2009<br />
* Develop a list of possible academic events in which to participate /Q1 - Q2 2009 <br />
* Participate in at least 1 Academic event, present case studies or OWASP education materials /Q1 - Q4<br />
<br />
Benefits<br><br />
OWASP will gain exposure in the academic industry, starting with accredited universities around the world. Universities will become members of OWASP, provide meeting space, students will apply to OWASP grants, and provide support and structure</div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Global_Education_Committee&diff=87099Global Education Committee2010-07-28T22:31:41Z<p>Martinknobloch: /* Targets (DRAFT) */</p>
<hr />
<div>[[Category:OWASP Project]]<br />
<br />
= About the Global Education Committee =<br />
'''The Global Education Committee was created during the OWASP EU Summit in Portugal 2008. The primary purpose of the Global Education Committee is to work with the [https://www.owasp.org/index.php/Category:OWASP_Education_Project OWASP Education Project] to provide educational materials for both internal and external users, and to develop liaisons with educational institutions worldwide.'''<br />
<br />
== Mission ==<br />
Provide awareness, training and educational services to corporate,<br />
government and educational institutions on application security.<br />
<br />
== Vision ==<br />
Make OWASP educational material globally available as a well known resource<br />
in easily consumable form mapped to a framework tied specifically to user<br />
roles and responsibilities<br />
<br />
== Committee Members ==<br />
Chairs: [mailto:martin.knobloch@owasp.org Martin Knobloch] (Netherlands) and [mailto:kuai.hinojosa@owasp.org Kuai Hinojosa] (U.S.)<br />
<br />
* [mailto:mano.paul@securisksolutions.com Mano Paul] (U.S.)<br />
* [mailto:eduardo.neves@owasp.org Eduardo Neves] (Brazil)<br />
* [mailto:cecil.su@GRANTTHORNTON.COM.SG Cecil Su] (Singapore)<br />
* [mailto:fabio.e.cerullo@aib.ie Fabio Cerullo] (Ireland)<br />
* [mailto:andrzej.targosz@proidea.org.pl Andrzej Targosz] (Poland)<br />
* [mailto:nishi787@hotmail.com Nishi Kumar] (U.S.)<br />
* [mailto:sebastien.gioria@owasp.org Sebastien Gioria] (France)<br />
<br />
= Monthly Report Format =<br />
<br />
Date of last update: July 28th<br />
Updated by: Martin Knobloch<br />
<br />
Accomplishments for this Month<br />
* Updates on the CTF and Education project (and project wikis)<br />
* Getting in contact with universities <br />
* <br />
Planned for Next Month<br />
* Update GEC targets and Committee wiki<br />
* Update GEC committee members<br />
*<br />
Issues/Risks/Challenges<br />
* Finding new active members<br />
* Refocusing on less targets<br />
*<br />
<br />
[https://www.owasp.org/index.php/How_to_Join_a_Committee How to join this committee]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/global_education_committee Join our mailing list]<br />
<br />
<paypal>Global Education Committee</paypal><br />
<br />
== Scheduled Meetings ==<br />
<pre><br />
The Global Education Committee Meetings take place via conference call at every last Wednesday of the month <br />
at the following local times: <br />
4:00 p.m. @ Austin, Texas <br />
5:00 p.m. @ New York <br />
8:00 p.m. @ Brasil <br />
11:00 p.m. @ Netherlands<br />
5:00 a.m. @ Singapore (following day)<br />
The Dial in number: +1-866-534-4754, Guest Code: 891237<br />
</pre><br />
===Agenda===<br />
* [[GEC Agenda 2010-02-24|24th Feb 2010]]<br />
<br />
All meeting agendas and notes are on the [[:Category:GEC Meetings|GEC Meetings]] page<br />
<br />
<br />
== Targets <font color="red">'''(DRAFT)'''</font> ==<br />
Below you can find the timeline, what has to be achieved by when. <br />
All tasks must be SMART!<br />
<br />
{| class="prettytable"<br />
! Update July 2010<br />
! Task<br />
! Deadline<br />
! Type<br />
! Status<br />
! Description<br />
! Who<br />
|-<br />
| Finished<br />
| [[Categorize (Organization) of educational materials]]<br />
| N/A<br />
| Documentation<br />
| Done<br />
| Categorize / Organization of the educational materials for audience by roles and responsibilities/technologies and use the summit workshop notes.<br />
| Martin<br />
|-<br />
| Package has been created for the OWASP London Training<br />
| [[Train the trainers (Teach the teachers)]]<br />
| '''Q1/Q2/Q3/Q4 2009'''<br />
| Delivery <br />
| in progress<br />
| Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
| Fabio / Nishi<br />
|-<br />
| Died <br />
| [[Create an online assessment and training portal]]<br />
| '''Q2/Q3/Q4 2009'''<br />
| Delivery <br />
| Planning<br />
| Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
| Mano/Fabio<br />
|-<br />
| on hold <br />
| [[OWASP Boot Camp Project]]<br />
| '''Proposal:''' February 2009 '''Final:''' October 2009 at OWASP AppSec US 2009<br />
| Delivery <br />
| waiting on project content<br />
| OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project<br />
| Martin<br />
|-<br />
| active, CTF hold at OWASP AppSec-EU<br />
| [[OWASP CTF event]]<br />
| OWASP AppSec Conferences<br />
| Delivery <br />
| Done<br />
| Develop an OWASP Capture the Flag contest that can easily be used at OWASP conferences.<br />
| Martin<br />
|-<br />
| on hold<br />
| [[Speakers Bureau Project]]<br />
| '''TBD'''<br />
| Delivery <br />
| '''started'''<br />
| List of speakers, Name, Bio, Topics, History <br><br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
| Martin<br />
|-<br />
| Died<br />
| [[Marketing efforts]]<br />
| '''Q4 2009'''<br />
| Awareness Services <br />
| Started<br />
| Select material.<br />
| Eduardo<br />
|-<br />
| Hibernating, update requested<br />
| [[Internationalization of the training materials]]<br />
| '''Q4 2009'''<br />
| Awareness Services <br />
| Started<br />
| Select material for translation services for highly spoken languages <br />
| Eduardo<br />
|-<br />
| busy, just a darn long-lasting task<br />
| [[Education material]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| started<br />
| All projects should be summoned to create educational material (training service)<br />
1) Each project --> Documents (help), Tool, Training; Live CD (Portable)<br />
| Martin<br />
|-<br />
| Uncertain, update requested<br />
| [[Educational Academic Services]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| <br />
<br />
3 universities are already in contact and are planning OWASP events to participate in. <br />
<br />
| Incorporate OWASP into the following top 5 Universities, within the next 12 months by introducing OWASP training and education resources at University's events.<br />
<br />
1) New York University<br />
2) Cornell University<br />
3) Princeton University<br />
4) University of Minnesota<br />
5) Columbia University<br />
<br />
As a result of these initiatives we would hope to see:<br />
<br />
1) Confirming participation at arranged events<br />
2) Asking Universities to recognize they are using our resources by allowing us to place their names in wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project <br />
3) University faculty, staff and students participate in local and international events/meetings<br />
4) University faculty, staff and students contribute to OWASP projects<br />
<br />
|Kuai Hinojosa, Andrzej<br />
|}<br />
<br />
= Proposal <font color="red">'''(DRAFT)'''</font> =<br />
== Categorize (Organization) of educational materials ==<br />
Objective: Categorize / Organize educational material, restyle the Education Project website.<br><br />
<br />
Activities/Deadline:<br> <br />
* Categorize education material according to the CLASP roles<br><br />
* Group material into management-ish, student-ish, technical-ish <br><br />
<br />
Benefits<br><br />
Target specific demographic (managers, students...) Provide easy access to education material. Efficient categorization of education materials.<br />
<br />
== Train the trainers (Teach the teachers) ==<br />
Objective:<br />
Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
<br />
Activities/Deadline:<br />
# Develop criteria to identify and approve trainers / Q1 2009<br />
# Identify pertinent OWASP related material that will be included in the training kit / Q2 2009. This is dependent on the education project organizing material.<br />
# Create a training toolkit with pre-built presentation and training materials, assessments etc. / Q3 2009<br />
# Conduct train the trainer sessions (remote or in-person) / Q4 2009<br />
<br />
Benefits:<br />
The training kit and trained trainers will be available resources promoting OWASP in local events worldwide.<br />
<br />
== Create an online assessment and training portal ==<br />
Objective:<br />
Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
<br />
Activities/Deadline:<br />
# Generate OWASP assessment items (can use the testing guide and other sources) / Q2-Q3 2009<br />
# Develop an assessment portal to deliver assessments with robust reporting by knowledge area / Q4 2009<br />
# Develop a training portal to allow training providers to publish and promote their training offerings / Q4 2009<br />
This can be developed as a summer of code project but is not a requirement. <br />
<br />
Benefits:<br />
Assessments that can be offered in OWASP events and other conferences to users will increase OWASP awareness. The portal can become the link between trainers and trainees and will eventually help in increasing the awareness and knowledge of application security in the industry.<br />
<br />
== OWASP Boot Camp Project ==<br />
Objective<br><br />
To deliver a Boot Camp session; delivering one would become one of the main criteria for a project to reach alpha status<br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
<br />
== OWASP CTF event ==<br />
Objective<br />
Generate a Capture The Flag framework to be offered at OWASP events<br />
<br />
Activities/Deadline: <br />
* Andrzej will contact the organizers of the CTF from the Denver OWASP Conference and work on using the same model<br />
<br />
Benefits<br />
Capture The Flag events are very popular at conferences; creating an OWASP-specific CTF will offer entertainment at events, generate attendee participation, etc.<br />
<br />
== Speakers Bureau Project ==<br />
<br />
Objective<br><br />
OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project<br><br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
List of speakers, Name, Bio, Topics, History <br />
Speakers in conferences (OOTM ask for funds on this)/summit<br />
<br />
Speakers Agreement - https://www.owasp.org/index.php/Speaker_Agreement<br />
<br />
== Marketing efforts ==<br />
Objective: To promote OWASP projects, events, education material and OWASP mission.<br><br />
<br />
Activities/Deadline:<br> <br />
* Gather flyers, Brochures of OWASP Top 10, Testing Guide<br />
<br />
Benefits<br><br />
Group promotional material which can be handed out at events<br />
<br />
== Internationalization of the training materials ==<br />
Objective<br><br />
Translate training materials<br />
<br />
Activities/Deadline:<br> <br />
Identify points of contact for translation efforts and set up a deadline<br />
Translate material in French, Portuguese, Spanish, Malay, Italian, Indonesian, Chinese<br />
<br />
Benefits<br><br />
To reach international audiences<br />
<br />
== Education material ==<br />
Objective: Consolidate all projects (Tools, Help Documents, Presentations, LiveCD) to create educational material (training service) <br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
<br />
== Academic Educational Services ==<br />
Objectives<br><br />
Promote and encourage OWASP resources at accredited universities around the world within the next 12 months by introducing OWASP training and education material at university events.<br />
<br />
Activities/Deadline:<br />
<br />
* Build a list of at least 5 Universities with computer science or risk management programs that can be targeted /Q1 2009 <br />
* Establish communication with targeted universities, generate key contacts and establish relationships /Q1 - Q4 2009<br />
* Develop a list of possible academic events in which to participate /Q1 - Q2 2009 <br />
* Participate in at least 1 Academic event, present case studies or OWASP education materials /Q1 - Q4<br />
<br />
Benefits<br><br />
OWASP will gain exposure in the academic industry, starting with accredited universities around the world. Universities will become members of OWASP, provide meeting space, students will apply to OWASP grants, and provide support and structure</div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Global_Education_Committee&diff=87098Global Education Committee2010-07-28T22:21:03Z<p>Martinknobloch: /* Monthly Report Format */</p>
<hr />
<div>[[Category:OWASP Project]]<br />
<br />
= About the Global Education Committee =<br />
'''The Global Education Committee was created during the OWASP EU Summit in Portugal 2008. The primary purpose of the Global Education Committee is to work with the [https://www.owasp.org/index.php/Category:OWASP_Education_Project OWASP Education Project] to provide educational materials for both internal and external users, and to develop liaisons with educational institutions worldwide.'''<br />
<br />
== Mission ==<br />
Provide awareness, training and educational services to corporate,<br />
government and educational institutions on application security.<br />
<br />
== Vision ==<br />
Make OWASP educational material globally available as a well known resource<br />
in easily consumable form mapped to a framework tied specifically to user<br />
roles and responsibilities<br />
<br />
== Committee Members ==<br />
Chairs: [mailto:martin.knobloch@owasp.org Martin Knobloch] (Netherlands) and [mailto:kuai.hinojosa@owasp.org Kuai Hinojosa] (U.S.)<br />
<br />
* [mailto:mano.paul@securisksolutions.com Mano Paul] (U.S.)<br />
* [mailto:eduardo.neves@owasp.org Eduardo Neves] (Brazil)<br />
* [mailto:cecil.su@GRANTTHORNTON.COM.SG Cecil Su] (Singapore)<br />
* [mailto:fabio.e.cerullo@aib.ie Fabio Cerullo] (Ireland)<br />
* [mailto:andrzej.targosz@proidea.org.pl Andrzej Targosz] (Poland)<br />
* [mailto:nishi787@hotmail.com Nishi Kumar] (U.S.)<br />
* [mailto:sebastien.gioria@owasp.org Sebastien Gioria] (France)<br />
<br />
= Monthly Report Format =<br />
<br />
Date of last update: July 28th<br />
Updated by: Martin Knobloch<br />
<br />
Accomplishments for this Month<br />
* Updates on the CTF and Education project (and project wikis)<br />
* Getting in contact with universities <br />
* <br />
Planned for Next Month<br />
* Update GEC targets and Committee wiki<br />
* Update GEC committee members<br />
*<br />
Issues/Risks/Challenges<br />
* Finding new active members<br />
* Refocusing on less targets<br />
*<br />
<br />
[https://www.owasp.org/index.php/How_to_Join_a_Committee How to join this committee]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/global_education_committee Join our mailing list]<br />
<br />
<paypal>Global Education Committee</paypal><br />
<br />
== Scheduled Meetings ==<br />
<pre><br />
The Global Education Committee Meetings take place via conference call at every last Wednesday of the month <br />
at the following local times: <br />
4:00 p.m. @ Austin, Texas <br />
5:00 p.m. @ New York <br />
8:00 p.m. @ Brasil <br />
11:00 p.m. @ Netherlands<br />
5:00 a.m. @ Singapore (following day)<br />
The Dial in number: +1-866-534-4754, Guest Code: 891237<br />
</pre><br />
===Agenda===<br />
* [[GEC Agenda 2010-02-24|24th Feb 2010]]<br />
<br />
All meeting agendas and notes are on the [[:Category:GEC Meetings|GEC Meetings]] page<br />
<br />
<br />
== Targets <font color="red">'''(DRAFT)'''</font> ==<br />
Below you can find the timeline: what has to be achieved by when. <br />
All tasks must be SMART!<br />
<br />
{| class="prettytable"<br />
! Task<br />
! Deadline<br />
! Type<br />
! Status<br />
! Description<br />
! Who<br />
|-<br />
| [[Categorize (Organization) of educational materials]]<br />
| N/A<br />
| Documentation<br />
| Done<br />
| Categorize / organize the educational materials for the audience by roles and responsibilities/technologies, using the summit workshop notes.<br />
| Martin<br />
|-<br />
| [[Train the trainers (Teach the teachers)]]<br />
| '''Q1/Q2/Q3/Q4 2009'''<br />
| Delivery <br />
| Planning<br />
| Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
| Mano/Fabio<br />
|-<br />
| [[Create an online assessment and training portal]]<br />
| '''Q2/Q3/Q4 2009'''<br />
| Delivery <br />
| Planning<br />
| Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
| Mano/Fabio<br />
|-<br />
| [[OWASP Boot Camp Project]]<br />
| '''Proposal:''' February 2009 '''Final:''' October 2009 at OWASP AppSec US 2009<br />
| Delivery <br />
| Waiting on project content<br />
| OWASP Boot Camp about the OWASP projects; delivering a Boot Camp presentation should be one of the criteria for a project to get alpha status<br />
| Martin<br />
|-<br />
| [[OWASP CTF event]]<br />
| OWASP AppSec Conferences<br />
| Delivery <br />
| Done<br />
| Develop an OWASP Capture the Flag contest that can easily be used at OWASP conferences.<br />
| Martin<br />
|-<br />
| [[Speakers Bureau Project]]<br />
| '''TBD'''<br />
| Delivery <br />
| '''started'''<br />
| List of speakers, Name, Bio, Topics, History <br><br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
| Martin<br />
|-<br />
| [[Marketing efforts]]<br />
| '''Q4 2009'''<br />
| Awareness Services <br />
| Started<br />
| Select material.<br />
| Eduardo<br />
|-<br />
| [[Internationalization of the training materials]]<br />
| '''Q4 2009'''<br />
| Awareness Services <br />
| Started<br />
| Select material for translation services for widely spoken languages <br />
| Eduardo<br />
|-<br />
| [[Education material]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| started<br />
| All projects should be asked to create educational material (training service)<br />
1) Each project --> documents (help), tool, training; Live CD (portable)<br />
| Martin<br />
|-<br />
| [[Educational Academic Services]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| <br />
<br />
Already in contact with 3 universities and planning OWASP events to participate in. <br />
<br />
| Incorporate OWASP into the following top 5 universities within the next 12 months by introducing OWASP training and education resources at university events.<br />
<br />
1) New York University<br />
2) Cornell University<br />
3) Princeton University<br />
4) University of Minnesota<br />
5) Columbia University<br />
<br />
As a result of this initiative we would hope to see:<br />
<br />
1) Confirming participation at arranged events<br />
2) Asking universities to acknowledge that they are using our resources by allowing us to place their names on wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project <br />
3) University faculty, staff and students participate in local and international events/meetings<br />
4) University faculty, staff and students contribute to OWASP projects<br />
<br />
|Kuai Hinojosa, Andrzej<br />
|}<br />
<br />
= Proposal <font color="red">'''(DRAFT)'''</font> =<br />
== Categorize (Organization) of educational materials ==<br />
Objective: Categorize / organize educational material, restyle the Education Project website.<br><br />
<br />
Activities/Deadline:<br> <br />
* Categorize education material according to the CLASP roles<br><br />
* Group material into management-ish, student-ish, technical-ish <br><br />
<br />
Benefits<br><br />
Target specific demographics (managers, students, ...). Provide easy access to education material. Efficient categorization of education materials.<br />
<br />
== Train the trainers (Teach the teachers) ==<br />
Objective:<br />
Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
<br />
Activities/Deadline:<br />
# Develop criteria to identify and approve trainers / Q1 2009<br />
# Identify pertinent OWASP related material that will be included in the training kit / Q2 2009. This is dependent on the education project organizing material.<br />
# Create a training toolkit with pre-built presentation and training materials, assessments etc. / Q3 2009<br />
# Conduct train the trainer sessions (remote or in-person) / Q4 2009<br />
<br />
Benefits:<br />
The training kit and trained trainers will be available resources promoting OWASP in local events worldwide.<br />
<br />
== Create an online assessment and training portal ==<br />
Objective:<br />
Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
<br />
Activities/Deadline:<br />
# Generate OWASP assessment items (can use the testing guide and other sources) / Q2-Q3 2009<br />
# Develop an assessment portal for taking assessments, with robust reporting by knowledge area / Q4 2009<br />
# Develop a training portal to allow training providers to publish and promote their training offerings / Q4 2009<br />
This can be developed as a summer of code project but is not a requirement. <br />
<br />
Benefits:<br />
Assessments that can be offered in OWASP events and other conferences to users will increase OWASP awareness. The portal can become the link between trainers and trainees and will eventually help in increasing the awareness and knowledge of application security in the industry.<br />
<br />
== OWASP Boot Camp Project ==<br />
Objective<br><br />
To deliver a Boot Camp session, which would become one of the main criteria for a project to reach alpha status<br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
<br />
== OWASP CTF event ==<br />
Objective<br />
Generate a Capture The Flag framework to be offered at OWASP events<br />
<br />
Activities/Deadline: <br />
* Andrzej will contact the organizers of the CTF from the Denver OWASP Conference and work on using the same model<br />
<br />
Benefits<br />
Capture The Flag events are very popular at conferences; creating an OWASP-specific CTF will offer entertainment at events, generate attendee participation, etc.<br />
<br />
== Speakers Bureau Project ==<br />
<br />
Objective<br><br />
OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project<br><br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
List of speakers, Name, Bio, Topics, History <br />
Speakers in conferences (OOTM ask for funds on this)/summit<br />
<br />
Speakers Agreement - https://www.owasp.org/index.php/Speaker_Agreement<br />
<br />
== Marketing efforts ==<br />
Objective: To promote OWASP projects, events, education material and OWASP mission.<br><br />
<br />
Activities/Deadline:<br> <br />
* Gather flyers, Brochures of OWASP Top 10, Testing Guide<br />
<br />
Benefits<br><br />
Group promotional material which can be handed out at events<br />
<br />
== Internationalization of the training materials ==<br />
Objective<br><br />
Translate training materials<br />
<br />
Activities/Deadline:<br> <br />
Identify points of contact for translation efforts and set up a deadline<br />
Translate material into French, Portuguese, Spanish, Malay, Italian, Indonesian, Chinese<br />
<br />
Benefits<br><br />
To reach international audiences<br />
<br />
== Education material ==<br />
Objective: Consolidate all projects (tools, help documents, presentations, LiveCD) to create educational material (training service) <br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
<br />
== Academic Educational Services ==<br />
Objectives<br><br />
Promote and encourage OWASP resources at accredited universities around the world within the next 12 months by introducing OWASP training and education material at university events.<br />
<br />
Activities/Deadline:<br />
<br />
* Build a list of at least 5 Universities with computer science or risk management programs that can be targeted /Q1 2009 <br />
* Establish communication with targeted universities, generate key contacts and establish relationships /Q1 - Q4 2009<br />
* Develop a list of possible academic events in which to participate /Q1 - Q2 2009 <br />
* Participate in at least 1 Academic event, present case studies or OWASP education materials /Q1 - Q4<br />
<br />
Benefits<br><br />
OWASP will gain exposure in the academic sector, starting with accredited universities around the world. Universities will become members of OWASP and provide meeting space, students will apply for OWASP grants, and universities will provide support and structure</div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Global_Education_Committee&diff=87097Global Education Committee2010-07-28T21:48:29Z<p>Martinknobloch: /* Targets (DRAFT) */</p>
<hr />
<div>[[Category:OWASP Project]]<br />
<br />
= About the Global Education Committee =<br />
'''The Global Education Committee was created during the OWASP EU Summit in Portugal 2008. The primary purpose of the Global Education Committee is: to work with the [https://www.owasp.org/index.php/Category:OWASP_Education_Project OWASP Education Project] to provide educational materials for both internal and external users, develop liaisons with educational institutions worldwide.'''<br />
<br />
== Mission ==<br />
Provide awareness, training and educational services to corporate,<br />
government and educational institutions on application security.<br />
<br />
== Vision ==<br />
Make OWASP educational material globally available as a well known resource<br />
in easily consumable form mapped to a framework tied specifically to user<br />
roles and responsibilities<br />
<br />
== Committee Members ==<br />
Chairs: [mailto:martin.knobloch@owasp.org Martin Knobloch] (Netherlands) and [mailto:kuai.hinojosa@owasp.org Kuai Hinojosa] (U.S.)<br />
<br />
* [mailto:mano.paul@securisksolutions.com Mano Paul] (U.S.)<br />
* [mailto:eduardo.neves@owasp.org Eduardo Neves] (Brazil)<br />
* [mailto:cecil.su@GRANTTHORNTON.COM.SG Cecil Su] (Singapore)<br />
* [mailto:fabio.e.cerullo@aib.ie Fabio Cerullo] (Ireland)<br />
* [mailto:andrzej.targosz@proidea.org.pl Andrzej Targosz] (Poland)<br />
* [mailto:nishi787@hotmail.com Nishi Kumar] (U.S.)<br />
* [mailto:sebastien.gioria@owasp.org Sebastien Gioria] (France)<br />
<br />
= Monthly Report Format =<br />
<br />
Date of last update:<br />
Updated by:<br />
<br />
Accomplishments for this Month<br />
* <br />
*<br />
*<br />
Planned for Next Month<br />
*<br />
*<br />
*<br />
Issues/Risks/Challenges<br />
* <br />
* <br />
*<br />
<br />
[https://www.owasp.org/index.php/How_to_Join_a_Committee How to join this committee]<br />
<br />
[https://lists.owasp.org/mailman/listinfo/global_education_committee Join our mailing list]<br />
<br />
<paypal>Global Education Committee</paypal><br />
<br />
== Scheduled Meetings ==<br />
<pre><br />
The Global Education Committee Meetings take place via conference call at every last Wednesday of the month <br />
at the following local times: <br />
4:00 p.m. @ Austin, Texas <br />
5:00 p.m. @ New York <br />
8:00 p.m. @ Brasil <br />
11:00 p.m. @ Netherlands<br />
5:00 a.m. @ Singapore (following day)<br />
The Dial in number: +1-866-534-4754, Guest Code: 891237<br />
</pre><br />
===Agenda===<br />
* [[GEC Agenda 2010-02-24|24th Feb 2010]]<br />
<br />
All meeting agendas and notes are on the [[:Category:GEC Meetings|GEC Meetings]] page<br />
<br />
<br />
== Targets <font color="red">'''(DRAFT)'''</font> ==<br />
Below you can find the timeline: what has to be achieved by when. <br />
All tasks must be SMART!<br />
<br />
{| class="prettytable"<br />
! Task<br />
! Deadline<br />
! Type<br />
! Status<br />
! Description<br />
! Who<br />
|-<br />
| [[Categorize (Organization) of educational materials]]<br />
| N/A<br />
| Documentation<br />
| Done<br />
| Categorize / organize the educational materials for the audience by roles and responsibilities/technologies, using the summit workshop notes.<br />
| Martin<br />
|-<br />
| [[Train the trainers (Teach the teachers)]]<br />
| '''Q1/Q2/Q3/Q4 2009'''<br />
| Delivery <br />
| Planning<br />
| Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
| Mano/Fabio<br />
|-<br />
| [[Create an online assessment and training portal]]<br />
| '''Q2/Q3/Q4 2009'''<br />
| Delivery <br />
| Planning<br />
| Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
| Mano/Fabio<br />
|-<br />
| [[OWASP Boot Camp Project]]<br />
| '''Proposal:''' February 2009 '''Final:''' October 2009 at OWASP AppSec US 2009<br />
| Delivery <br />
| Waiting on project content<br />
| OWASP Boot Camp about the OWASP projects; delivering a Boot Camp presentation should be one of the criteria for a project to get alpha status<br />
| Martin<br />
|-<br />
| [[OWASP CTF event]]<br />
| OWASP AppSec Conferences<br />
| Delivery <br />
| Done<br />
| Develop an OWASP Capture the Flag contest that can easily be used at OWASP conferences.<br />
| Martin<br />
|-<br />
| [[Speakers Bureau Project]]<br />
| '''TBD'''<br />
| Delivery <br />
| '''started'''<br />
| List of speakers, Name, Bio, Topics, History <br><br />
Speakers in conferences (OOTM ask for funds on this)/summit <br />
| Martin<br />
|-<br />
| [[Marketing efforts]]<br />
| '''Q4 2009'''<br />
| Awareness Services <br />
| Started<br />
| Select material.<br />
| Eduardo<br />
|-<br />
| [[Internationalization of the training materials]]<br />
| '''Q4 2009'''<br />
| Awareness Services <br />
| Started<br />
| Select material for translation services for widely spoken languages <br />
| Eduardo<br />
|-<br />
| [[Education material]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| started<br />
| All projects should be asked to create educational material (training service)<br />
1) Each project --> documents (help), tool, training; Live CD (portable)<br />
| Martin<br />
|-<br />
| [[Educational Academic Services]]<br />
| '''TBD'''<br />
| Training & Educational Services <br />
| <br />
<br />
Already in contact with 3 universities and planning OWASP events to participate in. <br />
<br />
| Incorporate OWASP into the following top 5 universities within the next 12 months by introducing OWASP training and education resources at university events.<br />
<br />
1) New York University<br />
2) Cornell University<br />
3) Princeton University<br />
4) University of Minnesota<br />
5) Columbia University<br />
<br />
As a result of this initiative we would hope to see:<br />
<br />
1) Confirming participation at arranged events<br />
2) Asking universities to acknowledge that they are using our resources by allowing us to place their names on wiki pages such as http://www.owasp.org/index.php/OWASP_Top_Ten_Project <br />
3) University faculty, staff and students participate in local and international events/meetings<br />
4) University faculty, staff and students contribute to OWASP projects<br />
<br />
|Kuai Hinojosa, Andrzej<br />
|}<br />
<br />
= Proposal <font color="red">'''(DRAFT)'''</font> =<br />
== Categorize (Organization) of educational materials ==<br />
Objective: Categorize / organize educational material, restyle the Education Project website.<br><br />
<br />
Activities/Deadline:<br> <br />
* Categorize education material according to the CLASP roles<br><br />
* Group material into management-ish, student-ish, technical-ish <br><br />
<br />
Benefits<br><br />
Target specific demographics (managers, students, ...). Provide easy access to education material. Efficient categorization of education materials.<br />
<br />
== Train the trainers (Teach the teachers) ==<br />
Objective:<br />
Develop a train the trainer program that will train trainers to deliver training on OWASP related material.<br />
<br />
Activities/Deadline:<br />
# Develop criteria to identify and approve trainers / Q1 2009<br />
# Identify pertinent OWASP related material that will be included in the training kit / Q2 2009. This is dependent on the education project organizing material.<br />
# Create a training toolkit with pre-built presentation and training materials, assessments etc. / Q3 2009<br />
# Conduct train the trainer sessions (remote or in-person) / Q4 2009<br />
<br />
Benefits:<br />
The training kit and trained trainers will be available resources promoting OWASP in local events worldwide.<br />
<br />
== Create an online assessment and training portal ==<br />
Objective:<br />
Develop an OWASP assessment and training portal that end users can use to gauge their knowledge on OWASP concepts and training providers can use to promote their training offerings.<br />
<br />
Activities/Deadline:<br />
# Generate OWASP assessment items (can use the testing guide and other sources) / Q2-Q3 2009<br />
# Develop an assessment portal for taking assessments, with robust reporting by knowledge area / Q4 2009<br />
# Develop a training portal to allow training providers to publish and promote their training offerings / Q4 2009<br />
This can be developed as a summer of code project but is not a requirement. <br />
<br />
Benefits:<br />
Assessments that can be offered in OWASP events and other conferences to users will increase OWASP awareness. The portal can become the link between trainers and trainees and will eventually help in increasing the awareness and knowledge of application security in the industry.<br />
<br />
== OWASP Boot Camp Project ==<br />
Objective<br><br />
To deliver a Boot Camp session, which would become one of the main criteria for a project to reach alpha status<br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
<br />
== OWASP CTF event ==<br />
Objective<br />
Generate a Capture The Flag framework to be offered at OWASP events<br />
<br />
Activities/Deadline: <br />
* Andrzej will contact the organizers of the CTF from the Denver OWASP Conference and work on using the same model<br />
<br />
Benefits<br />
Capture The Flag events are very popular at conferences; creating an OWASP-specific CTF will offer entertainment at events, generate attendee participation, etc.<br />
<br />
== Speakers Bureau Project ==<br />
<br />
Objective<br><br />
OWASP Boot Camp about the OWASP projects, to deliver a Boot Camp presentation should be one of the criteria to get an alpha status as project<br><br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
List of speakers, Name, Bio, Topics, History <br />
Speakers in conferences (OOTM ask for funds on this)/summit<br />
<br />
Speakers Agreement - https://www.owasp.org/index.php/Speaker_Agreement<br />
<br />
== Marketing efforts ==<br />
Objective: To promote OWASP projects, events, education material and OWASP mission.<br><br />
<br />
Activities/Deadline:<br> <br />
* Gather flyers, Brochures of OWASP Top 10, Testing Guide<br />
<br />
Benefits<br><br />
Group promotional material which can be handed out at events<br />
<br />
== Internationalization of the training materials ==<br />
Objective<br><br />
Translate training materials<br />
<br />
Activities/Deadline:<br> <br />
Identify points of contact for translation efforts and set up a deadline<br />
Translate material into French, Portuguese, Spanish, Malay, Italian, Indonesian, Chinese<br />
<br />
Benefits<br><br />
To reach international audiences<br />
<br />
== Education material ==<br />
Objective: Consolidate all projects (tools, help documents, presentations, LiveCD) to create educational material (training service) <br />
<br />
Activities/Deadline:<br> <br />
<br />
Benefits<br><br />
<br />
== Academic Educational Services ==<br />
Objectives<br><br />
Promote and encourage OWASP resources at accredited universities around the world within the next 12 months by introducing OWASP training and education material at university events.<br />
<br />
Activities/Deadline:<br />
<br />
* Build a list of at least 5 Universities with computer science or risk management programs that can be targeted /Q1 2009 <br />
* Establish communication with targeted universities, generate key contacts and establish relationships /Q1 - Q4 2009<br />
* Develop a list of possible academic events in which to participate /Q1 - Q2 2009 <br />
* Participate in at least 1 Academic event, present case studies or OWASP education materials /Q1 - Q4<br />
<br />
Benefits<br><br />
OWASP will gain exposure in the academic sector, starting with accredited universities around the world. Universities will become members of OWASP and provide meeting space, students will apply for OWASP grants, and universities will provide support and structure</div>Martinknoblochhttps://wiki.owasp.org/index.php?title=OWASP_CTF_event&diff=87096OWASP CTF event2010-07-28T21:43:27Z<p>Martinknobloch: </p>
<hr />
<div>__NOTOC__<br />
<br />
Return to [[Global Education Committee]]<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#4058A0; color:white"|<font color="white">'''ACTIVITY IDENTIFICATION''' <br />
|-<br />
| style="width:15%; background:#7B8ABD" align="center"|'''Activity Name'''<br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|'''Capture the Flag''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Short Description''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|Develop CtF contest<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Related Projects ''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|None<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Email Contacts & Roles'''<br />
| style="width:25%; background:#cccccc" align="center"|'''Primary'''<br>[mailto:andrzej.targosz(at)proidea.org.pl '''Andrzej Targosz'''] <br />
| style="width:25%; background:#cccccc" align="center"|'''Secondary'''<br>[mailto:martin.knobloch(at)owasp '''Martin Knobloch'''] <br />
| style="width:25%; background:#cccccc" align="center"|'''[https://lists.owasp.org/mailman/listinfo/owasp-ctf The CTF project's Mailing list]'''<br />
|}<br />
<br><br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#4058A0; color:white"|<font color="white">'''Prepare CtF rules''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Objectives'''<br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
<br />
1) Prepare CtF rules<br><br />
2) Develop Capture the Flag contest<br><br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Deadlines''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
OWASP EU, May 2009<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Status''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
Building the team to prepare CtF contest.<br />
<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Resources''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
Previous CtF contests<br />
|-<br />
|}<br />
<br><br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#4058A0; color:white"|<font color="white">'''Develop Capture the Flag contest''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Objectives'''<br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* '''TODO'''<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Deadlines''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* May 2009<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Status''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* '''TODO'''<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Resources''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* '''TODO'''<br />
|-<br />
|}<br />
<br><br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#4058A0; color:white"|<font color="white">'''ACTIVITY SPECIFICS''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Objectives'''<br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* '''TODO'''<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Deadlines''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* '''TODO'''<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Status''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* '''TODO'''<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Resources''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* '''TODO'''<br />
|-<br />
|}<br />
<br><br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#4058A0; color:white"|<font color="white">'''ACTIVITY SPECIFICS''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"|'''Objectives'''<br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* '''TODO'''<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Deadlines''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* '''TODO'''<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Status''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* '''TODO'''<br />
|-<br />
| style="width:25%; background:#7B8ABD" align="center"| '''Resources''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* '''TODO'''<br />
|-<br />
|}</div>Martinknoblochhttps://wiki.owasp.org/index.php?title=OWASP_Education_Material_Categorized&diff=86771OWASP Education Material Categorized2010-07-22T00:29:27Z<p>Martinknobloch: </p>
<hr />
<div>== Education Material Categorized ==<br />
<br />
<br />
==== Profession / Interest ====<br />
Below you will find the education material categorized by profession and interest. <br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="#003399">'''Management'''</font> <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="#003399">'''Student'''</font> <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="#003399">'''Developer'''</font> <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="#003399">'''Tester'''</font> <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br><br />
<br />
==== OWASP Top Ten ====<br />
The [[:Category:OWASP_Top_Ten_Project |'''OWASP Top Ten''']] represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. There are currently versions in English, French, Japanese, Korean and Turkish. A Spanish version is in the works. We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A1|A1 - Cross Site Scripting (XSS)]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A2|A2 - Injection Flaws]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A3|A3 - Malicious File Execution]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A4|A4 - Insecure Direct Object Reference]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A5|A5 - Cross Site Request Forgery (CSRF)]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A6|A6 - Information Leakage and Improper Error Handling]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A7|A7 - Broken Authentication and Session Management]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A8|A8 - Insecure Cryptographic Storage]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A9|A9 - Insecure Communications]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A10|A10 - Failure to Restrict URL Access]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
<br />
<br><br />
<br />
==== OWASP Tooling ====<br />
An [[:Category:OWASP_Project |'''OWASP Project''']] is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. Tools and documents are organized into the following categories:<br />
* PROTECT - These are tools and documents that can be used to guard against security-related design and implementation flaws.<br />
* DETECT - These are tools and documents that can be used to find security-related design and implementation flaws.<br />
* LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).<br />
<br />
<hr><br>''' Protect:'''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_AntiSamy_Project|OWASP AntiSamy Java Project]] ''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Enterprise_Security_API|OWASP Enterprise Security API (ESAPI) Project]] ''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br />
<br>''' Detect:'''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Live_CD_Project|OWASP Live CD Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_WebScarab_Project|OWASP WebScarab Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br />
<br>''' Life Cycle:'''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_WebGoat_Project|OWASP WebGoat Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br><br />
==== OWASP Documentation ====<br />
An [[:Category:OWASP_Project |'''OWASP Project''']] is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. Tools and documents are organized into the following categories:<br />
* PROTECT - These are tools and documents that can be used to guard against security-related design and implementation flaws.<br />
* DETECT - These are tools and documents that can be used to find security-related design and implementation flaws.<br />
* LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).<br />
<br />
<hr><br> '''Protect: '''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Guide_Project|OWASP Development Guide]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Ruby_on_Rails_Security_Guide_V2|OWASP Ruby on Rails Security Guide V2]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br />
<br />
<br>''' Detect:'''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Code_Review_Project|OWASP Code Review Guide]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Testing_Project|OWASP Testing Guide]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Top_Ten_Project|OWASP Top Ten Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br />
<br>''' Life Cycle:'''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_AppSec_FAQ_Project|OWASP AppSec FAQ Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Legal_Project|OWASP Legal Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Source_Code_Review_OWASP_Projects_Project|OWASP Source Code Review for OWASP-Projects]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br><br />
<br />
==== CLASP roles ====<br />
[http://www.owasp.org/index.php/Category:OWASP_CLASP_Project '''CLASP'''] (Comprehensive, Lightweight Application Security Process) provides a well-organized and structured approach for moving security concerns into the early stages of the software development lifecycle, whenever possible.<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Architect]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Designer]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Implementer]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Project Manager]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Requirements Specifier]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Security Auditor]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Test Analyst]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br />
==== SAMM Disciplines & Functions ====<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Alignment & Governance''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Education & Guidance''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Standards & Compliance''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Strategic Planning''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Requirements & Design''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Threat Modeling''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Security Requirements''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Defensive Design''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Verification & Assessment''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Architecture Review''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Code Review''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Security Testing''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Deployment & Operations''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Vulnerability Management''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Infrastructure Hardening''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Operational Enablement''' <br />
* beginner<br />
* intermediate<br />
* expert<br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
__NOTOC__<br />
<headertabs/><br />
<br />
[[Category:OWASP Education Project]]</div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Category:OWASP_Education_Project&diff=86770Category:OWASP Education Project2010-07-22T00:27:12Z<p>Martinknobloch: </p>
<hr />
<div>{{:Project Information:template Education Project}}<br />
[[Category:OWASP Project|Education Project New]]<br />
[[Category:OWASP Education Modules]]<br />
[[Category:OWASP Document]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Beta Quality Document]]<br />
<br />
<br />
== Welcome to the OWASP Education Project==<br />
<br />
Web Application Security Education and Awareness are needed throughout the entire organization; each area and level of an organization has its own needs and requirements regarding education. A manager needs different information than a security professional or developer. Newcomers to the profession require different training than people with several years of experience. <br><br />
This Education project aims to provide building blocks of web application security information. These modules can be combined into education tracks targeting different audiences.<br><br><br />
The first list of modules can be found [[OWASP Education Project Modules|here]].<br />
<br />
==== Educational Material ====<br />
<br />
=== Categorized educational material ===<br />
The categorized educational material can be found [[OWASP Education Material Categorized|here]].<br />
<br />
=== Resources and links ===<br />
<br />
This project is not standalone. There is an awful lot of information that can be found throughout this site and from other resources on the Internet. <br><br />
This project will draw pieces of information from:<br />
* The [http://www.owasp.org/index.php/Category:OWASP_Video Videos]<br />
* The presentations, currently being inventoried in the [[OWASP Education Presentation|consolidation page of OWASP presentations]]<br />
* [http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project WebGoat]<br />
* ...<br />
One of the modules to create will be a Resources module, not limited to OWASP.<br />
<br />
=== Donated Material ===<br />
<br />
The following training material and presentations were donated to the education project and will be integrated in future Education Tracks.<br />
* [[Education Donated: OWASP Safe Browsing]]<br />
* [[Education Donated: OWASP ASVS 1.0 ~2 day training deck]]<br />
<br />
==== About the Project ====<br />
=== Goals & Roadmap ===<br />
<br />
Currently the project goals are to create Educational Tracks:<br />
* A [[Education Track: Web Application Security Primer|Web Application Security Primer]] Track for beginners (4 hours) <br />
* [[Education Track: What Developers Should Know on Web Application Security|What Developers Should Know on Web Application Security]] Track for developers (4 hours) <br />
* Create a [[OWASP Education Presentation|consolidation page of OWASP presentations]] performed in the past with the possibility to add comments<br />
* [[Education Track: OWASP Boot Camp |OWASP Boot Camp]]: OWASP training events to get ready for secure application development<br />
* [[Education Track: OWASP Capture the flag application | Capture the flag application ]] <br />
* ...<br />
A further breakdown of tasks and future developments is listed in the [[OWASP Education Project Roadmap|road map]].<br><br />
<br><br />
<br />
<br />
=== Spoc007 Progress ===<br />
The Education project was selected for [http://www.owasp.org/index.php/SpoC_007_-_OWASP_Education_Project Spoc007 participation] (see page for progress).<br />
<br />
The SpoC007 goal is to finish Sub Goals 1, 2, 3 and perform Sub Goal 4 during the coming months ([[OWASP Education Project Roadmap|road map]]).<br />
<br />
==== Participation ====<br />
=== Project Guiding Principles ===<br />
<br />
This project aims to provide building blocks of web application security knowledge that can easily be integrated into awareness sessions or presentations on this topic. The building blocks provided by this project can then be bundled together into education tracks.<br><br />
An important guideline is therefore that the material produced is modular.<br><br />
<br />
<br />
=== Feedback and Participation: ===<br />
<br />
We hope you find the OWASP Education Project useful. Please contribute to the Project by volunteering for one of the tasks, or by sending your comments, questions, and suggestions to the [http://lists.owasp.org/mailman/listinfo/owasp-education mailing list].<br />
<br />
If you have used material from our project, please use the available [[:Image:Education_Track_Evaluation_Template.doc|evaluation forms]] and let us know how we can improve our modules and tracks.<br />
<br />
=== Project Contributors ===<br />
<br />
If you contribute to this Project, please add your name here.<br><br />
Project Lead:<br />
* [[User:knoblochmartin| Martin Knobloch]]<br />
<br />
Contributors:<br />
<br />
* [[User:Sdeleersnyder|Sebastien Deleersnyder]]<br />
* [[User:medelibero|Mike de Libero]]<br />
* [[User:Bunyamin|Bunyamin Demir]]<br />
* [[User:xxradar|Philippe Bogaerts]]<br />
* [[User:Brennan|Tom Brennan]]<br />
* [[User:Mccorga| Grady McCorkle]]<br />
* you? ...<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<br />
{{PutInCategory}}</div>Martinknoblochhttps://wiki.owasp.org/index.php?title=OWASP_Education_Material_Categorized&diff=86769OWASP Education Material Categorized2010-07-22T00:05:24Z<p>Martinknobloch: Created page with '== Education Material Categorized == ==== Profession / Interest ==== Below you find the education material categorized by profession and interest. {| style="width:100%" border…'</p>
<hr />
<div>== Education Material Categorized ==<br />
<br />
<br />
==== Profession / Interest ====<br />
Below you will find the education material categorized by profession and interest. <br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Management''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Student''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Developer''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Tester''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br><br />
<br />
==== OWASP Top Ten ====<br />
The [[:Category:OWASP_Top_Ten_Project |'''OWASP Top Ten''']] represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. There are currently versions in English, French, Japanese, Korean and Turkish. A Spanish version is in the works. We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A1|A1 - Cross Site Scripting (XSS)]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A2|A2 - Injection Flaws]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A3|A3 - Malicious File Execution]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A4|A4 - Insecure Direct Object Reference]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A5|A5 - Cross Site Request Forgery (CSRF)]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A6|A6 - Information Leakage and Improper Error Handling]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A7|A7 - Broken Authentication and Session Management]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A8|A8 - Insecure Cryptographic Storage]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A9|A9 - Insecure Communications]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A10|A10 - Failure to Restrict URL Access]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
<br />
<br><br />
<br />
==== OWASP Tooling ====<br />
An [[:Category:OWASP_Project |'''OWASP Project''']] is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. Tools and documents are organized into the following categories:<br />
* PROTECT - tools and documents that can be used to guard against security-related design and implementation flaws.<br />
* DETECT - tools and documents that can be used to find security-related design and implementation flaws.<br />
* LIFE CYCLE - tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).<br />
<br />
<hr><br>''' Protect:'''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_AntiSamy_Project|OWASP AntiSamy Java Project]] ''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Enterprise_Security_API|OWASP Enterprise Security API (ESAPI) Project]] ''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br />
<br>''' Detect:'''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Live_CD_Project|OWASP Live CD Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_WebScarab_Project|OWASP WebScarab Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br />
<br>''' Life Cycle:'''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_WebGoat_Project|OWASP WebGoat Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br><br />
==== OWASP Documentation ====<br />
An [[:Category:OWASP_Project |'''OWASP Project''']] is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. Tools and documents are organized into the following categories:<br />
* PROTECT - tools and documents that can be used to guard against security-related design and implementation flaws.<br />
* DETECT - tools and documents that can be used to find security-related design and implementation flaws.<br />
* LIFE CYCLE - tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).<br />
<br />
<hr><br> '''Protect: '''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Guide_Project|OWASP Development Guide]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Ruby_on_Rails_Security_Guide_V2|OWASP Ruby on Rails Security Guide V2]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br />
<br />
<br>''' Detect:'''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Code_Review_Project|OWASP Code Review Guide]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Testing_Project|OWASP Testing Guide]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Top_Ten_Project|OWASP Top Ten Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br />
<br>''' Life Cycle:'''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_AppSec_FAQ_Project|OWASP AppSec FAQ Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Legal_Project|OWASP Legal Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Source_Code_Review_OWASP_Projects_Project|OWASP Source Code Review for OWASP-Projects]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br><br />
<br />
==== CLASP roles ====<br />
[http://www.owasp.org/index.php/Category:OWASP_CLASP_Project '''CLASP'''] (Comprehensive, Lightweight Application Security Process) provides a well-organized and structured approach for moving security concerns into the early stages of the software development lifecycle, whenever possible.<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Architect]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Designer]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Implementer]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Project Manager]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Requirements Specifier]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Security Auditor]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Test Analyst]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br />
==== SAMM Disciplines & Functions ====<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Alignment & Governance''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Education & Guidance''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Standards & Compliance''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Strategic Planning''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Requirements & Design''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Threat Modeling''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Security Requirements''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Defensive Design''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Verification & Assessment''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Architecture Review''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Code Review''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Security Testing''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Deployment & Operations''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Vulnerability Management''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Infrastructure Hardening''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Operational Enablement''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
__NOTOC__<br />
<headertabs/></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Category:OWASP_Education_Project&diff=86768Category:OWASP Education Project2010-07-21T23:28:03Z<p>Martinknobloch: Major Change</p>
<hr />
<div>{{:Project Information:template Education Project}}<br />
[[Category:OWASP Project|Education Project New]]<br />
[[Category:OWASP Education Modules]]<br />
[[Category:OWASP Document]]<br />
[[Category:OWASP Download]]<br />
[[Category:OWASP Beta Quality Document]]<br />
<br />
== Welcome to the OWASP Education Project==<br />
<br />
Web application security education and awareness is needed throughout the entire organization; each area and level of an organization has specific needs and requirements regarding education. A manager needs different information from a security professional or a developer, and novices to the profession require different training from people with several years of experience. <br><br />
This Education Project aims to provide building blocks of web application security information. These modules can be combined into education tracks targeting different audiences.<br><br><br />
The first list of modules can be found [[OWASP Education Project Modules|here]].<br />
<br />
== Education Material Categorized ==<br />
<br />
The education material is categorized in two ways: by the CLASP roles, and more globally by area of general concern.<br />
==== Profession / Interest ====<br />
Below you find the education material categorized by profession and interest. <br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Common''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Management''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Student''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Developer''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Tester''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br />
<br />
==== OWASP Top Ten ====<br />
The [[:Category:OWASP_Top_Ten_Project |'''OWASP Top Ten''']] represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. There are currently versions in English, French, Japanese, Korean and Turkish. A Spanish version is in the works. We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A1|A1 - Cross Site Scripting (XSS)]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A2|A2 - Injection Flaws]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A3|A3 - Malicious File Execution]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A4|A4 - Insecure Direct Object Reference]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A5|A5 - Cross Site Request Forgery (CSRF)]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A6|A6 - Information Leakage and Improper Error Handling]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A7|A7 - Broken Authentication and Session Management]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A8|A8 - Insecure Cryptographic Storage]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A9|A9 - Insecure Communications]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[Top_10_2007-A10|A10 - Failure to Restrict URL Access]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Presentation''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
<br />
<br><br />
<br />
==== OWASP Tooling ====<br />
An [[:Category:OWASP_Project |'''OWASP Project''']] is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. Tools and documents are organized into the following categories:<br />
* PROTECT - These are tools and documents that can be used to guard against security-related design and implementation flaws.<br />
* DETECT - These are tools and documents that can be used to find security-related design and implementation flaws.<br />
* LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).<br />
<br />
<hr><br>'''Protect:'''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_AntiSamy_Project|OWASP AntiSamy Java Project]] ''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Videos''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training video <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Enterprise_Security_API|OWASP Enterprise Security API (ESAPI) Project]] ''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br />
<br>'''Detect:'''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Live_CD_Project|OWASP Live CD Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_WebScarab_Project|OWASP WebScarab Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br />
<br>'''Life Cycle:'''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_WebGoat_Project|OWASP WebGoat Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br><br />
==== OWASP Documentation ====<br />
An [[:Category:OWASP_Project |'''OWASP Project''']] is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. Tools and documents are organized into the following categories:<br />
* PROTECT - These are tools and documents that can be used to guard against security-related design and implementation flaws.<br />
* DETECT - These are tools and documents that can be used to find security-related design and implementation flaws.<br />
* LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).<br />
<br />
<hr><br>'''Protect:'''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Guide_Project|OWASP Development Guide]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Ruby_on_Rails_Security_Guide_V2|OWASP Ruby on Rails Security Guide V2]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br />
<br />
<br>'''Detect:'''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Code_Review_Project|OWASP Code Review Guide]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Testing_Project|OWASP Testing Guide]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Top_Ten_Project|OWASP Top Ten Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br />
<br>'''Life Cycle:'''<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_AppSec_FAQ_Project|OWASP AppSec FAQ Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Legal_Project|OWASP Legal Project]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white"><br />
'''[[:Category:OWASP_Source_Code_Review_OWASP_Projects_Project|OWASP Source Code Review for OWASP-Projects]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br><br />
<br />
==== CLASP roles ====<br />
[http://www.owasp.org/index.php/Category:OWASP_CLASP_Project '''CLASP'''] (Comprehensive, Lightweight Application Security Process) provides a well-organized and structured approach for moving security concerns into the early stages of the software development lifecycle, whenever possible.<br />
<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Architect]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Designer]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Implementer]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Project Manager]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Requirements Specifier]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Security Auditor]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="white">'''[[Test Analyst]]''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Beginner''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Experienced''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Expert''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br />
==== SAMM Disciplines & Functions ====<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Alignment & Governance''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Education & Guidance''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Standards & Compliance''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Strategic Planning''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Requirements & Design''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Threat Modeling''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Security Requirements''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Defensive Design''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Verification & Assessment''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Architecture Review''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Code Review''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Security Testing''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
{| style="width:100%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#FFFFFF; color:white"|<font color="003399">'''Deployment & Operations''' <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Vulnerability Management''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Infrastructure Hardening''' <br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|-<br />
| style="width:25%; background:#7B8ABD" align="left"| '''Operational Enablement''' <br />
* beginner<br />
* intermediate<br />
* expert<br />
| colspan="3" style="width:75%; background:#cccccc" align="left"|<br />
* training material <br />
|}<br />
<br />
<br />
== Goals & Roadmap ==<br />
<br />
Currently the project goals are to create Educational Tracks:<br />
* A [[Education Track: Web Application Security Primer|Web Application Security Primer]] Track for beginners (4 hours) <br />
* [[Education Track: What Developers Should Know on Web Application Security|What Developers Should Know on Web Application Security]] Track for developers (4 hours) <br />
* Create a [[OWASP Education Presentation|consolidation page of OWASP presentations]] performed in the past with the possibility to add comments<br />
* [[Education Track: OWASP Boot Camp |OWASP Boot Camp]] OWASP Training events, get ready for secure application development<br />
* [[Education Track: OWASP Capture the flag application | Capture the flag application ]] <br />
* ...<br />
Further breakdown of tasks and future developments are listed in the [[OWASP Education Project Roadmap|road map]].<br><br />
<br />
== Spoc007 Progress ==<br />
The Education project was selected for [http://www.owasp.org/index.php/SpoC_007_-_OWASP_Education_Project Spoc007 participation] (see page for progress).<br />
<br />
The SpoC007 goal is to finish Sub Goals 1, 2, 3 and perform Sub Goal 4 during the coming months ([[OWASP Education Project Roadmap|road map]]).<br />
<br />
== Project Guiding Principles ==<br />
<br />
This project aims to provide building blocks of web application security knowledge that can easily be integrated in awareness sessions or presentations on this topic. The building blocks provided by this project can then be bundled together in education tracks.<br>
An important guideline is therefore that the material produced is modular.<br>
<br />
== Resources and links ==<br />
<br />
This project is not standalone. There is an awful lot of information that can be found throughout this site and from other resources on the Internet. <br>
This project will draw pieces of information from:
* The [http://www.owasp.org/index.php/Category:OWASP_Video Videos]
* The presentations, currently being inventoried in the [[OWASP Education Presentation Rating|consolidation page of OWASP presentations]]
* [http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project WebGoat]<br />
* ...<br />
One of the modules to create will be a Resources module, not limited to OWASP.<br />
<br />
== Feedback and Participation: ==<br />
<br />
We hope you find the OWASP Education Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to the [http://lists.owasp.org/mailman/listinfo/owasp-education mailing list].<br />
<br />
If you used material from our project, please use the available [[:Image:Education_Track_Evaluation_Template.doc|evaluation forms]] and let us know how we can improve our modules and tracks.
<br />
== Project Contributors ==<br />
<br />
If you contribute to this Project, please add your name here.<br><br />
Project Lead:<br />
* [[User:Sdeleersnyder|Sebastien Deleersnyder]]<br />
<br />
Contributors:<br />
<br />
* [[User:medelibero|Mike de Libero]]<br />
* [[User:Bunyamin|Bunyamin Demir]]<br />
* [[User:xxradar|Philippe Bogaerts]]<br />
* [[User:Brennan|Tom Brennan]]<br />
* [[User:knoblochmartin| Martin Knobloch]]<br />
* [[User:Mccorga| Grady McCorkle]]<br />
* you? ...<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<br />
{{PutInCategory}}</div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Category:OWASP_CTF_Project&diff=86478Category:OWASP CTF Project2010-07-14T21:46:42Z<p>Martinknobloch: </p>
<hr />
<div>==== Main ====<br />
<b>Welcome to the OWASP Capture The Flag (CTF) project!</b><br><br />
<br />
== What is the CTF ==<br />
<br />
The OWASP CTF project is a web-based hacking challenge application with challenges categorized in web, network and ‘others’. You need creativity, resourcefulness and networking skills to solve the various challenges.
<br />
== Open Source? ==<br />
<br />
First of all... sorry, but of course, we cannot make the CTF and all challenges open source.
Hereby my apologies for not being as open as I want OWASP and OWASP projects to be. <br><br />
..I know you understand!<br />
<br />
Ahead of the OWASP AppSec-NY in 2009, the idea came up to supply an OWASP CTF event. This was repeated successfully for AppSec-EU 2009. Both were developed by volunteering individuals, who put in a big amount of work building the CTF from scratch.
As the CTF event was warmly welcomed by those who participated, it was clear that the CTF had to become an event available at each OWASP event. To make this possible, the CTF project has been created!
<br />
<br />
==== the CTF at your event ====<br />
<br />
Unfortunately, and I guess you understand, we can't share the currently used CTF freely..
For previous CTF applications and challenges, please see the download tab!
<br />
To get the CTF at your (OWASP) event, send an email to martin.knobloch 'at' owasp.org<br />
<br />
<br />
= past events = <br />
<br />
* AppSec-EU Poland
* AppSec-DC<br />
* HITB Amsterdam<br />
<br />
= future events = <br />
* AppSec-Research
* AppSec-Ireland<br />
<br />
==== Playing the CTF ====<br />
The rules for participating in and playing the CTF might change depending on the event at which the CTF is organized.
What you find below is how we think the CTF should be done.. ;-)
<br />
== Participating: ==<br />
Register with the CTF organizer with your MAC address and participant name. Once you have access to the application, you register with your chosen game name and the game is started.
You can join whenever you like once the game has started, until the declared end of the game.
== Rules: ==<br />
* You play with your own laptop<br />
* The game is open during the conference time.<br />
* Attacking the CTF outside of the challenges results in disqualification<br />
* Attacking CTF competitors results in disqualification<br />
== Scoring: ==<br />
For each solved challenge you get one point. <br />
* Who has the most challenges solved wins.<br />
* On equal scores, whoever scored first wins.
* Groups and single player are treated the same<br />
<br />
This is a proposal of rules. They can be changed, depending on the event where the CTF is held!
=== who can participate in the CTF ===
* Single players: everyone can participate in a CTF event by themselves
* Groups: you can team up with others and participate as a group. Dividing the prizes is the responsibility of the group members though
<br />
<br />
=== points system ===
With each challenge you can get a certain score, depending on the difficulty of the challenge. After solving a challenge, a key is gained. You have to enter that key in your account screen and the points are added to your account. In case of the same number of points, whoever scores first wins!
<br />
<br />
== categories ==<br />
The challenges are categorized in Web, Networking and Forensic. <br />
* Web challenges<br />
* Networking challenges<br />
* Forensic challenges<br />
The current CTF contains the following categories:<br />
* Web<br />
* Networking<br />
* Others<br />
<br />
== score board ==<br />
For each category, there will be 4 challenges in different difficulty:<br />
* 200 points
* 300 points<br />
* 500 points<br />
* 750 points<br />
<br />
==== Downloads ====<br />
<br />
[http://code.google.com/p/owaspctf/ its home on Google Code]<br><br />
All available downloads can be found at [http://code.google.com/p/owaspctf/downloads/list its Google Code download location]<br />
<br />
As we cannot make the current CTF and challenges available, what is available to download?
We will share previously used CTF applications that are no longer in use!

Further, we are currently working on a plug-in system for the challenges.
We will soon release a setup in which challenges can be installed as plugins.
Also, we will continuously make obsolete challenges available to download!
<br />
Available downloads:<br />
<br />
<br />
==== Roadmap ====<br />
<br />
* Development<br />
** Challenges<br />
<br />
* Obsolete<br />
==== Project Identification ====<br />
<br />
[[Category:OWASP Project|CTF Project]]<br />
[[Category:OWASP Document]]<br />
[[Category:OWASP Alpha Quality Document]]<br />
<br />
{{:GPC Project Details/OWASP CTF Project | OWASP Project Identification Tab}}<br />
<br />
__NOTOC__<br />
<headertabs/></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Category:OWASP_CTF_Project&diff=86477Category:OWASP CTF Project2010-07-14T21:44:03Z<p>Martinknobloch: </p>
<hr />
<div>==== Main ====<br />
<b>Welcome to the OWASP Capture The Flag (CTF) project!</b><br><br />
<br />
== What is the CTF ==<br />
<br />
The OWASP CTF project is a web-based hacking challenge application with challenges categorized in web, network and ‘others’. You need creativity, resourcefulness and networking skills to solve the various challenges.
<br />
== Open Source? ==<br />
<br />
First of all... sorry, but of course, we cannot make the CTF and all challenges open source.
Hereby my apologies for not being as open as I want OWASP and OWASP projects to be. <br><br />
..I know you understand!<br />
<br />
Ahead of the OWASP AppSec-NY in 2009, the idea came up to supply an OWASP CTF event. This was repeated successfully for AppSec-EU 2009. Both were developed by volunteering individuals, who put in a big amount of work building the CTF from scratch.
As the CTF event was warmly welcomed by those who participated, it was clear that the CTF had to become an event available at each OWASP event. To make this possible, the CTF project has been created!
<br />
<br />
==== the CTF at your event ====<br />
<br />
Unfortunately, and I guess you understand... First of all... sorry, but of course, we cannot make the CTF and all challenges open source. Hereby my apologies for not being as open as I want OWASP and OWASP projects to be. 
There is no download from which to get the CTF.
<br />
..I know you understand!<br />
Nevertheless, I am sharing as much as I can. <br />
<br />
<br />
= past events = <br />
<br />
* AppSec-EU Poland
* AppSec-DC<br />
* HITB Amsterdam<br />
<br />
= future events = <br />
* AppSec-Research
* AppSec-Ireland<br />
<br />
==== Playing the CTF ====<br />
The rules for participating in and playing the CTF might change depending on the event at which the CTF is organized.
What you find below is how we think the CTF should be done.. ;-)
<br />
== Participating: ==<br />
Register with the CTF organizer with your MAC address and participant name. Once you have access to the application, you register with your chosen game name and the game is started.
You can join whenever you like once the game has started, until the declared end of the game.
== Rules: ==<br />
* You play with your own laptop<br />
* The game is open during the conference time.<br />
* Attacking the CTF outside of the challenges results in disqualification<br />
* Attacking CTF competitors results in disqualification<br />
== Scoring: ==<br />
For each solved challenge you get one point. <br />
* Who has the most challenges solved wins.<br />
* On equal scores, whoever scored first wins.
* Groups and single player are treated the same<br />
<br />
This is a proposal of rules. They can be changed, depending on the event where the CTF is held!
=== who can participate in the CTF ===
* Single players: everyone can participate in a CTF event by themselves
* Groups: you can team up with others and participate as a group. Dividing the prizes is the responsibility of the group members though
<br />
<br />
=== points system ===
With each challenge you can get a certain score, depending on the difficulty of the challenge. After solving a challenge, a key is gained. You have to enter that key in your account screen and the points are added to your account. In case of the same number of points, whoever scores first wins!
<br />
<br />
== categories ==<br />
The challenges are categorized in Web, Networking and Forensic. <br />
* Web challenges<br />
* Networking challenges<br />
* Forensic challenges<br />
The current CTF contains the following categories:<br />
* Web<br />
* Networking<br />
* Others<br />
<br />
== score board ==<br />
For each category, there will be 4 challenges in different difficulty:<br />
* 200 points
* 300 points<br />
* 500 points<br />
* 750 points<br />
<br />
==== Downloads ====<br />
<br />
[http://code.google.com/p/owaspctf/ its home on Google Code]<br><br />
All available downloads can be found at [http://code.google.com/p/owaspctf/downloads/list its Google Code download location]<br />
<br />
As we cannot make the current CTF and challenges available, what is available to download?
We will share previously used CTF applications that are no longer in use!

Further, we are currently working on a plug-in system for the challenges.
We will soon release a setup in which challenges can be installed as plugins.
Also, we will continuously make obsolete challenges available to download!
<br />
Available downloads:<br />
<br />
<br />
==== Roadmap ====<br />
<br />
* Development<br />
** Challenges<br />
<br />
* Obsolete<br />
==== Project Identification ====<br />
<br />
[[Category:OWASP Project|CTF Project]]<br />
[[Category:OWASP Document]]<br />
[[Category:OWASP Alpha Quality Document]]<br />
<br />
{{:GPC Project Details/OWASP CTF Project | OWASP Project Identification Tab}}<br />
<br />
__NOTOC__<br />
<headertabs/></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Category:OWASP_CTF_Project&diff=86476Category:OWASP CTF Project2010-07-14T21:36:43Z<p>Martinknobloch: </p>
<hr />
<div>==== Main ====<br />
<b>Welcome to the OWASP Capture The Flag (CTF) project!</b><br><br />
<br />
== What is the CTF ==<br />
<br />
The OWASP CTF project is a web-based hacking challenge application with challenges categorized in web, network and ‘others’. You need creativity, resourcefulness and networking skills to solve the various challenges.
<br />
== Open Source? ==<br />
<br />
First of all... sorry, but of course, we cannot make the CTF and all challenges open source.
Hereby my apologies for not being as open as I want OWASP and OWASP projects to be. <br><br />
..I know you understand!<br />
<br />
Ahead of the OWASP AppSec-NY in 2009, the idea came up to supply an OWASP CTF event. This was repeated successfully for AppSec-EU 2009. Both were developed by volunteering individuals, who put in a big amount of work building the CTF from scratch.
As the CTF event was warmly welcomed by those who participated, it was clear that the CTF had to become an event available at each OWASP event. To make this possible, the CTF project has been created!
<br />
<br />
==== the CTF at your event ====<br />
<br />
Unfortunately, and I guess you understand... First of all... sorry, but of course, we cannot make the CTF and all challenges open source. Hereby my apologies for not being as open as I want OWASP and OWASP projects to be. 
There is no download from which to get the CTF.
<br />
..I know you understand!<br />
Nevertheless, I am sharing as much as I can. <br />
<br />
<br />
= past events = <br />
<br />
* AppSec-EU Poland
* AppSec-DC<br />
* HITB Amsterdam<br />
<br />
= future events = <br />
* AppSec-Research
* AppSec-Ireland<br />
<br />
==== Playing the CTF ====<br />
The rules for participating in and playing the CTF might change depending on the event at which the CTF is organized.
What you find below is how we think the CTF should be done.. ;-)
<br />
== Participating: ==<br />
Register with the CTF organizer with your MAC address and participant name. Once you have access to the application, you register with your chosen game name and the game is started.
You can join whenever you like once the game has started, until the declared end of the game.
== Rules: ==<br />
* You play with your own laptop<br />
* The game is open during the conference time.<br />
* Attacking the CTF outside of the challenges results in disqualification<br />
* Attacking CTF competitors results in disqualification<br />
== Scoring: ==<br />
For each solved challenge you get one point. <br />
* Who has the most challenges solved wins.<br />
* On equal scores, whoever scored first wins.
* Groups and single player are treated the same<br />
<br />
This is a proposal of rules. They can be changed, depending on the event where the CTF is held!
=== who can participate in the CTF ===
* Single players: everyone can participate in a CTF event by themselves
* Groups: you can team up with others and participate as a group. Dividing the prizes is the responsibility of the group members though
<br />
<br />
=== points system ===
With each challenge you can get a certain score, depending on the difficulty of the challenge. After solving a challenge, a key is gained. You have to enter that key in your account screen and the points are added to your account. In case of the same number of points, whoever scores first wins!
<br />
<br />
== categories ==<br />
The challenges are categorized in Web, Networking and Forensic. <br />
* Web challenges<br />
* Networking challenges<br />
* Forensic challenges<br />
The current CTF contains the following categories:<br />
* Web<br />
* Networking<br />
* Others<br />
<br />
== score board ==<br />
For each category, there will be 4 challenges in different difficulty:<br />
* 200 points
* 300 points<br />
* 500 points<br />
* 750 points<br />
<br />
==== Downloads ====<br />
As we cannot make the current CTF and challenges available, we do release obsolete CTFs and challenges
at [http://code.google.com/p/owaspctf/ its home on Google Code]<br><br />
All available downloads can be found at [http://code.google.com/p/owaspctf/downloads/list its Google Code download location]<br />
<br />
<br />
==== Roadmap ====<br />
<br />
* Development<br />
** Challenges<br />
<br />
* Obsolete<br />
==== Project Identification ====<br />
<br />
[[Category:OWASP Project|CTF Project]]<br />
[[Category:OWASP Document]]<br />
[[Category:OWASP Alpha Quality Document]]<br />
<br />
{{:GPC Project Details/OWASP CTF Project | OWASP Project Identification Tab}}<br />
<br />
__NOTOC__<br />
<headertabs/></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Category:OWASP_CTF_Project&diff=86475Category:OWASP CTF Project2010-07-14T21:35:54Z<p>Martinknobloch: </p>
<hr />
<div>==== Main ====<br />
<b>Welcome to the OWASP Capture The Flag (CTF) project!</b><br><br />
<br />
== What is the CTF ==<br />
<br />
The OWASP CTF project is a web-based hacking challenge application with challenges categorized in web, network and ‘others’. You need creativity, resourcefulness and networking skills to solve the various challenges.
<br />
== Open Source? ==<br />
<br />
First of all... sorry, but of course, we cannot make the CTF and all challenges open source.
Hereby my apologies for not being as open as I want OWASP and OWASP projects to be. <br><br />
..I know you understand!<br />
<br />
Ahead of the OWASP AppSec-NY in 2009, the idea came up to supply an OWASP CTF event. This was repeated successfully for AppSec-EU 2009. Both were developed by volunteering individuals, who put in a big amount of work building the CTF from scratch.
As the CTF event was warmly welcomed by those who participated, it was clear that the CTF had to become an event available at each OWASP event. To make this possible, the CTF project has been created!
<br />
<br />
==== the CTF at your event ====<br />
<br />
Unfortunately, and I guess you understand... First of all... sorry, but of course, we cannot make the CTF and all challenges open source. Hereby my apologies for not being as open as I want OWASP and OWASP projects to be. 
There is no download from which to get the CTF.
<br />
..I know you understand!<br />
Nevertheless, I am sharing as much as I can. <br />
<br />
<br />
= past events = <br />
<br />
* AppSec-EU Poland
* AppSec-DC<br />
<br />
<br />
= future events = <br />
* AppSec-Research
* AppSec-Ireland<br />
<br />
==== Playing the CTF ====<br />
The rules for participating in and playing the CTF might change depending on the event at which the CTF is organized.
What you find below is how we think the CTF should be done.. ;-)
<br />
== Participating: ==<br />
Register with the CTF organizer with your MAC address and participant name. Once you have access to the application, you register with your chosen game name and the game is started.
You can join whenever you like once the game has started, until the declared end of the game.
== Rules: ==<br />
* You play with your own laptop<br />
* The game is open during the conference time.<br />
* Attacking the CTF outside of the challenges results in disqualification<br />
* Attacking CTF competitors results in disqualification<br />
== Scoring: ==<br />
For each solved challenge you get one point. <br />
* Who has the most challenges solved wins.<br />
* On equal scores, whoever scored first wins.
* Groups and single player are treated the same<br />
<br />
This is a proposal of rules. They can be changed, depending on the event where the CTF is held!
=== who can participate in the CTF ===
* Single players: everyone can participate in a CTF event by themselves
* Groups: you can team up with others and participate as a group. Dividing the prizes is the responsibility of the group members though
<br />
<br />
=== points system ===
With each challenge you can get a certain score, depending on the difficulty of the challenge. After solving a challenge, a key is gained. You have to enter that key in your account screen and the points are added to your account. In case of the same number of points, whoever scores first wins!
<br />
<br />
== categories ==<br />
The challenges are categorized in Web, Networking and Forensic. <br />
* Web challenges<br />
* Networking challenges<br />
* Forensic challenges<br />
The current CTF contains the following categories:<br />
* Web<br />
* Networking<br />
* Others<br />
<br />
== score board ==<br />
For each category, there will be 4 challenges in different difficulty:<br />
* 200 points
* 300 points<br />
* 500 points<br />
* 750 points<br />
<br />
==== Downloads ====<br />
As we cannot make the current CTF and challenges available, we do release obsolete CTFs and challenges
at [http://code.google.com/p/owaspctf/ its home on Google Code]<br><br />
All available downloads can be found at [http://code.google.com/p/owaspctf/downloads/list its Google Code download location]<br />
<br />
<br />
==== Roadmap ====<br />
<br />
* Development<br />
** Challenges<br />
<br />
* Obsolete<br />
==== Project Identification ====<br />
<br />
[[Category:OWASP Project|CTF Project]]<br />
[[Category:OWASP Document]]<br />
[[Category:OWASP Alpha Quality Document]]<br />
<br />
{{:GPC Project Details/OWASP CTF Project | OWASP Project Identification Tab}}<br />
<br />
__NOTOC__<br />
<headertabs/></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Category:OWASP_CTF_Project&diff=86474Category:OWASP CTF Project2010-07-14T21:30:33Z<p>Martinknobloch: </p>
<hr />
<div>==== Main ====<br />
<b>Welcome to the OWASP Capture The Flag (CTF) project!</b><br><br />
<br />
== What is the CTF ==<br />
<br />
The OWASP CTF project is a web-based hacking challenge application with challenges categorized in web, network and ‘others’. You need creativity, resourcefulness and networking skills to solve the various challenges.
<br />
== Open Source? ==<br />
<br />
First of all... sorry, but of course, we cannot make the CTF and all challenges open source.
Hereby my apologies for not being as open as I want OWASP and OWASP projects to be. <br><br />
..I know you understand!<br />
<br />
Ahead of the OWASP AppSec-NY in 2009, the idea came up to supply an OWASP CTF event. This was repeated successfully for AppSec-EU 2009. Both were developed by volunteering individuals, who put in a big amount of work building the CTF from scratch.
As the CTF event was warmly welcomed by those who participated, it was clear that the CTF had to become an event available at each OWASP event. To make this possible, the CTF project has been created!
<br />
<br />
==== the CTF at your event ====<br />
<br />
Unfortunately, and I guess you understand... First of all... sorry, but of course, we cannot make the CTF and all challenges open source. Hereby my apologies for not being as open as I want OWASP and OWASP projects to be. 
There is no download from which to get the CTF.
<br />
..I know you understand!<br />
Nevertheless, I am sharing as much as I can. <br />
<br />
<br />
= past events = <br />
<br />
* AppSec-EU Poland
* AppSec-DC<br />
<br />
<br />
= future events = <br />
* AppSec-Research
* AppSec-Ireland<br />
<br />
==== Playing the CTF ====<br />
The rules for participating in and playing the CTF might change depending on the event at which the CTF is organized.
What you find below is how we think the CTF should be done.. ;-)
<br />
== Participating: ==<br />
Register with the CTF organizer with your MAC address and participant name. Once you have access to the application, you register with your chosen game name and the game is started.
You can join whenever you like once the game has started, until the declared end of the game.
== Rules: ==<br />
* You play with your own laptop<br />
* The game is open during the conference time.<br />
* Attacking the CTF outside of the challenges results in disqualification<br />
* Attacking CTF competitors results in disqualification<br />
== Scoring: ==<br />
For each solved challenge you get one point. <br />
* Who has the most challenges solved wins.<br />
* On equal scores, whoever scored first wins.
* Groups and single player are treated the same<br />
<br />
This is a proposal of rules. They can be changed, depending on the event where the CTF is held!
=== who can participate in the CTF ===
* Single players: everyone can participate in a CTF event by themselves
* Groups: you can team up with others and participate as a group. Dividing the prizes is the responsibility of the group members though
<br />
<br />
=== points system ===
With each challenge you can get a certain score, depending on the difficulty of the challenge. After solving a challenge, a key is gained. You have to enter that key in your account screen and the points are added to your account. In case of the same number of points, whoever scores first wins!
<br />
<br />
== categories ==<br />
The challenges are categorized in Web, Networking and Forensic. <br />
* Web challenges<br />
* Networking challenges<br />
* Forensic challenges<br />
The current CTF contains the following categories:<br />
* Web<br />
* Networking<br />
* Others<br />
<br />
== score board ==<br />
For each category, there will be 4 challenges in different difficulty:<br />
* 200 points
* 300 points<br />
* 500 points<br />
* 750 points<br />
<br />
==== Downloads ====<br />
As we cannot make the current CTF and challenges available, we do release obsolete CTFs and challenges
at [http://code.google.com/p/owaspctf/ its home on Google Code]<br><br />
All available downloads can be found at [http://code.google.com/p/owaspctf/downloads/list its Google Code download location]<br />
<br />
==== Roadmap ====<br />
<br />
* Development<br />
** Challenges<br />
<br />
* Obsolete<br />
==== Project Identification ====<br />
<br />
[[Category:OWASP Project|CTF Project]]<br />
[[Category:OWASP Document]]<br />
[[Category:OWASP Alpha Quality Document]]<br />
<br />
{{:GPC Project Details/OWASP CTF Project | OWASP Project Identification Tab}}<br />
<br />
__NOTOC__<br />
<headertabs/></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Category:OWASP_CTF_Project&diff=86473Category:OWASP CTF Project2010-07-14T21:00:32Z<p>Martinknobloch: </p>
<hr />
<div>==== Main ====<br />
<b>Welcome to the OWASP Capture The Flag (CTF) project!</b><br><br />
<br />
First of all... sorry, but of course, we cannot make the CTF and all challenges open source.
Hereby my apologies for not being as open as I want OWASP and OWASP projects to be.<br />
..I know you understand!<br />
<br />
Ahead of the OWASP AppSec-NY in 2009, the idea came up to supply an OWASP CTF event. This was repeated successfully for AppSec-EU 2009. Both were developed by volunteering individuals, who put in a big amount of work building the CTF from scratch.
As the CTF event was warmly welcomed by those who participated, it was clear that the CTF had to become an event available at each OWASP event. To make this possible, the CTF project has been created!
<br />
== The CTF ==<br />
<br />
The OWASP CTF project is a web-based hacking challenge application with challenges categorized in web, network and ‘others’. You need creativity, resourcefulness and networking skills to solve the various challenges.
=== what do I need to participate ===
To participate in a CTF event, all you need is your laptop.
Connection to the CTF should be possible via the wireless network.
In some cases the conference venue may disallow local wireless networks, and the CTF will then be accessible via the LAN.
=== joining the CTF ===
To participate in a CTF event, you can register in the online application. It's advisable that attendees register with the CTF organizer.
<br />
<br />
== Roadmap ==<br />
<br />
* Rework framework<br />
* Developing challenges<br />
==== playing the CTF ====<br />
Playing:<br />
Register with the CTF organizer with your MAC address and participant name. Once you have access to the application, you register with your chosen game name and the game is started.
You can join whenever you like once the game has started, until the declared end of the game.
Rules:<br />
* You play with your own laptop<br />
* The game is open during the conference time.<br />
* Attacking the CTF outside of the challenges results in disqualification<br />
* Attacking CTF competitors results in disqualification<br />
Scoring:<br />
For each solved challenge you get one point. <br />
* Who has the most challenges solved wins.<br />
* On equal scores, whoever scored first wins.
* Groups and single player are treated the same<br />
<br />
This is a proposal of rules. They can be changed, depending on the event where the CTF is held!
=== who can participate in the CTF ===
* Single players: everyone can participate in a CTF event by themselves
* Groups: you can team up with others and participate as a group. Dividing the prizes is the responsibility of the group members though
<br />
<br />
=== points system ===
With each challenge you can get a certain score, depending on the difficulty of the challenge. After solving a challenge, a key is gained. You have to enter that key in your account screen and the points are added to your account. In case of the same number of points, whoever scores first wins!
<br />
<br />
== categories ==<br />
The challenges are categorized in Web, Networking and Forensic. <br />
* Web challenges<br />
* Networking challenges<br />
* Forensic challenges<br />
<br />
== score board ==<br />
For each category, there will be 4 challenges in different difficulty:<br />
* 200 points
* 300 points<br />
* 500 points<br />
* 750 points<br />
<br />
==== the CTF at your event ====<br />
<br />
First of all... sorry, but of course, we cannot make the CTF and all challenges open source. Hereby my apologies for not being as open as I want OWASP and OWASP projects to be. 
There is no download from which to get the CTF.
<br />
..I know you understand!<br />
Nevertheless, I am sharing as much as I can. <br />
<br />
<br />
= past events = <br />
<br />
* AppSec-EU Poland<br />
* AppSec-DC<br />
<br />
<br />
= future events = <br />
* AppSec- Research<br />
* AppSec-Ireland<br />
<br />
==== Downloads ====<br />
As we can not make the current CTF and challenges available, we do release obsolete CTFs and challenges<br />
at [http://code.google.com/p/owaspctf/ its home on Google Code]<br><br />
All available downloads can be found at [http://code.google.com/p/owaspctf/downloads/list its Google Code download location]<br />
<br />
==== Project Identification ====<br />
<br />
[[Category:OWASP Project|CTF Project]]<br />
[[Category:OWASP Document]]<br />
[[Category:OWASP Alpha Quality Document]]<br />
<br />
{{:GPC Project Details/OWASP CTF Project | OWASP Project Identification Tab}}<br />
<br />
__NOTOC__<br />
<headertabs/></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Netherlands&diff=85685Netherlands2010-06-30T13:22:07Z<p>Martinknobloch: /* Workshop Google Hacking */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br> <br />
<br />
==== Local News ====<br />
=== Workshop Google Hacking ===<br />
We have a special OWASP meeting around HITB!<br />
<br />
Christian Heinrich, from OWASP Australia, is project lead of the OWASP Google Hacking project. <br />
Christian is speaking at the HITB conference. He is willing to give a Google Hacks and Skipfish workshop:<br><br />
* http://www.owasp.org/index.php/Category:OWASP_Google_Hacking_Project<br />
* http://www.owasp.org/index.php/Testing:_Search_engine_discovery/reconnaissance_%28OWASP-IG-002%29<br />
* http://www.owasp.org/index.php/Testing:_Spiders,_Robots,_and_Crawlers_%28OWASP-IG-001%29<br />
<br />
Please see tab "Chapter Meetings" for more details. <br />
This will take place June 30th:<br />
<br />
Location:<br />
Sogeti Nederland<br />
Wildenborch 3 <br />
1112 XB Diemen<br />
<br />
=== HITB 2010 Amsterdam ===<br />
The FIRST EVER HITBSecConf in Europe, HITBSecConf 2010 - Amsterdam takes place at the NH Grand Krasnapolsky from the 29th of June till the 2nd of July with a QUAD TRACK line up!<br />
<br />
OWASP members get a special offer:<br><br />
OWASP MEMBERS SAVE EUR200 OFF THE CONFERENCE PRICE!!! <br><br />
EUR699 instead of EUR899. This offer is limited to the first 50 registrations.<br><br />
OWASP members are encouraged to register as soon as possible to avoid disappointment.<br><br />
Please supply your OWASP membership ID to the registration!<br><br />
<br />
Conference Website: http://conference.hitb.org/hitbsecconf2010ams/<br><br />
29th & 30th June - Hands on Technical Training Sessions <br />
<br />
==== Chapter Meetings ====<br />
<br />
== 2010 Schedule ==<br />
<br />
*March 11th, 18.00 - 21.30 Topic: Database Security<br />
*May 20th, 18.00 - 21.30 Topic: Web Application Firewalls <br />
*June 30th, 18:00 - 21:00 Workshop Google Hacks & Skipfish<br />
*September 23rd, 18.00 - 21.30 Topic: Security in Content Management Systems <br />
*November 18th, 18.00 - 21.30 Topic &nbsp;: TBD<br />
<br />
<br><br />
<br />
== REGISTRATION ==<br />
<br />
To register for a chapter meeting (first come, first served), please '''send an email''' to: [mailto:netherlands@owasp.org netherlands 'at' owasp.org].<br />
<br />
== Workshop Google Hacks & Skipfish (June 30th 2010)==<br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
Sogeti Nederland B.V.<br> <br> Wildenborch 3<br> 1112 XB Diemen <br> <br />
| width="650" | <br />
[[Image:Logo_Sogeti.jpg|200px]] <br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Opening (OWASP organization, projects, sponsor)</b><br><br />
<b>18:45 - 19:00 Break</b><br><br />
<b>19:00 - 21:00 Workshop Google Hacking & Skipfish</b><br><br />
<b>21:00 - 21:30 Discussion, questions and social networking</b><br />
<br />
===Bios===<br />
<br />
Christian Heinrich is the Project Leader of the OWASP "Google Hacking" Project i.e. "Download Indexed Cache" and has contributed to the "Spiders/Robots/Crawlers" and "Search Engine Reconnaissance" sections of the OWASP Testing Guide v3 and more recently to the development of the OWASP Top Ten and Application Security Verification Standard (ASVS) OWASP Projects.<br />
He has presented at OWASP Conferences in USA, Australia and Europe and OWASP Chapters in London, UK and Sydney and Melbourne, Australia.<br><br />
<br />
<u>Google Hacking:</u><br />
<br />
Google Hacks is a compilation of carefully crafted Google searches that expose novel functionality from Google's search and map services. For example, you can use it to view a timeline of your search results, view a map, search for music, search for books, and perform many other specific kinds of searches. You can also use this program to use Google as a proxy.<br><br />
<br />
<u>Skipfish:</u><br />
<br />
A fully automated, active web application security reconnaissance tool.<br />
Key features:<br />
* High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets.<br />
* Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.<br />
* Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.<br><br />
<br />
<u> The relevant links: </u><br />
* http://www.owasp.org/index.php/Category:OWASP_Google_Hacking_Project<br />
* http://www.owasp.org/index.php/Testing:_Search_engine_discovery/reconnaissance_%28OWASP-IG-002%29<br />
* http://www.owasp.org/index.php/Testing:_Spiders,_Robots,_and_Crawlers_%28OWASP-IG-001%29<br />
<br />
== Web Application Firewalls (May 20th 2010) ==<br />
=== WHEN ===<br />
May 20th, 2010 (18:00 - 21:30). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
Location: http://www.setuputrecht.nl/ <br><br />
SETUP is located at the Neude square in Utrecht (Neude 4) in the new office of the Dutch Game Garden.<br><br />
(entrance at the back of the ABNamro building on “het Neude”) <br><br />
[[Image:lokatie_setup_google.gif|200px]] <br><br />
| width="650" | <br />
[[Image:Setup_logo.jpg|200px]] <br><br />
<br />
[[Image:itq_logo.jpg|200px]] <br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 Web Application Firewalls in dynamic environments</b> (by Alexander Meisel)<br><br />
Alexander Meisel is the CTO of 'art of defence' (AOD), a German-based software vendor. The company specializes in high performance deployments of Web Application Firewalls in very dynamic environments all over the world.<br />
<br />
Abstract:<br />
The current trend towards cloud computing forces everybody to deploy services in a virtual environment. In current dedicated environments WAFs (Web Application Firewalls) are mostly deployed as a hardware (black) box, which is easy at first but limits them to low performance web cluster architectures. Moving those systems, virtualized, into a cloud environment makes almost no sense because of the resource limitations.<br />
The solution is a redesign which enables WAFs to be part of a true message based cloud system. This talk explains how truly virtualized and distributed web applications are architected, work and scale in high performance environments. <br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 - 21:00 Bypassing Web Application Firewalls </b>(by Sandro Gauci)<br><br />
Sandro Gauci is the owner and founder of EnableSecurity (www.enablesecurity.com), where he performs R&D and security consultancy for mid-sized companies. Sandro has over 9 years of experience in the security industry and is focused on analysis of security challenges and providing solutions to such threats. His passion is vulnerability research, and he has previously worked together with various vendors such as Microsoft and Sun to fix security holes. Sandro is the author of the free VoIP security scanning suite SIPVicious (sipvicious.org) and VOIPPACK for CANVAS.<br />
<br />
Abstract:<br />
WAFs or Web Application Firewalls are being deployed to fix security issues in your web applications. The question is, are they?<br />
In this presentation we take a look at some of the issues related to making use of this solution and how it may affect the overall security posture of your web application. Finally we will describe tools to automate detection of WAFs, and also tools to help identify ways to bypass WAFs. This presentation will include updates to the open source WAF security testing tools - WAFFIT. <br><br />
([[Media:2010-05-20_WAFs-Detecting, Bypassing, Exploiting Web Application Firewalls_Sandro Gauci.pdf|the slides in pdf format]])<br><br />
<b>21.00 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_May_20th_2010.pdf]]<br> <br />
<br />
== Database Security (Mar-11-2010) ==<br />
<br />
=== WHEN ===<br />
<br />
Thursday, March 11th, 2010 (18:00 - 21:30). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
ASR Nederland<br> <br> MD0.60 - Auditorium<br> Smallepad 30<br> 3811MG Amersfoort<br> <br />
<br />
| width="650" | <br />
[[Image:ASR Nederland logo.jpg|200px]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 SQL Injection - How far does the rabbit hole go?</b> (By Justin Clarke)<br><br />
<b>Justin Clarke</b> is a co-founder and Director at Gotham Digital Science, based in the United Kingdom. He has over twelve years of experience in assessing the security of networks, web applications, and wireless networks for large financial, retail, technology and government clients in the United States, the United Kingdom and New Zealand.<br />
Justin is the technical editor and lead author of “SQL Injection Attacks and Defense” (Syngress 2009), co-author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O’Reilly 2005), a contributing author to "Network Security Assessment: Know Your Network, 2nd Edition" (O’Reilly 2007), as well as a speaker at a number of conferences and events on security topics, including Black Hat USA, EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society. He is the author of the open source SQLBrute blind SQL injection testing tool, and is the Chapter Leader for the London chapter of OWASP.<br />
SQL Injection - How far does the rabbit hole go? SQL Injection has been around for over 10 years, and yet it is still to this day not truly understood by many security professionals and developers. With the recent mass attacks against sites across the world it has again come to the fore of vulnerabilities under the spotlight; however, many consider it to only be a data access issue, or parameterized queries to be a panacea.<br><br />
This talk starts from what was demonstrated last year at Black Hat in Las Vegas, where a self-propagating SQL Injection worm was demonstrated live on stage. It explores some of the deeper, darker areas of SQL Injection, hybrid attacks, and exploiting obscure database functionality.<br><br />
([[Media:OWASP-SQLInjection5nov09.pdf|the slides in pdf format]])<br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 – 20.30 VAC Insecure Direct Object Reference</b> (By Marinus Kuivenhoven)<br><br />
<b>Marinus Kuivenhoven</b> is a Senior Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems. At Sogeti Nederland B.V. he is also an active member of the PaSS (Proactive Security Strategy) software taskforce focusing on secure application development. Marinus also developed and teaches several application security courses both within and outside Sogeti. In the past years he has written for magazines such as Computable and We Love IT, and he has spoken at a number of conferences and events like OWASP, Recent OO Trends, Open Source Developer Conference and Engineering World.<br />
<b>Vulnerability:</b> Insecure Direct Object Reference is when a web application exposes an internal implementation object to the user. Some examples of internal implementation objects are database records, URLs, or files.<br><br />
<b>Attack:</b> An attacker can modify the internal implementation object in an attempt to abuse the access controls on this object. When the attacker does this they may have the ability to access functionality that the developer didn’t intend to expose access to.<br><br />
<b>Countermeasure:</b> References should be validated for authorization and accessed through reference maps. How this should be done will be shown.<br><br />
([[Media:20100311_VAC-IDOR_Marinus Kuivenhoven.pdf|the slides in pdf format]])<br><br />
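The countermeasure named in the VAC above, as an added example that is not from the talk, its slides or any OWASP project code: the direct lookup that makes the vulnerability possible is shown beside a hardened lookup that resolves client-supplied references through a per-user indirect reference map and re-checks ownership. The invoice store and the user names are constructed sample data.<br />
<br />
```python
"""Insecure Direct Object Reference: vulnerable lookup vs. indirect reference map.

Added example, not from the talk or its slides.  The invoice store and the
users "alice" and "bob" are constructed sample data.
"""
import secrets

# Constructed sample data: internal record id -> record.  In a real application
# these are database rows, and the integer id is what a user would otherwise
# tamper with in a request such as /invoice?id=1002.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 75.50},
}


class AccessDenied(Exception):
    """Raised when a reference is unknown or not authorized for the user."""


def vulnerable_get_invoice(user, invoice_id):
    """Insecure Direct Object Reference: the client-supplied internal id is used
    as-is and the record owner is never compared with the requesting user."""
    return INVOICES.get(invoice_id)


class ReferenceMap:
    """Per-user (in practice per-session) map between random, opaque tokens
    handed to the client and the internal ids they stand for.  Only objects the
    user is authorized to see ever receive a token, so the client cannot name an
    object it was never shown, and guessing a token is infeasible."""

    def __init__(self, user):
        self.user = user
        self._to_internal = {}   # token -> internal id
        self._to_token = {}      # internal id -> token

    def _authorized(self, internal_id):
        record = INVOICES.get(internal_id)
        return record is not None and record["owner"] == self.user

    def token_for(self, internal_id):
        """Create (or reuse) the opaque token for an internal id the user may access."""
        if not self._authorized(internal_id):
            raise AccessDenied(f"{self.user} may not reference {internal_id}")
        if internal_id not in self._to_token:
            token = secrets.token_urlsafe(16)   # 128 bits of randomness
            self._to_token[internal_id] = token
            self._to_internal[token] = internal_id
        return self._to_token[internal_id]

    def internal_for(self, token):
        """Resolve a client-supplied token; anything not in the map is rejected."""
        if token not in self._to_internal:
            raise AccessDenied(f"unknown reference for {self.user}")
        return self._to_internal[token]


def list_invoices(refmap):
    """What the application renders to the user: tokens for their own invoices only."""
    return [refmap.token_for(i) for i, rec in INVOICES.items()
            if rec["owner"] == refmap.user]


def hardened_get_invoice(refmap, token):
    """Resolve the token through the map, then re-check ownership as defence in depth."""
    internal_id = refmap.internal_for(token)
    record = INVOICES[internal_id]
    if record["owner"] != refmap.user:
        raise AccessDenied("ownership check failed")
    return record


def can_access(refmap, token):
    """True if the hardened lookup succeeds, False if it is denied."""
    try:
        hardened_get_invoice(refmap, token)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    alice = ReferenceMap("alice")
    tokens = list_invoices(alice)
    print("tokens shown to alice:", tokens)
    # The vulnerable lookup hands alice bob's invoice when she supplies his id.
    print("vulnerable lookup of id 1002 by alice:", vulnerable_get_invoice("alice", 1002))
    # The hardened lookup never resolves a raw id, nor another user's token.
    print("hardened lookup of '1002' by alice:", can_access(alice, "1002"))
    print("alice's token used by bob:", can_access(ReferenceMap("bob"), tokens[0]))
```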
<b>20.30 – 21.15 Overlooked Resources and Practices</b> (By Justin Clarke)<br><br />
In his second presentation, Justin Clarke discussed OWASP resources and best practices by highlighting some OWASP projects and underused security practices. He shared his experiences in his daily work as well as the known pitfalls.<br><br />
([[Media:20100311_Overlooked_Resources_and _Practices-Justin_Clarke.pdf|the slides in pdf format]])<br><br />
<b>21.15 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_March_11th_2010.pdf]]<br> <br />
The flyer of this meeting: [[Media:Owasp_NL_march2010.pdf]] <br> <br />
<br />
== Past Events ==<br />
<br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
==== Call for Speakers ====<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills? Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a recurring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
==== Chapter Leaders ====<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[mailto:bert.koelewijn@owasp.org Bert Koelewijn], ASR <br />
*[mailto:ferdinand.vroom@owasp.org Ferdinand Vroom], Nationale Nederlanden<br />
*[mailto:martin.knobloch@owasp.org Martin Knobloch], Sogeti <br />
*[mailto:peter.gouwentak@owasp.org Peter Gouwentak], ING <br />
<br />
Our goal is to professionalize the local OWASP functioning, provide a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: target audiences, different events and interactions of OWASP global – local projects.<br />
<br />
==== Chapter Sponsoring ====<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. If you are interested in sponsoring the Netherlands chapter, please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
<br>If you would like to donate to our chapter, please use the PayPal link below. Thank you! <br />
<br />
<br><paypal>Netherlands</paypal> <br />
__NOTOC__<headertabs/></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Netherlands&diff=85684Netherlands2010-06-30T13:20:41Z<p>Martinknobloch: </p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br> <br />
<br />
==== Local News ====<br />
=== Workshop Google Hacking ===<br />
We have a special OWASP meeting around HITB!<br />
<br />
Christian Heinrich, from OWASP Australia and project lead of the OWASP Google Hacking project:<br />
http://www.owasp.org/index.php/Category:OWASP_Google_Hacking_Project<br />
<br />
Christian, known for his effort on Google hacking, is coming to the Netherlands for the HITB conference. He is willing to give a Google Hacks and Skipfish workshop:<br><br />
* http://www.owasp.org/index.php/Category:OWASP_Google_Hacking_Project<br />
* http://www.owasp.org/index.php/Testing:_Search_engine_discovery/reconnaissance_%28OWASP-IG-002%29<br />
* http://www.owasp.org/index.php/Testing:_Spiders,_Robots,_and_Crawlers_%28OWASP-IG-001%29<br />
<br />
Please see tab "Chapter Meetings" for more details. <br />
This will take place june 30th:<br />
<br />
Location:<br />
Sogeti Netherland<br />
Wildenborch 3 <br />
1112 xb Diemen<br />
<br />
=== HITB 2010 Amsterdam ===<br />
The FIRST EVER HITBSecConf in Europe, HITBSecConf 2010 - Amsterdam takes place at the NH Grand Krasnapolsky from the 29th of June till the 2nd of July with a QUAD TRACK line up!<br />
<br />
OWASP members get a special offer:<br><br />
OWASP MEMBERS SAVE EUR200 OFF THE CONFERENCE PRICE!!! <br><br />
EUR699 instead of EUR899.This offer is limited to the first 50 registrations.<br><br />
OWASP members are encouraged to register as soon as possible to avoid disappointment.<br><br />
Please supply your OWASP membership ID to the registration!<br><br />
<br />
Conference Website: http://conference.hitb.org/hitbsecconf2010ams/<br><br />
29th & 30th June - Hands on Technical Training Sessions <br />
<br />
==== Chapter Meetings ====<br />
<br />
== 2010 Schedule ==<br />
<br />
*March 11th, 18.00 - 21.30 Topic: Database Security<br />
*May 20th, 18.00 - 21.30 Topic: Web Application Firewalls <br />
*June 30th, 18:00 - 21:00 Workshop Google Hacks & Skipfish<br />
*September 23rd, 18.00 - 21.30 Topic: Security in Content Management Systems <br />
*November 18th, 18.00 - 21.30 Topic &nbsp;: TBD<br />
<br />
<br><br />
<br />
== REGISTRATION ==<br />
<br />
To register for a chapter meeting (first register, first serve)! Please '''send an email''' to: [mailto:netherlands@owasp.org netherlands 'at' owasp.org].<br />
<br />
== Workshop Google Hacks & Skipfish (June 30th 2010)==<br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
Sogeti Nederland B.V<br> <br> Sogeti Netherland Wildenborch 3 1112 xb Diemen <br> <br />
| width="650" | <br />
[[Image:Logo_Sogeti.jpg|200px]] <br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Opening (OWASP organization, projects, sponsor)</b><br><br />
<b>18:45 - 19:00 Break</b><br><br />
<b>19:00 - 21:00 Workshop Google Hacking & Skipfish</b><br><br />
<b>21:00 - 21:30 Discussion, questions and social networking</b><br />
<br />
===Bios===<br />
<br />
Christian Heinrich is the Project Leader of the OWASP "Google Hacking" Project i.e. "Download Indexed Cache" and has contributed to the "Spiders/Robots/Crawlers" and "Search Engine Reconnaissance" sections of the OWASP Testing Guide v3 and more recently to the development of the OWASP Top Ten and Application Security Verification Standard (ASVS) OWASP Projects.<br />
He has presented at OWASP Conferences in USA, Australia and Europe and OWASP Chapters in London, UK and Sydney and Melbourne, Australia.<br><br />
<br />
<u>Google Hacking:</u><br />
<br />
Google Hacks is a compilation of carefully crafted Google searches that expose novel functionality from Google's search and map services. For example, you can use it to view a timeline of your search results, view a map, search for music, search for books, and perform many other specific kinds of searches. You can also use this program to use google as a proxy.<br><br />
<br />
<u>Skipfish:</u><br />
<br />
A fully automated, active web application security reconnaissance tool.<br />
Key features:<br />
High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets.<br />
Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.<br />
Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.<br><br />
<br />
<u> The relevant links: </u><br />
* http://www.owasp.org/index.php/Category:OWASP_Google_Hacking_Project<br />
* http://www.owasp.org/index.php/Testing:_Search_engine_discovery/reconnaissance_%28OWASP-IG-002%29<br />
* http://www.owasp.org/index.php/Testing:_Spiders,_Robots,_and_Crawlers_%28OWASP-IG-001%29<br />
<br />
== Web Application Firewalls (May 20th 2010) ==<br />
=== WHEN ===<br />
May 2010 (18h00pm-21h30pm). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
Location: http://www.setuputrecht.nl/ <br><br />
SETUP is gevestigd aan het Neude plein in Utrecht (Neude 4) in het nieuwe kantoor van de Dutch Game Garden.<br><br />
(entrance at the back of the ABNamro building on “het Neude”) <br><br />
[[Image:lokatie_setup_google.gif|200px]] <br><br />
| width="650" | <br />
[[Image:Setup_logo.jpg|200px]] <br><br />
<br />
[[Image:itq_logo.jpg|200px]] <br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 Web Application Firewalls in dynamic environments</b>(by Alexander Meisel)<br><br />
Alexander Meisel is the CTO of 'art of defence' (AOD), a German based software vendor. The company specializes in high performance deployments of Web Application Firewalls in very dynamic environments all over the world.<br />
<br />
Abstract:<br />
The current trend towards cloud computing forces everybody to deploy services in a virtual environment. In current dedicated environments WAFs or Web Application Firewalls are mostly deployed as a hardware (black) box which is easy at first but limits them to only low performance web cluster architectures. Moving those systems virtualized into a cloud environment makes almost no sense because of the resource limitations.<br />
The is solution is a redesign which enables WAFs to be part of a true message based cloud system. This talk explains how truly virtualized and distributed web applications are architected, work and scale in high performance environments. <br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 - 21:00 Bypassing Web Application Firewalls </b>(by Sandro Gauci)<br><br />
Sandro Gauci is the owner and Founder of EnableSecurity (www.enablesecurity.com) where he performs R&D and security consultancy for mid-sized companies. Sandro has over 9 years experience in the security industry and is focused on analysis of security challenges and providing solutions to such threats. Hispassion is vulnerability research and has previously worked together with various endors such as Microsoft and Sun to fix security holes. Sandro is the author of the free VoIP security scanning suite SIPVicious (sipvicious.org) and VOIPPACK for CANVAS.<br />
<br />
Abstract:<br />
WAFs or Web Application Firewalls are being deployed to fix security issues in your web applications. The question is, are they?<br />
In this presentation we take a look at some of the issues related to making use of this solution and how it may affect the overall security posture of your web application. Finally we will describe tools to automate detection of WAFs, and also tools to help identify ways to bypass WAFs. This presentation will include updates to the open source WAF security testing tools - WAFFIT. <br><br />
([[Media:2010-05-20_WAFs-Detecting, Bypassing, Exploiting Web Application Firewalls_Sandro Gauci.pdf|the slides in pdf format]])<br><br />
<b>21.00 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_May_20th_2010.pdf]]<br> <br />
<br />
== Database Security (Mar-11-2010) ==<br />
<br />
=== WHEN ===<br />
<br />
Thurday, March 11th, 2010 (18h00pm-21h30pm). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
ASR Nederland<br> <br> MD0.60 - Auditorium<br> Smallepad 30<br> 3811MG Amersfoort<br> <br />
<br />
| width="650" | <br />
[[Image:ASR Nederland logo.jpg|200px]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 SQL Injection - How far does the rabbit hole go?</b> (By Justin Clarke)<br><br />
<b>Justin Clarke</b> is a co-founder and Director at Gotham Digital Science, based in the United Kingdom. He has over twelve years of experience in assessing the security of networks, web applications, and wireless networks for large financial, retail, technology and government clients in the United States, the United Kingdom and New Zealand.<br />
Justin is the the technical editor and lead author of “SQL Injection Attacks and Defense” (Syngress 2009), co-author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O’Reilly 2005), a contributing author to "Network Security Assessment: Know Your Network, 2nd Edition" (O’Reilly 2007), as well as a speaker at a number of conferences and events on security topics, including Black Hat USA, EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society. He is the author of the open source SQLBrute blind SQL injection testing tool, and is the Chapter Leader for the London chapter of OWASP.<br />
SQl Injection - How far does the rabbit hole go? SQL Injection has been around for over 10 years, and yet it is still to this day not truly understood by many security professionals and developers. With the recent mass attacks against sites across the world it has again come to the fore of vulnerabilities under the spotlight, however many consider it to only be a data access issue, or parameterized queries to be a panacea.<br><br />
This talk starts from what was demonstrated last year at Black Hat in Las Vegas, where a self propagating SQL Injection worm was demonstrated live on stage. Explore some of the deeper, darker areas of SQL Injection, hybrid attacks, and exploiting obscure database functionality<br><br />
([[Media:OWASP-SQLInjection5nov09.pdf|the slides in pdf format]])<br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20. 00 – 20.30 VAC Insecure Direct Object Reference</b> (By Marinus Kuivenhoven)<br><br />
<b>Marinus Kuivenhoven</b> is a Senior Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience include developing and administrating Oracle-based systems. At Sogeti Nederland B.V. he is also an active member of the PaSS -Software(Proactive Security Strategy) taskforce focusing on secure application development. Marinus also developed and teaches several application security courses both within and outside Sogeti. In the past years he has written for magazine such as Computable and We Love IT. And he has spoken on a number of conferences and events like OWASP, Recent OO Trends, Open Source Developer Conference and Engineering World.<br />
<b>Vulnerability:</b> Insecure Direct Object Reference is when a web application exposes an internal implementation object to the user. Some examples of internal implementation objects are database records, URLs, or files.<br><br />
<b>Attack:</b> An attacker can modify the internal implementation object in an attempt to abuse the access controls on this object. When the attacker does this they may have the ability to access functionality that the developer didn’t intend to expose access to.<br><br />
<b>Countermeasure:</b> Reference should be validated for authorization and accessed through reference maps. How this should be done will be shown.<br><br />
([[Media:20100311_VAC-IDOR_Marinus Kuivenhoven.pdf|the slides in pdf format]])<br><br />
<b>20.30 – 21.15 Overlooked Resources and Practices</b> (By Justin Clarke)<br><br />
In his second presentation, Justin Clarke discussed OWASP resources and best practices by highlighting some OWASP projects and underused security practices. He shared his experiences in his daily work as well as the known pitfalls.<br><br />
([[Media:20100311_Overlooked_Resources_and _Practices-Justin_Clarke.pdf|the slides in pdf format]])<br><br />
<b>21.15 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_March_11th_2010.pdf]]<br> <br />
The flyer of this meeting: [[Media:Owasp_NL_march2010.pdf]] <br> <br />
<br />
== Past Events ==<br />
<br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
==== Call for Speakers ====<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills. Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a re occuring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
==== Chapter Leaders ====<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[mailto:bert.koelewijn@owasp.org Bert Koelewijn], ASR <br />
*[mailto:ferdinand.vroom@owasp.org Ferdinand Vroom], Nationale Nederlanden<br />
*[mailto:martin.knobloch@owasp.org Martin Knobloch], Sogeti <br />
*[mailto:peter.gouwentak@owasp.org Peter Gouwentak], ING <br />
<br />
Our goal is to professionalize the local OWASP functioning, provide in a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5 year target on: Target audiences, Different events and Interactions of OWASP global – local projects.<br />
<br />
==== Chapter Sponsoring ====<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. If you are interested in sponsoring the Netherlands chapter, please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
<br>If you would like to donate to our chapter, please use the PayPal link below. Thank you! <br />
<br />
<br><paypal>Netherlands</paypal> <br />
__NOTOC__<headertabs/></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Category:OWASP_CTF_Project&diff=85125Category:OWASP CTF Project2010-06-18T20:35:14Z<p>Martinknobloch: </p>
<hr />
<div>==== Main ====<br />
<b>Welcome to the OWASP Capture The Flag (CTF) project!</b><br><br />
<br />
First of all... sorry, but of course, we cannot make the CTF and its challenges open source.<br />
My apologies for not being as open as I want OWASP and OWASP projects to be.<br />
..I know you understand!<br />
<br />
Ahead of the OWASP AppSec-NY in 2009, the idea came up to offer an OWASP CTF event. This was repeated successfully at AppSec-EU 2009. Both were developed by volunteering individuals who put in a big amount of work, building the CTF from scratch.<br />
As the CTF event was warmly welcomed by those who participated, it was clear that the CTF had to become an event available at every OWASP conference. To make this possible, the CTF project has been created!<br />
<br />
== The CTF ==<br />
<br />
The OWASP CTF project is a web-based hacking challenge application with challenges categorized in web, network and 'others'. You need creativity, resourcefulness and networking skills to solve the various challenges.<br />
=== what do I need to participate ===<br />
To participate in a CTF event, all you need is your laptop.<br />
The CTF is normally reachable over a wireless network.<br />
Some conference venues do not allow local wireless networks; in that case the CTF is made available over a wired LAN.<br />
=== joining the CTF ===<br />
To participate in a CTF event, register on the online application. Attendees are expected to register with the CTF organizer first.<br />
<br />
<br />
== Roadmap ==<br />
<br />
* Rework framework<br />
* Developing challenges<br />
<br />
==== the CTF at your event ====<br />
<br />
First of all... sorry, but of course, we cannot make the CTF and its challenges open source. My apologies for not being as open as I want OWASP and OWASP projects to be. <br />
There is no download location for the CTF.<br />
<br />
..I know you understand!<br />
Nevertheless, I am sharing as much as I can. <br />
<br />
<br />
= past events = <br />
<br />
* AppSec-EU Poland<br />
* AppSec-DC<br />
<br />
<br />
= future events = <br />
* AppSec Research<br />
* AppSec-Ireland<br />
<br />
==== playing the CTF ====<br />
Playing:<br />
Register with the CTF organizer with your MAC address and participant name. Once you have access to the application, register with your chosen game name and the game starts for you.<br />
You can join whenever you like once the game has started, until the declared end of the game.<br />
Rules:<br />
* You play with your own laptop<br />
* The game is open during conference hours.<br />
* Attacking the CTF infrastructure outside of the challenges results in disqualification<br />
* Attacking CTF competitors results in disqualification<br />
Scoring:<br />
For each solved challenge you score points; the number depends on the difficulty of the challenge. <br />
* Whoever has the most points wins.<br />
* On equal scores, whoever reached the score first wins.<br />
* Groups and single players are treated the same<br />
<br />
This is a proposal of rules. They can be changed, depending on the event where the CTF is held!<br />
=== who can participate in the CTF ===<br />
* Single players: everyone can participate in a CTF event on their own<br />
* Groups: you can team up with others and participate as a group. Dividing the prizes is the responsibility of the group members though<br />
<br />
<br />
=== pointing system ===<br />
Each challenge is worth a certain number of points, depending on its difficulty. Solving a challenge yields a key; enter that key in your account screen and the points are added to your account. On equal points, whoever scored first wins!<br />
<br />
<br />
== categories ==<br />
The challenges are categorized in Web, Networking and Forensic. <br />
* Web challenges<br />
* Networking challenges<br />
* Forensic challenges<br />
<br />
== score board ==<br />
For each category, there will be 4 challenges in different difficulty:<br />
* 200 points<br />
* 300 points<br />
* 500 points<br />
* 750 points<br />
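As an added illustration of the scoring described above (example code written for this page, not the OWASP CTF project's own framework), a minimal key-submission and ranking routine: flags are kept only as SHA-256 digests so the scoreboard never stores plaintext keys, a submitted key is compared in constant time, a player cannot score the same challenge twice, and ties on points are broken by who reached the score first. The challenge ids, point values and flags are constructed for the example.

```python
"""CTF key submission and ranking (added example, not the OWASP CTF code).

Scoring rules taken from the page: each challenge is worth a fixed number of
points by difficulty, solving it yields a key that the player submits, and on
equal points the player who reached the score first ranks higher.
"""
import hashlib
import hmac
import time

# Constructed challenge set: ids, flags and point values are invented here.
SAMPLE_FLAGS = {
    "web-200": ("OWASP{sample-web-200}", 200),
    "net-300": ("OWASP{sample-net-300}", 300),
    "forensic-500": ("OWASP{sample-forensic-500}", 500),
}


def flag_digest(flag: str) -> str:
    """Hash a key so the scoreboard never has to store plaintext flags."""
    return hashlib.sha256(flag.strip().encode("utf-8")).hexdigest()


# The scoreboard only ever holds the digest and the point value.
CHALLENGES = {cid: {"digest": flag_digest(flag), "points": pts}
              for cid, (flag, pts) in SAMPLE_FLAGS.items()}


class Scoreboard:
    def __init__(self, challenges, clock=time.monotonic):
        self.challenges = challenges
        self.clock = clock            # injectable so tests are deterministic
        self.solved = {}              # player -> set of solved challenge ids
        self.score = {}               # player -> (points, time of last solve)

    def submit(self, player: str, challenge_id: str, key: str) -> bool:
        """Accept a key for a challenge; True only when points were awarded."""
        challenge = self.challenges.get(challenge_id)
        if challenge is None:
            return False
        solved = self.solved.setdefault(player, set())
        if challenge_id in solved:
            return False              # no double scoring of one challenge
        # Constant-time comparison of the digests, so a wrong key does not
        # leak how many characters were correct through timing.
        if not hmac.compare_digest(flag_digest(key), challenge["digest"]):
            return False
        solved.add(challenge_id)
        points = self.score.get(player, (0, 0.0))[0] + challenge["points"]
        self.score[player] = (points, self.clock())
        return True

    def ranking(self):
        """Players by points descending; equal points go to the earlier solve."""
        return sorted(self.score,
                      key=lambda p: (-self.score[p][0], self.score[p][1]))
```

The tie-break uses the time of the last scoring submission, which is exactly "who reached this total first"; a player who later overtakes on points moves ahead regardless of time.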
<br />
==== Project Identification ====<br />
<br />
[[Category:OWASP Project|CTF Project]]<br />
[[Category:OWASP Document]]<br />
[[Category:OWASP Alpha Quality Document]]<br />
<br />
{{:GPC Project Details/OWASP CTF Project | OWASP Project Identification Tab}}<br />
<br />
__NOTOC__<br />
<headertabs/></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Netherlands&diff=85008Netherlands2010-06-17T08:13:43Z<p>Martinknobloch: /* Workshop Google Hacking */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br> <br />
<br />
==== Local News ====<br />
=== Workshop Google Hacking ===<br />
We have a special OWASP meeting around HITB!<br />
<br />
Christian Heinrich, from OWASP Australia and project lead of the OWASP Google Hacking project:<br />
http://www.owasp.org/index.php/Category:OWASP_Google_Hacking_Project<br />
<br />
Christian, known for his work on Google hacking, is coming to the Netherlands for the HITB conference. He is willing to give a Google Hacks and Skipfish workshop:<br><br />
- Skipfish: http://code.google.com/p/skipfish/<br><br />
- Googlehacking: http://code.google.com/p/googlehacks/<br><br />
<br />
Please see tab "Chapter Meetings" for more details. <br />
This will take place on June 30th:<br />
<br />
Location:<br />
Sogeti Netherland<br />
Wildenborch 3 <br />
1112 xb Diemen<br />
<br />
=== HITB 2010 Amsterdam ===<br />
The FIRST EVER HITBSecConf in Europe, HITBSecConf 2010 - Amsterdam takes place at the NH Grand Krasnapolsky from the 29th of June till the 2nd of July with a QUAD TRACK line up!<br />
<br />
OWASP members get a special offer:<br><br />
OWASP MEMBERS SAVE EUR200 OFF THE CONFERENCE PRICE!!! <br><br />
EUR699 instead of EUR899.This offer is limited to the first 50 registrations.<br><br />
OWASP members are encouraged to register as soon as possible to avoid disappointment.<br><br />
Please supply your OWASP membership ID to the registration!<br><br />
<br />
Conference Website: http://conference.hitb.org/hitbsecconf2010ams/<br><br />
29th & 30th June - Hands on Technical Training Sessions <br />
<br />
==== Chapter Meetings ====<br />
<br />
== 2010 Schedule ==<br />
<br />
*March 11th, 18.00 - 21.30 Topic: Database Security<br />
*May 20th, 18.00 - 21.30 Topic: Web Application Firewalls <br />
*June 30th, 18:00 - 21:00 Workshop Google Hacks & Skipfish<br />
*September 23rd, 18.00 - 21.30 Topic: Security in Content Management Systems <br />
*November 18th, 18.00 - 21.30 Topic &nbsp;: TBD<br />
<br />
<br><br />
<br />
== REGISTRATION ==<br />
<br />
To register for a chapter meeting (first come, first served), please '''send an email''' to: [mailto:netherlands@owasp.org netherlands 'at' owasp.org].<br />
<br />
== Workshop Google Hacks & Skipfish (June 30th 2010)==<br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
Sogeti Nederland B.V.<br> <br> Wildenborch 3<br> 1112 XB Diemen <br> <br />
| width="650" | <br />
[[Image:Logo_Sogeti.jpg|200px]] <br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Opening (OWASP organization, projects, sponsor)</b><br><br />
<b>19:00 - 21:00 Workshop Google Hacking & Skipfish</b><br />
Bios:<br><br />
Christian Heinrich is the Project Leader of the OWASP "Google Hacking" Project i.e. "Download Indexed Cache" and has contributed to the "Spiders/Robots/Crawlers" and "Search Engine Reconnaissance" sections of the OWASP Testing Guide v3 and more recently to the development of the OWASP Top Ten and Application Security Verification Standard (ASVS) OWASP Projects.<br />
He has presented at OWASP Conferences in USA, Australia and Europe and OWASP Chapters in London, UK and Sydney and Melbourne, Australia.<br><br />
<u>Google Hacking:</u><br><br />
Google Hacks is a compilation of carefully crafted Google searches that expose novel functionality from Google's search and map services. For example, you can use it to view a timeline of your search results, view a map, search for music, search for books, and perform many other specific kinds of searches. You can also use this program to use Google as a proxy.<br><br />
<u>Skipfish:</u><br><br />
A fully automated, active web application security reconnaissance tool.<br><br />
Key features:<br><br />
High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets.<br />
Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.<br />
Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.<br><br />
<b>21.00 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
== Web Application Firewalls (May 20th 2010) ==<br />
=== WHEN ===<br />
Thursday, May 20th, 2010 (18:00 - 21:30). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
Location: http://www.setuputrecht.nl/ <br><br />
SETUP is located on the Neude square in Utrecht (Neude 4), in the new office of the Dutch Game Garden.<br><br />
(entrance at the back of the ABNamro building on “het Neude”) <br><br />
[[Image:lokatie_setup_google.gif|200px]] <br><br />
| width="650" | <br />
[[Image:Setup_logo.jpg|200px]] <br><br />
<br />
[[Image:itq_logo.jpg|200px]] <br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 Web Application Firewalls in dynamic environments</b> (by Alexander Meisel)<br><br />
Alexander Meisel is the CTO of 'art of defence' (AOD), a German based software vendor. The company specializes in high performance deployments of Web Application Firewalls in very dynamic environments all over the world.<br />
<br />
Abstract:<br />
The current trend towards cloud computing forces everybody to deploy services in a virtual environment. In current dedicated environments WAFs or Web Application Firewalls are mostly deployed as a hardware (black) box which is easy at first but limits them to only low performance web cluster architectures. Moving those systems virtualized into a cloud environment makes almost no sense because of the resource limitations.<br />
The solution is a redesign that enables WAFs to be part of a true message-based cloud system. This talk explains how truly virtualized and distributed web applications are architected, work and scale in high performance environments. <br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 - 21:00 Bypassing Web Application Firewalls </b>(by Sandro Gauci)<br><br />
Sandro Gauci is the owner and founder of EnableSecurity (www.enablesecurity.com), where he performs R&D and security consultancy for mid-sized companies. Sandro has over 9 years of experience in the security industry and focuses on the analysis of security challenges and providing solutions to such threats. His passion is vulnerability research, and he has previously worked together with various vendors such as Microsoft and Sun to fix security holes. Sandro is the author of the free VoIP security scanning suite SIPVicious (sipvicious.org) and of VOIPPACK for CANVAS.<br />
<br />
Abstract:<br />
WAFs or Web Application Firewalls are being deployed to fix security issues in your web applications. The question is, are they?<br />
In this presentation we take a look at some of the issues related to making use of this solution and how it may affect the overall security posture of your web application. Finally we will describe tools to automate detection of WAFs, and also tools to help identify ways to bypass WAFs. This presentation will include updates to the open source WAF security testing tools - WAFFIT. <br><br />
([[Media:2010-05-20_WAFs-Detecting, Bypassing, Exploiting Web Application Firewalls_Sandro Gauci.pdf|the slides in pdf format]])<br><br />
<b>21.00 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_May_20th_2010.pdf]]<br> <br />
<br />
== Database Security (Mar-11-2010) ==<br />
<br />
=== WHEN ===<br />
<br />
Thursday, March 11th, 2010 (18:00 - 21:30). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
ASR Nederland<br> <br> MD0.60 - Auditorium<br> Smallepad 30<br> 3811MG Amersfoort<br> <br />
<br />
| width="650" | <br />
[[Image:ASR Nederland logo.jpg|200px]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 SQL Injection - How far does the rabbit hole go?</b> (By Justin Clarke)<br><br />
<b>Justin Clarke</b> is a co-founder and Director at Gotham Digital Science, based in the United Kingdom. He has over twelve years of experience in assessing the security of networks, web applications, and wireless networks for large financial, retail, technology and government clients in the United States, the United Kingdom and New Zealand.<br />
Justin is the technical editor and lead author of “SQL Injection Attacks and Defense” (Syngress 2009), co-author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O’Reilly 2005), a contributing author to "Network Security Assessment: Know Your Network, 2nd Edition" (O’Reilly 2007), as well as a speaker at a number of conferences and events on security topics, including Black Hat USA, EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society. He is the author of the open source SQLBrute blind SQL injection testing tool, and is the Chapter Leader for the London chapter of OWASP.<br />
SQL Injection - How far does the rabbit hole go? SQL Injection has been around for over 10 years, and yet to this day it is still not truly understood by many security professionals and developers. With the recent mass attacks against sites across the world it has again come to the fore of vulnerabilities under the spotlight; however, many consider it to be only a data access issue, or parameterized queries to be a panacea.<br><br />
This talk starts from what was demonstrated last year at Black Hat in Las Vegas, where a self propagating SQL Injection worm was demonstrated live on stage. Explore some of the deeper, darker areas of SQL Injection, hybrid attacks, and exploiting obscure database functionality<br><br />
([[Media:OWASP-SQLInjection5nov09.pdf|the slides in pdf format]])<br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 – 20.30 VAC Insecure Direct Object Reference</b> (By Marinus Kuivenhoven)<br><br />
<b>Marinus Kuivenhoven</b> is a Senior Technology Specialist with Sogeti Nederland B.V., specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems. At Sogeti Nederland B.V. he is also an active member of the PaSS (Proactive Security Strategy) taskforce focusing on secure application development. Marinus also developed and teaches several application security courses both within and outside Sogeti. In the past years he has written for magazines such as Computable and We Love IT, and he has spoken at a number of conferences and events such as OWASP, Recent OO Trends, Open Source Developer Conference and Engineering World.<br />
<b>Vulnerability:</b> Insecure Direct Object Reference is when a web application exposes an internal implementation object to the user. Some examples of internal implementation objects are database records, URLs, or files.<br><br />
<b>Attack:</b> An attacker can modify the internal implementation object in an attempt to abuse the access controls on this object. When the attacker does this they may have the ability to access functionality that the developer didn’t intend to expose access to.<br><br />
<b>Countermeasure:</b> Reference should be validated for authorization and accessed through reference maps. How this should be done will be shown.<br><br />
([[Media:20100311_VAC-IDOR_Marinus Kuivenhoven.pdf|the slides in pdf format]])<br><br />
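To make the VAC above concrete, an added example (written for this page, not taken from the presentation or its slides): a vulnerable lookup that uses a record id straight from the request next to a hardened one that follows the stated countermeasure, resolving a per-session indirect reference map and still validating ownership of the real object. The invoice records, user names and function names are constructed for the example.

```python
"""Insecure Direct Object Reference: vulnerable lookup beside a hardened one
(added example, not from the presentation).

Countermeasure as named on the page: references are validated for
authorization, and the client only ever handles opaque entries of an indirect
reference map, never the real record ids.
"""
import secrets

# Constructed sample data: invoice records with their owners.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "alice", "amount": 80.50},
    2001: {"owner": "bob", "amount": 999.99},
}


def get_invoice_vulnerable(invoice_id: int) -> dict:
    """Vulnerable: the id comes straight from the request (?id=1001) and is used
    as the database key without checking who owns the record, so any logged-in
    user who changes 1001 to 2001 reads bob's invoice."""
    return INVOICES[invoice_id]


class ReferenceMap:
    """Per-session mapping between real record ids and random opaque tokens.
    The browser sees only the tokens; real ids never leave the server."""

    def __init__(self):
        self._direct_by_token = {}
        self._token_by_direct = {}

    def indirect(self, direct_id: int) -> str:
        """Return (creating on first use) the token standing for a real id."""
        token = self._token_by_direct.get(direct_id)
        if token is None:
            token = secrets.token_urlsafe(16)   # unguessable, session-scoped
            self._token_by_direct[direct_id] = token
            self._direct_by_token[token] = direct_id
        return token

    def direct(self, token: str):
        """Resolve a token to the real id, or None if it was never issued here."""
        return self._direct_by_token.get(token)


class Session:
    def __init__(self, user: str):
        self.user = user
        self.refs = ReferenceMap()


def list_invoices(session: Session) -> dict:
    """What the UI renders: the user's own invoices, keyed by token only."""
    return {session.refs.indirect(invoice_id): record["amount"]
            for invoice_id, record in INVOICES.items()
            if record["owner"] == session.user}


def get_invoice_hardened(session: Session, token: str) -> dict:
    """Hardened: resolve the token through this session's map, then still check
    ownership of the real object. The map stops id guessing; the authorization
    check is the actual control and is never skipped."""
    direct_id = session.refs.direct(token)
    if direct_id is None:
        raise PermissionError("unknown reference")
    record = INVOICES.get(direct_id)
    if record is None or record["owner"] != session.user:
        raise PermissionError("not authorized for this invoice")
    return record


def is_denied(session: Session, token: str) -> bool:
    """True when the hardened lookup refuses the token for this session."""
    try:
        get_invoice_hardened(session, token)
    except PermissionError:
        return True
    return False
```

Because the map is kept per session, a token issued to bob is meaningless in alice's session even if it leaks; and because ownership is checked on the resolved record, a bug that let a token map to a foreign id would still be caught.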
<b>20.30 – 21.15 Overlooked Resources and Practices</b> (By Justin Clarke)<br><br />
In his second presentation, Justin Clarke discussed OWASP resources and best practices by highlighting some OWASP projects and underused security practices. He shared his experiences in his daily work as well as the known pitfalls.<br><br />
([[Media:20100311_Overlooked_Resources_and _Practices-Justin_Clarke.pdf|the slides in pdf format]])<br><br />
<b>21.15 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_March_11th_2010.pdf]]<br> <br />
The flyer of this meeting: [[Media:Owasp_NL_march2010.pdf]] <br> <br />
<br />
== Past Events ==<br />
<br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
==== Call for Speakers ====<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community, and do you have presentation skills? Please let us know! Any topic related to web application security is appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a recurring part of the chapter meetings. The VAC is a half-hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
==== Chapter Leaders ====<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[mailto:bert.koelewijn@owasp.org Bert Koelewijn], ASR <br />
*[mailto:peter.gouwentak@owasp.org Peter Gouwentak], ING <br />
*[mailto:martin.knobloch@owasp.org Martin Knobloch], Sogeti <br />
*[mailto:ferdinand.vroom@owasp.org Ferdinand Vroom], Nationale Nederlanden<br />
<br />
Our goal is to professionalize the way the local chapter operates, build a bigger footprint so that OWASP opportunities (speakers, topics, sponsors, ...) are spotted earlier, and set a five-year target covering target audiences, the kinds of events we run and the interaction between OWASP global and local projects. <br />
<br />
==== Chapter Sponsoring ====<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. If you are interested in sponsoring the Netherlands chapter, please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
<br>If you would like to donate to our chapter, please use the PayPal link below. Thank you! <br />
<br />
<br><paypal>Netherlands</paypal> <br />
__NOTOC__<headertabs/></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Netherlands&diff=85000Netherlands2010-06-16T22:32:06Z<p>Martinknobloch: </p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br> <br />
<br />
==== Local News ====<br />
=== Workshop Google Hacking ===<br />
We have a special OWASP meeting around HITB!<br />
<br />
Christian Heinrich, from OWASP Australia and project lead of the OWASP Google Hacking project:<br />
http://www.owasp.org/index.php/Category:OWASP_Google_Hacking_Project<br />
<br />
Christian, known for his work on Google hacking, is coming to the Netherlands for the HITB conference.<br />
He is willing to give a Google Hacks and Skipfish workshop:<br />
<br />
Skipfish: http://code.google.com/p/skipfish/<br />
Googlehacking: http://code.google.com/p/googlehacks/<br />
<br />
Please see the website for more details. This will take place on June 30th:<br />
<br />
Location:<br />
Sogeti Netherland<br />
Wildenborch 3 <br />
1112 xb Diemen<br />
<br />
=== HITB 2010 Amsterdam ===<br />
The FIRST EVER HITBSecConf in Europe, HITBSecConf 2010 - Amsterdam takes place at the NH Grand Krasnapolsky from the 29th of June till the 2nd of July with a QUAD TRACK line up!<br />
<br />
OWASP members get a special offer:<br><br />
OWASP MEMBERS SAVE EUR200 OFF THE CONFERENCE PRICE!!! <br><br />
EUR699 instead of EUR899.This offer is limited to the first 50 registrations.<br><br />
OWASP members are encouraged to register as soon as possible to avoid disappointment.<br><br />
Please supply your OWASP membership ID to the registration!<br><br />
<br />
Conference Website: http://conference.hitb.org/hitbsecconf2010ams/<br><br />
29th & 30th June - Hands on Technical Training Sessions <br />
<br />
==== Chapter Meetings ====<br />
<br />
== 2010 Schedule ==<br />
<br />
*March 11th, 18.00 - 21.30 Topic: Database Security<br />
*May 20th, 18.00 - 21.30 Topic: Web Application Firewalls <br />
*June 30th, 18:00 - 21:00 Workshop Google Hacks & Skipfish<br />
*September 23rd, 18.00 - 21.30 Topic: Security in Content Management Systems <br />
*November 18th, 18.00 - 21.30 Topic &nbsp;: TBD<br />
<br />
<br><br />
<br />
== REGISTRATION ==<br />
<br />
To register for a chapter meeting (first register, first serve)! Please '''send an email''' to: [mailto:netherlands@owasp.org netherlands 'at' owasp.org].<br />
<br />
== Workshop Google Hacks & Skipfish (June 30th 2010)==<br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
Sogeti Nederland B.V<br> <br> Sogeti Netherland Wildenborch 3 1112 xb Diemen <br> <br />
| width="650" | <br />
[[Image:Logo_Sogeti.jpg|200px]] <br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Opening(OWASP organization, projects, sponsor)</b><br><br />
<b>19:00 - 21:00 Workshop Google Hacking & Skipfish</b><br />
Bios:<br><br />
Christian Heinrich is the Project Leader of the OWASP "Google Hacking" Project i.e. "Download Indexed Cache" and has contributed to the "Spiders/Robots/Crawlers" and "Search Engine Reconnaissance" sections of the OWASP Testing Guide v3 and more recently to the development of the OWASP Top Ten and Application Security Verification Standard (ASVS) OWASP Projects.<br />
He has presented at OWASP Conferences in USA, Australia and Europe and OWASP Chapters in London, UK and Sydney and Melbourne, Australia.<br><br />
<u>Google Hacking:</u><br><br />
Google Hacks is a compilation of carefully crafted Google searches that expose novel functionality from Google's search and map services. For example, you can use it to view a timeline of your search results, view a map, search for music, search for books, and perform many other specific kinds of searches. You can also use this program to use google as a proxy.<br><br />
<u>Skipfish:</u><br><br />
A fully automated, active web application security reconnaissance tool.<br><br />
Key features:<br><br />
High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets.<br />
Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.<br />
Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.<br><br />
<b>21.00 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
== Web Application Firewalls (May 20th 2010) ==<br />
=== WHEN ===<br />
May 2010 (18h00pm-21h30pm). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
Location: http://www.setuputrecht.nl/ <br><br />
SETUP is gevestigd aan het Neude plein in Utrecht (Neude 4) in het nieuwe kantoor van de Dutch Game Garden.<br><br />
(entrance at the back of the ABNamro building on “het Neude”) <br><br />
[[Image:lokatie_setup_google.gif|200px]] <br><br />
| width="650" | <br />
[[Image:Setup_logo.jpg|200px]] <br><br />
<br />
[[Image:itq_logo.jpg|200px]] <br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 Web Application Firewalls in dynamic environments</b>(by Alexander Meisel)<br><br />
Alexander Meisel is the CTO of 'art of defence' (AOD), a German based software vendor. The company specializes in high performance deployments of Web Application Firewalls in very dynamic environments all over the world.<br />
<br />
Abstract:<br />
The current trend towards cloud computing forces everybody to deploy services in a virtual environment. In current dedicated environments WAFs or Web Application Firewalls are mostly deployed as a hardware (black) box which is easy at first but limits them to only low performance web cluster architectures. Moving those systems virtualized into a cloud environment makes almost no sense because of the resource limitations.<br />
The is solution is a redesign which enables WAFs to be part of a true message based cloud system. This talk explains how truly virtualized and distributed web applications are architected, work and scale in high performance environments. <br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 - 21:00 Bypassing Web Application Firewalls </b>(by Sandro Gauci)<br><br />
Sandro Gauci is the owner and Founder of EnableSecurity (www.enablesecurity.com) where he performs R&D and security consultancy for mid-sized companies. Sandro has over 9 years experience in the security industry and is focused on analysis of security challenges and providing solutions to such threats. Hispassion is vulnerability research and has previously worked together with various endors such as Microsoft and Sun to fix security holes. Sandro is the author of the free VoIP security scanning suite SIPVicious (sipvicious.org) and VOIPPACK for CANVAS.<br />
<br />
Abstract:<br />
WAFs or Web Application Firewalls are being deployed to fix security issues in your web applications. The question is, are they?<br />
In this presentation we take a look at some of the issues related to making use of this solution and how it may affect the overall security posture of your web application. Finally we will describe tools to automate detection of WAFs, and also tools to help identify ways to bypass WAFs. This presentation will include updates to the open source WAF security testing tools - WAFFIT. <br><br />
([[Media:2010-05-20_WAFs-Detecting, Bypassing, Exploiting Web Application Firewalls_Sandro Gauci.pdf|the slides in pdf format]])<br><br />
<b>21.00 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_May_20th_2010.pdf]]<br> <br />
<br />
== Database Security (Mar-11-2010) ==<br />
<br />
=== WHEN ===<br />
<br />
Thurday, March 11th, 2010 (18h00pm-21h30pm). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
ASR Nederland<br> <br> MD0.60 - Auditorium<br> Smallepad 30<br> 3811MG Amersfoort<br> <br />
<br />
| width="650" | <br />
[[Image:ASR Nederland logo.jpg|200px]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 SQL Injection - How far does the rabbit hole go?</b> (By Justin Clarke)<br><br />
<b>Justin Clarke</b> is a co-founder and Director at Gotham Digital Science, based in the United Kingdom. He has over twelve years of experience in assessing the security of networks, web applications, and wireless networks for large financial, retail, technology and government clients in the United States, the United Kingdom and New Zealand.<br />
Justin is the the technical editor and lead author of “SQL Injection Attacks and Defense” (Syngress 2009), co-author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O’Reilly 2005), a contributing author to "Network Security Assessment: Know Your Network, 2nd Edition" (O’Reilly 2007), as well as a speaker at a number of conferences and events on security topics, including Black Hat USA, EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society. He is the author of the open source SQLBrute blind SQL injection testing tool, and is the Chapter Leader for the London chapter of OWASP.<br />
SQl Injection - How far does the rabbit hole go? SQL Injection has been around for over 10 years, and yet it is still to this day not truly understood by many security professionals and developers. With the recent mass attacks against sites across the world it has again come to the fore of vulnerabilities under the spotlight, however many consider it to only be a data access issue, or parameterized queries to be a panacea.<br><br />
This talk starts from what was demonstrated last year at Black Hat in Las Vegas, where a self propagating SQL Injection worm was demonstrated live on stage. Explore some of the deeper, darker areas of SQL Injection, hybrid attacks, and exploiting obscure database functionality<br><br />
([[Media:OWASP-SQLInjection5nov09.pdf|the slides in pdf format]])<br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20. 00 – 20.30 VAC Insecure Direct Object Reference</b> (By Marinus Kuivenhoven)<br><br />
<b>Marinus Kuivenhoven</b> is a Senior Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administering Oracle-based systems. At Sogeti Nederland B.V. he is also an active member of the PaSS-Software (Proactive Security Strategy) taskforce focusing on secure application development. Marinus also developed and teaches several application security courses both within and outside Sogeti. In the past years he has written for magazines such as Computable and We Love IT, and he has spoken at a number of conferences and events, including OWASP, Recent OO Trends, Open Source Developer Conference and Engineering World.<br />
<b>Vulnerability:</b> An Insecure Direct Object Reference occurs when a web application exposes an internal implementation object to the user. Examples of internal implementation objects are database records, URLs, or files.<br><br />
<b>Attack:</b> An attacker can modify the internal implementation object in an attempt to abuse the access controls on this object. When the attacker does this, they may gain access to functionality that the developer did not intend to expose.<br><br />
<b>Countermeasure:</b> References should be validated for authorization and accessed through reference maps. How this should be done will be shown.<br><br />
([[Media:20100311_VAC-IDOR_Marinus Kuivenhoven.pdf|the slides in pdf format]])<br><br />
<b>20.30 – 21.15 Overlooked Resources and Practices</b> (By Justin Clarke)<br><br />
In his second presentation, Justin Clarke discussed OWASP resources and best practices by highlighting some OWASP projects and underused security practices. He shared his experiences in his daily work as well as the known pitfalls.<br><br />
([[Media:20100311_Overlooked_Resources_and _Practices-Justin_Clarke.pdf|the slides in pdf format]])<br><br />
<b>21.15 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_March_11th_2010.pdf]]<br> <br />
The flyer of this meeting: [[Media:Owasp_NL_march2010.pdf]] <br> <br />
<br />
== Past Events ==<br />
<br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
==== Call for Speakers ====<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community, and do you have presentation skills? Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a recurring part of the chapter meetings. The VAC is a half-hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
==== Chapter Leaders ====<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[mailto:bert.koelewijn@owasp.org Bert Koelewijn], ASR <br />
*[mailto:peter.gouwentak@owasp.org Peter Gouwentak], ING <br />
*[mailto:martin.knobloch@owasp.org Martin Knobloch], Sogeti <br />
*[mailto:ferdinand.vroom@owasp.org Ferdinand Vroom], Nationale Nederlanden<br />
<br />
Our goal is to professionalize the local OWASP functioning, provide a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5-year target on: target audiences, different events and interactions of OWASP global – local projects. <br />
<br />
==== Chapter Sponsoring ====<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. If you are interested in sponsoring the Netherlands chapter, please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
<br>If you would like to donate to our chapter, please use the PayPal link below. Thank you! <br />
<br />
<br><paypal>Netherlands</paypal> <br />
__NOTOC__<headertabs/></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=File:Logo_Sogeti.jpg&diff=84999File:Logo Sogeti.jpg2010-06-16T22:15:32Z<p>Martinknobloch: </p>
<hr />
<div></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Netherlands&diff=84998Netherlands2010-06-16T22:03:52Z<p>Martinknobloch: /* 2010 Schedule */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br> <br />
<br />
==== Local News ====<br />
=== Workshop Google Hacking ===<br />
We have a special OWASP meeting around HITB!<br />
<br />
Christian Heinrich, from OWASP Australia and project lead of the OWASP Google Hacking project:<br />
http://www.owasp.org/index.php/Category:OWASP_Google_Hacking_Project<br />
<br />
Christian, known for his work on Google hacking, is coming to the Netherlands for the HITB conference.<br />
He is willing to give a Google Hacks and Skipfish workshop:<br />
<br />
Skipfish: http://code.google.com/p/skipfish/<br />
Googlehacking: http://code.google.com/p/googlehacks/<br />
<br />
Please see the website for more details. This will take place on June 30th:<br />
<br />
Location:<br />
Sogeti Netherland<br />
Wildenborch 3 <br />
1112 xb Diemen<br />
<br />
=== HITB 2010 Amsterdam ===<br />
The FIRST EVER HITBSecConf in Europe, HITBSecConf 2010 - Amsterdam takes place at the NH Grand Krasnapolsky from the 29th of June till the 2nd of July with a QUAD TRACK line up!<br />
<br />
OWASP members get a special offer:<br><br />
OWASP MEMBERS SAVE EUR200 OFF THE CONFERENCE PRICE!!! <br><br />
EUR699 instead of EUR899. This offer is limited to the first 50 registrations.<br><br />
OWASP members are encouraged to register as soon as possible to avoid disappointment.<br><br />
Please supply your OWASP membership ID to the registration!<br><br />
<br />
Conference Website: http://conference.hitb.org/hitbsecconf2010ams/<br><br />
29th & 30th June - Hands on Technical Training Sessions <br />
<br />
==== Chapter Meetings ====<br />
<br />
== 2010 Schedule ==<br />
<br />
*March 11th, 18.00 - 21.30 Topic: Database Security<br />
*May 20th, 18.00 - 21.30 Topic: Web Application Firewalls <br />
*June 30th, 18:00 - 21:00 Workshop Google Hacks & Skipfish<br />
*September 23rd, 18.00 - 21.30 Topic: Security in Content Management Systems <br />
*November 18th, 18.00 - 21.30 Topic: TBD<br />
<br />
<br><br />
<br />
== REGISTRATION ==<br />
<br />
To register for a chapter meeting (first come, first served), please '''send an email''' to: [mailto:netherlands@owasp.org netherlands 'at' owasp.org].<br />
<br />
== Next Meeting (May 2010) ==<br />
=== WHEN ===<br />
May 20th, 2010 (18h00-21h30). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
Location: http://www.setuputrecht.nl/ <br><br />
SETUP is located on the Neude square in Utrecht (Neude 4), in the new office of the Dutch Game Garden.<br><br />
(entrance at the back of the ABNamro building on “het Neude”) <br><br />
[[Image:lokatie_setup_google.gif|200px]] <br><br />
| width="650" | <br />
[[Image:Setup_logo.jpg|200px]] <br><br />
<br />
[[Image:itq_logo.jpg|200px]] <br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 Web Application Firewalls in dynamic environments</b> (by Alexander Meisel)<br><br />
Alexander Meisel is the CTO of 'art of defence' (AOD), a German-based software vendor. The company specializes in high-performance deployments of Web Application Firewalls in very dynamic environments all over the world.<br />
<br />
Abstract:<br />
The current trend towards cloud computing forces everybody to deploy services in a virtual environment. In current dedicated environments, WAFs (Web Application Firewalls) are mostly deployed as a hardware (black) box, which is easy at first but limits them to low-performance web cluster architectures. Moving those systems, virtualized, into a cloud environment makes almost no sense because of the resource limitations.<br />
The solution is a redesign which enables WAFs to be part of a true message-based cloud system. This talk explains how truly virtualized and distributed web applications are architected, work and scale in high-performance environments. <br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 - 21:00 Bypassing Web Application Firewalls</b> (by Sandro Gauci)<br><br />
Sandro Gauci is the owner and founder of EnableSecurity (www.enablesecurity.com), where he performs R&D and security consultancy for mid-sized companies. Sandro has over 9 years of experience in the security industry and is focused on analysis of security challenges and providing solutions to such threats. His passion is vulnerability research, and he has previously worked together with various vendors such as Microsoft and Sun to fix security holes. Sandro is the author of the free VoIP security scanning suite SIPVicious (sipvicious.org) and VOIPPACK for CANVAS.<br />
<br />
Abstract:<br />
WAFs, or Web Application Firewalls, are being deployed to fix security issues in your web applications. The question is: are they?<br />
In this presentation we take a look at some of the issues related to making use of this solution and how it may affect the overall security posture of your web application. Finally, we will describe tools to automate detection of WAFs, and also tools to help identify ways to bypass WAFs. This presentation will include updates to the open source WAF security testing tools, WAFFIT. <br><br />
([[Media:2010-05-20_WAFs-Detecting, Bypassing, Exploiting Web Application Firewalls_Sandro Gauci.pdf|the slides in pdf format]])<br><br />
<b>21.00 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_May_20th_2010.pdf]]<br> <br />
<br />
== Database Security (Mar-11-2010) ==<br />
<br />
=== WHEN ===<br />
<br />
Thursday, March 11th, 2010 (18h00-21h30). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
ASR Nederland<br> <br> MD0.60 - Auditorium<br> Smallepad 30<br> 3811MG Amersfoort<br> <br />
<br />
| width="650" | <br />
[[Image:ASR Nederland logo.jpg|200px]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 SQL Injection - How far does the rabbit hole go?</b> (By Justin Clarke)<br><br />
<b>Justin Clarke</b> is a co-founder and Director at Gotham Digital Science, based in the United Kingdom. He has over twelve years of experience in assessing the security of networks, web applications, and wireless networks for large financial, retail, technology and government clients in the United States, the United Kingdom and New Zealand.<br />
Justin is the technical editor and lead author of “SQL Injection Attacks and Defense” (Syngress 2009), co-author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O’Reilly 2005), a contributing author to "Network Security Assessment: Know Your Network, 2nd Edition" (O’Reilly 2007), as well as a speaker at a number of conferences and events on security topics, including Black Hat USA, EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society. He is the author of the open source SQLBrute blind SQL injection testing tool, and is the Chapter Leader for the London chapter of OWASP.<br />
SQL Injection - How far does the rabbit hole go? SQL Injection has been around for over 10 years, and yet it is still to this day not truly understood by many security professionals and developers. With the recent mass attacks against sites across the world it has again come to the fore of vulnerabilities under the spotlight; however, many consider it to be only a data access issue, or parameterized queries to be a panacea.<br><br />
This talk starts from what was demonstrated last year at Black Hat in Las Vegas, where a self-propagating SQL Injection worm was demonstrated live on stage. It explores some of the deeper, darker areas of SQL Injection, hybrid attacks, and exploiting obscure database functionality.<br><br />
([[Media:OWASP-SQLInjection5nov09.pdf|the slides in pdf format]])<br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 – 20.30 VAC Insecure Direct Object Reference</b> (By Marinus Kuivenhoven)<br><br />
<b>Marinus Kuivenhoven</b> is a Senior Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administering Oracle-based systems. At Sogeti Nederland B.V. he is also an active member of the PaSS-Software (Proactive Security Strategy) taskforce focusing on secure application development. Marinus also developed and teaches several application security courses both within and outside Sogeti. In the past years he has written for magazines such as Computable and We Love IT, and he has spoken at a number of conferences and events, including OWASP, Recent OO Trends, Open Source Developer Conference and Engineering World.<br />
<b>Vulnerability:</b> An Insecure Direct Object Reference occurs when a web application exposes an internal implementation object to the user. Examples of internal implementation objects are database records, URLs, or files.<br><br />
<b>Attack:</b> An attacker can modify the internal implementation object in an attempt to abuse the access controls on this object. When the attacker does this, they may gain access to functionality that the developer did not intend to expose.<br><br />
<b>Countermeasure:</b> References should be validated for authorization and accessed through reference maps. How this should be done will be shown.<br><br />
([[Media:20100311_VAC-IDOR_Marinus Kuivenhoven.pdf|the slides in pdf format]])<br><br />
<b>20.30 – 21.15 Overlooked Resources and Practices</b> (By Justin Clarke)<br><br />
In his second presentation, Justin Clarke discussed OWASP resources and best practices by highlighting some OWASP projects and underused security practices. He shared his experiences in his daily work as well as the known pitfalls.<br><br />
([[Media:20100311_Overlooked_Resources_and _Practices-Justin_Clarke.pdf|the slides in pdf format]])<br><br />
<b>21.15 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_March_11th_2010.pdf]]<br> <br />
The flyer of this meeting: [[Media:Owasp_NL_march2010.pdf]] <br> <br />
<br />
== Past Events ==<br />
<br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
==== Call for Speakers ====<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community, and do you have presentation skills? Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a recurring part of the chapter meetings. The VAC is a half-hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
==== Chapter Leaders ====<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[mailto:bert.koelewijn@owasp.org Bert Koelewijn], ASR <br />
*[mailto:peter.gouwentak@owasp.org Peter Gouwentak], ING <br />
*[mailto:martin.knobloch@owasp.org Martin Knobloch], Sogeti <br />
*[mailto:ferdinand.vroom@owasp.org Ferdinand Vroom], Nationale Nederlanden<br />
<br />
Our goal is to professionalize the local OWASP functioning, provide a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5-year target on: target audiences, different events and interactions of OWASP global – local projects. <br />
<br />
==== Chapter Sponsoring ====<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. If you are interested in sponsoring the Netherlands chapter, please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
<br>If you would like to donate to our chapter, please use the PayPal link below. Thank you! <br />
<br />
<br><paypal>Netherlands</paypal> <br />
__NOTOC__<headertabs/></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Netherlands&diff=84997Netherlands2010-06-16T21:59:12Z<p>Martinknobloch: /* Workshop Google Hacking */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br> <br />
<br />
==== Local News ====<br />
=== Workshop Google Hacking ===<br />
We have a special OWASP meeting around HITB!<br />
<br />
Christian Heinrich, from OWASP Australia and project lead of the OWASP Google Hacking project:<br />
http://www.owasp.org/index.php/Category:OWASP_Google_Hacking_Project<br />
<br />
Christian, known for his work on Google hacking, is coming to the Netherlands for the HITB conference.<br />
He is willing to give a Google Hacks and Skipfish workshop:<br />
<br />
Skipfish: http://code.google.com/p/skipfish/<br />
Googlehacking: http://code.google.com/p/googlehacks/<br />
<br />
Please see the website for more details. This will take place on June 30th:<br />
<br />
Location:<br />
Sogeti Netherland<br />
Wildenborch 3 <br />
1112 xb Diemen<br />
<br />
=== HITB 2010 Amsterdam ===<br />
The FIRST EVER HITBSecConf in Europe, HITBSecConf 2010 - Amsterdam takes place at the NH Grand Krasnapolsky from the 29th of June till the 2nd of July with a QUAD TRACK line up!<br />
<br />
OWASP members get a special offer:<br><br />
OWASP MEMBERS SAVE EUR200 OFF THE CONFERENCE PRICE!!! <br><br />
EUR699 instead of EUR899. This offer is limited to the first 50 registrations.<br><br />
OWASP members are encouraged to register as soon as possible to avoid disappointment.<br><br />
Please supply your OWASP membership ID to the registration!<br><br />
<br />
Conference Website: http://conference.hitb.org/hitbsecconf2010ams/<br><br />
29th & 30th June - Hands on Technical Training Sessions <br />
<br />
==== Chapter Meetings ====<br />
<br />
== 2010 Schedule ==<br />
<br />
*March 11th, 18.00 - 21.30 Topic: Database Security<br> <br />
*May 20th, 18.00 - 21.30 Topic: Web Application Firewalls <br />
*September 23rd, 18.00 - 21.30 Topic: Security in Content Management Systems <br />
*November 18th, 18.00 - 21.30 Topic: TBD<br />
<br />
<br><br />
== REGISTRATION ==<br />
<br />
To register for a chapter meeting (first come, first served), please '''send an email''' to: [mailto:netherlands@owasp.org netherlands 'at' owasp.org].<br />
<br />
== Next Meeting (May 2010) ==<br />
=== WHEN ===<br />
May 20th, 2010 (18h00-21h30). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
Location: http://www.setuputrecht.nl/ <br><br />
SETUP is located on the Neude square in Utrecht (Neude 4), in the new office of the Dutch Game Garden.<br><br />
(entrance at the back of the ABNamro building on “het Neude”) <br><br />
[[Image:lokatie_setup_google.gif|200px]] <br><br />
| width="650" | <br />
[[Image:Setup_logo.jpg|200px]] <br><br />
<br />
[[Image:itq_logo.jpg|200px]] <br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 Web Application Firewalls in dynamic environments</b> (by Alexander Meisel)<br><br />
Alexander Meisel is the CTO of 'art of defence' (AOD), a German-based software vendor. The company specializes in high-performance deployments of Web Application Firewalls in very dynamic environments all over the world.<br />
<br />
Abstract:<br />
The current trend towards cloud computing forces everybody to deploy services in a virtual environment. In current dedicated environments, WAFs (Web Application Firewalls) are mostly deployed as a hardware (black) box, which is easy at first but limits them to low-performance web cluster architectures. Moving those systems, virtualized, into a cloud environment makes almost no sense because of the resource limitations.<br />
The solution is a redesign which enables WAFs to be part of a true message-based cloud system. This talk explains how truly virtualized and distributed web applications are architected, work and scale in high-performance environments. <br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 - 21:00 Bypassing Web Application Firewalls</b> (by Sandro Gauci)<br><br />
Sandro Gauci is the owner and founder of EnableSecurity (www.enablesecurity.com), where he performs R&D and security consultancy for mid-sized companies. Sandro has over 9 years of experience in the security industry and is focused on analysis of security challenges and providing solutions to such threats. His passion is vulnerability research, and he has previously worked together with various vendors such as Microsoft and Sun to fix security holes. Sandro is the author of the free VoIP security scanning suite SIPVicious (sipvicious.org) and VOIPPACK for CANVAS.<br />
<br />
Abstract:<br />
WAFs, or Web Application Firewalls, are being deployed to fix security issues in your web applications. The question is: are they?<br />
In this presentation we take a look at some of the issues related to making use of this solution and how it may affect the overall security posture of your web application. Finally, we will describe tools to automate detection of WAFs, and also tools to help identify ways to bypass WAFs. This presentation will include updates to the open source WAF security testing tools, WAFFIT. <br><br />
([[Media:2010-05-20_WAFs-Detecting, Bypassing, Exploiting Web Application Firewalls_Sandro Gauci.pdf|the slides in pdf format]])<br><br />
<b>21.00 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_May_20th_2010.pdf]]<br> <br />
<br />
== Database Security (Mar-11-2010) ==<br />
<br />
=== WHEN ===<br />
<br />
Thursday, March 11th, 2010 (18h00-21h30). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
ASR Nederland<br> <br> MD0.60 - Auditorium<br> Smallepad 30<br> 3811MG Amersfoort<br> <br />
<br />
| width="650" | <br />
[[Image:ASR Nederland logo.jpg|200px]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 SQL Injection - How far does the rabbit hole go?</b> (By Justin Clarke)<br><br />
<b>Justin Clarke</b> is a co-founder and Director at Gotham Digital Science, based in the United Kingdom. He has over twelve years of experience in assessing the security of networks, web applications, and wireless networks for large financial, retail, technology and government clients in the United States, the United Kingdom and New Zealand.<br />
Justin is the technical editor and lead author of “SQL Injection Attacks and Defense” (Syngress 2009), co-author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O’Reilly 2005), a contributing author to "Network Security Assessment: Know Your Network, 2nd Edition" (O’Reilly 2007), as well as a speaker at a number of conferences and events on security topics, including Black Hat USA, EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society. He is the author of the open source SQLBrute blind SQL injection testing tool, and is the Chapter Leader for the London chapter of OWASP.<br />
SQL Injection - How far does the rabbit hole go? SQL Injection has been around for over 10 years, and yet it is still to this day not truly understood by many security professionals and developers. With the recent mass attacks against sites across the world it has again come to the fore of vulnerabilities under the spotlight; however, many consider it to be only a data access issue, or parameterized queries to be a panacea.<br><br />
This talk starts from what was demonstrated last year at Black Hat in Las Vegas, where a self-propagating SQL Injection worm was demonstrated live on stage. It explores some of the deeper, darker areas of SQL Injection, hybrid attacks, and exploiting obscure database functionality.<br><br />
([[Media:OWASP-SQLInjection5nov09.pdf|the slides in pdf format]])<br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 – 20.30 VAC Insecure Direct Object Reference</b> (By Marinus Kuivenhoven)<br><br />
<b>Marinus Kuivenhoven</b> is a Senior Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administering Oracle-based systems. At Sogeti Nederland B.V. he is also an active member of the PaSS-Software (Proactive Security Strategy) taskforce focusing on secure application development. Marinus also developed and teaches several application security courses both within and outside Sogeti. In the past years he has written for magazines such as Computable and We Love IT, and he has spoken at a number of conferences and events, including OWASP, Recent OO Trends, Open Source Developer Conference and Engineering World.<br />
<b>Vulnerability:</b> An Insecure Direct Object Reference occurs when a web application exposes an internal implementation object to the user. Examples of internal implementation objects are database records, URLs, or files.<br><br />
<b>Attack:</b> An attacker can modify the internal implementation object in an attempt to abuse the access controls on this object. When the attacker does this, they may gain access to functionality that the developer did not intend to expose.<br><br />
<b>Countermeasure:</b> References should be validated for authorization and accessed through reference maps. How this should be done will be shown.<br><br />
([[Media:20100311_VAC-IDOR_Marinus Kuivenhoven.pdf|the slides in pdf format]])<br><br />
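The Vulnerability/Attack/Countermeasure outline above is only a summary of the VAC talk. The following is an added example, not code from this page or from the slides, that puts the two countermeasures next to the vulnerable pattern: an authorization check on every reference, and a per-session indirect reference map that hands the client an opaque token instead of the database id. The invoice table, the user names and the handler functions are constructed for illustration.

```python
"""Insecure Direct Object Reference (IDOR): vulnerable lookup next to a hardened one.

Added example, not from the OWASP wiki page or the VAC slides. All data below is
constructed for illustration: a tiny in-memory "invoices" table and two users.
"""
import secrets

# Constructed sample data: internal record ids and their owners.
INVOICES = {
    101: {"owner": "alice", "amount": 120.00},
    102: {"owner": "bob", "amount": 75.50},
    103: {"owner": "alice", "amount": 310.25},
}


def vulnerable_get_invoice(invoice_id: int) -> dict:
    """Direct object reference: the client supplies the database key and no
    authorization check is made, so a request for id 101 returns alice's record
    to whoever sends it."""
    return INVOICES[invoice_id]


def get_invoice_with_authz(user: str, invoice_id: int) -> dict:
    """Countermeasure 1: validate the reference for authorization.
    Every access is checked against the owner before data is returned."""
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != user:
        # Same error for "missing" and "not yours" so ids cannot be enumerated.
        raise PermissionError("invoice not found")
    return record


class ReferenceMap:
    """Countermeasure 2: per-session indirect reference map.

    The client only ever sees random, unguessable tokens; the mapping back to the
    internal id lives server-side and is scoped to one user's session, so a token
    taken from another session resolves to nothing here."""

    def __init__(self) -> None:
        self._to_internal: dict[str, int] = {}
        self._to_token: dict[int, str] = {}

    def token_for(self, internal_id: int) -> str:
        """Issue (or reuse) an opaque token for an internal id."""
        if internal_id not in self._to_token:
            token = secrets.token_urlsafe(16)
            self._to_token[internal_id] = token
            self._to_internal[token] = internal_id
        return self._to_token[internal_id]

    def resolve(self, token: str) -> int:
        """Map a client-supplied token back to the internal id; unknown tokens are rejected."""
        if token not in self._to_internal:
            raise PermissionError("invalid reference")
        return self._to_internal[token]


def list_invoices_for(user: str, refmap: ReferenceMap) -> list:
    """Render the user's own invoices, exposing tokens instead of database ids."""
    return [
        {"ref": refmap.token_for(iid), "amount": rec["amount"]}
        for iid, rec in INVOICES.items()
        if rec["owner"] == user
    ]


def get_invoice_by_token(user: str, token: str, refmap: ReferenceMap) -> dict:
    """Hardened handler: indirect reference plus the ownership check (defense in depth)."""
    internal_id = refmap.resolve(token)
    return get_invoice_with_authz(user, internal_id)


def demo() -> dict:
    """Walk through both paths and return the outcomes for inspection."""
    bob_map = ReferenceMap()
    bob_view = list_invoices_for("bob", bob_map)
    results = {
        "vulnerable_cross_user_read": vulnerable_get_invoice(101)["owner"],
        "bob_sees_only_own": [i["amount"] for i in bob_view],
    }
    try:
        # A token issued in alice's session is replayed against bob's session map.
        alice_map = ReferenceMap()
        alice_token = alice_map.token_for(101)
        get_invoice_by_token("bob", alice_token, bob_map)
        results["cross_session_token"] = "allowed"
    except PermissionError:
        results["cross_session_token"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The reference map alone is not sufficient if a token could ever be issued for a record the user may not see, which is why the hardened handler still runs the ownership check after resolving the token; the two controls fail independently.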
<b>20.30 – 21.15 Overlooked Resources and Practices</b> (By Justin Clarke)<br><br />
In his second presentation, Justin Clarke discussed OWASP resources and best practices by highlighting some OWASP projects and underused security practices. He shared his experiences in his daily work as well as the known pitfalls.<br><br />
([[Media:20100311_Overlooked_Resources_and _Practices-Justin_Clarke.pdf|the slides in pdf format]])<br><br />
<b>21.15 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_March_11th_2010.pdf]]<br> <br />
The flyer of this meeting: [[Media:Owasp_NL_march2010.pdf]] <br> <br />
<br />
== Past Events ==<br />
<br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
==== Call for Speakers ====<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community, and do you have presentation skills? Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a recurring part of the chapter meetings. The VAC is a half-hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
==== Chapter Leaders ====<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[mailto:bert.koelewijn@owasp.org Bert Koelewijn], ASR <br />
*[mailto:peter.gouwentak@owasp.org Peter Gouwentak], ING <br />
*[mailto:martin.knobloch@owasp.org Martin Knobloch], Sogeti <br />
*[mailto:ferdinand.vroom@owasp.org Ferdinand Vroom], Nationale Nederlanden<br />
<br />
Our goal is to professionalize the local OWASP functioning, provide a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5-year target on: target audiences, different events and interactions of OWASP global – local projects. <br />
<br />
==== Chapter Sponsoring ====<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. If you are interested in sponsoring the Netherlands chapter, please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
<br>If you would like to donate to our chapter, please use the PayPal link below. Thank you! <br />
<br />
<br><paypal>Netherlands</paypal> <br />
__NOTOC__<headertabs/></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Netherlands&diff=84908Netherlands2010-06-15T11:24:04Z<p>Martinknobloch: /* Workshop Google Hacking */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br> <br />
<br />
==== Local News ====<br />
=== Workshop Google Hacking ===<br />
We have a special OWASP meeting around HITB!<br />
<br />
Christian Heinrich, from OWASP Australia and project lead of the OWASP Google Hacking project:<br />
http://www.owasp.org/index.php/Category:OWASP_Google_Hacking_Project<br />
<br />
Christian, known for his work on Google hacking, is coming to the Netherlands for the HITB conference.<br />
He is willing to give a Google Hacks and Skipfish workshop:<br />
<br />
Skipfish: http://code.google.com/p/skipfish/<br />
Googlehacking: http://code.google.com/p/googlehacks/<br />
<br />
Please see the website for more details. This will take place on either June 30th or July 1st:<br />
The date will be made definite a.s.a.p.!<br />
<br />
Location:<br />
Sogeti Netherland<br />
Wildenborch 3 <br />
1112 xb Diemen<br />
<br />
=== HITB 2010 Amsterdam ===<br />
The FIRST EVER HITBSecConf in Europe, HITBSecConf 2010 - Amsterdam takes place at the NH Grand Krasnapolsky from the 29th of June till the 2nd of July with a QUAD TRACK line up!<br />
<br />
OWASP members get a special offer:<br><br />
OWASP MEMBERS SAVE EUR200 OFF THE CONFERENCE PRICE!!! <br><br />
EUR699 instead of EUR899. This offer is limited to the first 50 registrations.<br><br />
OWASP members are encouraged to register as soon as possible to avoid disappointment.<br><br />
Please supply your OWASP membership ID to the registration!<br><br />
<br />
Conference Website: http://conference.hitb.org/hitbsecconf2010ams/<br><br />
29th & 30th June - Hands on Technical Training Sessions <br />
<br />
==== Chapter Meetings ====<br />
<br />
== 2010 Schedule ==<br />
<br />
*March 11th, 18.00 - 21.30 Topic: Database Security<br> <br />
*May 20th, 18.00 - 21.30 Topic: Web Application Firewalls <br />
*September 23rd, 18.00 - 21.30 Topic: Security in Content Management Systems <br />
*November 18th, 18.00 - 21.30 Topic: TBD<br />
<br />
<br><br />
== REGISTRATION ==<br />
<br />
To register for a chapter meeting (first come, first served), please '''send an email''' to: [mailto:netherlands@owasp.org netherlands 'at' owasp.org].<br />
<br />
== Next Meeting (May 2010) ==<br />
=== WHEN ===<br />
May 20th, 2010 (18:00 - 21:30). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
Location: http://www.setuputrecht.nl/ <br><br />
SETUP is located on the Neude square in Utrecht (Neude 4), in the new office of the Dutch Game Garden.<br><br />
(entrance at the back of the ABNamro building on “het Neude”) <br><br />
[[Image:lokatie_setup_google.gif|200px]] <br><br />
| width="650" | <br />
[[Image:Setup_logo.jpg|200px]] <br><br />
<br />
[[Image:itq_logo.jpg|200px]] <br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 Web Application Firewalls in dynamic environments</b> (by Alexander Meisel)<br><br />
Alexander Meisel is the CTO of 'art of defence' (AOD), a German-based software vendor. The company specializes in high-performance deployments of Web Application Firewalls in very dynamic environments all over the world.<br />
<br />
Abstract:<br />
The current trend towards cloud computing forces everybody to deploy services in a virtual environment. In current dedicated environments WAFs or Web Application Firewalls are mostly deployed as a hardware (black) box which is easy at first but limits them to only low performance web cluster architectures. Moving those systems virtualized into a cloud environment makes almost no sense because of the resource limitations.<br />
The solution is a redesign which enables WAFs to be part of a true message-based cloud system. This talk explains how truly virtualized and distributed web applications are architected, work and scale in high-performance environments. <br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 - 21:00 Bypassing Web Application Firewalls </b>(by Sandro Gauci)<br><br />
Sandro Gauci is the owner and founder of EnableSecurity (www.enablesecurity.com), where he performs R&D and security consultancy for mid-sized companies. Sandro has over 9 years' experience in the security industry and is focused on analysis of security challenges and providing solutions to such threats. His passion is vulnerability research, and he has previously worked together with various vendors such as Microsoft and Sun to fix security holes. Sandro is the author of the free VoIP security scanning suite SIPVicious (sipvicious.org) and VOIPPACK for CANVAS.<br />
<br />
Abstract:<br />
WAFs or Web Application Firewalls are being deployed to fix security issues in your web applications. The question is, are they?<br />
In this presentation we take a look at some of the issues related to making use of this solution and how it may affect the overall security posture of your web application. Finally we will describe tools to automate detection of WAFs, and also tools to help identify ways to bypass WAFs. This presentation will include updates to the open source WAF security testing tools - WAFFIT. <br><br />
([[Media:2010-05-20_WAFs-Detecting, Bypassing, Exploiting Web Application Firewalls_Sandro Gauci.pdf|the slides in pdf format]])<br><br />
<b>21.00 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_May_20th_2010.pdf]]<br> <br />
<br />
== Database Security (Mar-11-2010) ==<br />
<br />
=== WHEN ===<br />
<br />
Thursday, March 11th, 2010 (18:00 - 21:30). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
ASR Nederland<br> <br> MD0.60 - Auditorium<br> Smallepad 30<br> 3811MG Amersfoort<br> <br />
<br />
| width="650" | <br />
[[Image:ASR Nederland logo.jpg|200px]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 SQL Injection - How far does the rabbit hole go?</b> (By Justin Clarke)<br><br />
<b>Justin Clarke</b> is a co-founder and Director at Gotham Digital Science, based in the United Kingdom. He has over twelve years of experience in assessing the security of networks, web applications, and wireless networks for large financial, retail, technology and government clients in the United States, the United Kingdom and New Zealand.<br />
Justin is the technical editor and lead author of “SQL Injection Attacks and Defense” (Syngress 2009), co-author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O’Reilly 2005), a contributing author to "Network Security Assessment: Know Your Network, 2nd Edition" (O’Reilly 2007), as well as a speaker at a number of conferences and events on security topics, including Black Hat USA, EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society. He is the author of the open source SQLBrute blind SQL injection testing tool, and is the Chapter Leader for the London chapter of OWASP.<br />
SQL Injection - How far does the rabbit hole go? SQL Injection has been around for over 10 years, and yet to this day it is still not truly understood by many security professionals and developers. With the recent mass attacks against sites across the world it has again come to the fore of vulnerabilities under the spotlight; however, many consider it to be only a data access issue, or parameterized queries to be a panacea.<br><br />
This talk starts from what was demonstrated last year at Black Hat in Las Vegas, where a self-propagating SQL Injection worm was demonstrated live on stage, and explores some of the deeper, darker areas of SQL Injection, hybrid attacks, and exploiting obscure database functionality.<br><br />
([[Media:OWASP-SQLInjection5nov09.pdf|the slides in pdf format]])<br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 – 20.30 VAC Insecure Direct Object Reference</b> (By Marinus Kuivenhoven)<br><br />
<b>Marinus Kuivenhoven</b> is a Senior Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems. At Sogeti Nederland B.V. he is also an active member of the PaSS (Proactive Security Strategy) software taskforce focusing on secure application development. Marinus also developed and teaches several application security courses both within and outside Sogeti. In the past years he has written for magazines such as Computable and We Love IT, and he has spoken at a number of conferences and events such as OWASP, Recent OO Trends, Open Source Developer Conference and Engineering World.<br />
<b>Vulnerability:</b> Insecure Direct Object Reference is when a web application exposes an internal implementation object to the user. Some examples of internal implementation objects are database records, URLs, or files.<br><br />
<b>Attack:</b> An attacker can modify the internal implementation object in an attempt to abuse the access controls on this object. When the attacker does this they may have the ability to access functionality that the developer didn’t intend to expose access to.<br><br />
<b>Countermeasure:</b> References should be validated for authorization and accessed through reference maps. How this should be done will be shown.<br><br />
([[Media:20100311_VAC-IDOR_Marinus Kuivenhoven.pdf|the slides in pdf format]])<br><br />
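The following is an added example, not code from the talk or its slides, that puts the three parts of the VAC side by side: a lookup that trusts a client-supplied record id (the vulnerability and the attack), an authorization check on every reference, and a per-session indirect reference map so the internal key is never exposed at all. The invoice data, the users and all function and class names are constructed for illustration.<br />

```python
"""Insecure Direct Object Reference (IDOR): vulnerable lookup vs. two countermeasures.

Constructed example: an "invoice" record store keyed by internal database ids.
"""
import secrets

# Constructed sample data: invoices owned by two different users.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 980.50},
}


class AccessDenied(Exception):
    """Raised when a reference does not resolve to an object the caller may use."""


# --- Vulnerability / attack: the internal key is exposed and used directly ---
def get_invoice_vulnerable(user, invoice_id):
    """Trusts the id taken from the URL or form; changing 1001 to 1002 reads bob's invoice."""
    return INVOICES[invoice_id]


# --- Countermeasure 1: validate authorization on every reference ---
def get_invoice_checked(user, invoice_id):
    """Same direct reference, but the ownership rule is enforced before returning data."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != user:
        # Unknown and forbidden look identical to the caller: no enumeration oracle.
        raise AccessDenied("invoice not available")
    return invoice


# --- Countermeasure 2: indirect reference map, one per user session ---
class ReferenceMap:
    """Maps unguessable per-session tokens to internal keys and back.

    Only keys the application itself registered (e.g. while rendering the user's
    own list) can ever be resolved, so a client cannot name a record it was not shown.
    """

    def __init__(self):
        self._direct_to_indirect = {}
        self._indirect_to_direct = {}

    def indirect(self, direct_key):
        """Return the token for an internal key, minting a random one on first use."""
        if direct_key not in self._direct_to_indirect:
            token = secrets.token_urlsafe(16)
            self._direct_to_indirect[direct_key] = token
            self._indirect_to_direct[token] = direct_key
        return self._direct_to_indirect[direct_key]

    def direct(self, token):
        """Resolve a client-supplied token; anything not minted by this map is rejected."""
        try:
            return self._indirect_to_direct[token]
        except KeyError:
            raise AccessDenied("unknown reference") from None


def list_invoices(user, refmap):
    """Render the user's own invoice list, exposing tokens instead of database ids."""
    return {
        refmap.indirect(key): rec["amount"]
        for key, rec in INVOICES.items()
        if rec["owner"] == user
    }


def get_invoice_indirect(user, refmap, token):
    """Resolve the token, then still run the ownership check (defence in depth)."""
    return get_invoice_checked(user, refmap.direct(token))


def _denied(action):
    """True if the callable raises AccessDenied, False if it returns data."""
    try:
        action()
    except AccessDenied:
        return True
    return False


def demo():
    """Exercise all three variants and return what each one allowed."""
    alice_map = ReferenceMap()
    page = list_invoices("alice", alice_map)   # alice is shown exactly one token
    token = next(iter(page))
    return {
        # vulnerable: alice tampers with the id and reads bob's record
        "vulnerable_cross_user": get_invoice_vulnerable("alice", 1002)["owner"],
        # checked: the same tampering is refused
        "checked_cross_user": _denied(lambda: get_invoice_checked("alice", 1002)),
        # indirect: alice's own token resolves to her own invoice
        "indirect_own": get_invoice_indirect("alice", alice_map, token)["amount"],
        # indirect: guessing a raw id as if it were a token fails
        "indirect_guess": _denied(lambda: get_invoice_indirect("alice", alice_map, "1002")),
        # indirect: a token leaked to another user still fails the ownership check
        "indirect_foreign_user": _denied(lambda: get_invoice_indirect("bob", alice_map, token)),
        # the token reveals nothing about the underlying key
        "token_is_not_id": token not in ("1001", "1002"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The reference map is kept per session (here simply per user) so a token captured from one user's page is meaningless in another's, and the ownership check is still applied after resolving the token: the map prevents guessing, the check prevents misuse of a leaked or shared reference.<br />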
<b>20.30 – 21.15 Overlooked Resources and Practices</b> (By Justin Clarke)<br><br />
In his second presentation, Justin Clarke discussed OWASP resources and best practices by highlighting some OWASP projects and underused security practices. He shared his experiences in his daily work as well as the known pitfalls.<br><br />
([[Media:20100311_Overlooked_Resources_and _Practices-Justin_Clarke.pdf|the slides in pdf format]])<br><br />
<b>21.15 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_March_11th_2010.pdf]]<br> <br />
The flyer of this meeting: [[Media:Owasp_NL_march2010.pdf]] <br> <br />
<br />
== Past Events ==<br />
<br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
==== Call for Speakers ====<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community, and do you have presentation skills? Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a recurring part of the chapter meetings. The VAC is a half-hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
==== Chapter Leaders ====<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[mailto:bert.koelewijn@owasp.org Bert Koelewijn], ASR <br />
*[mailto:peter.gouwentak@owasp.org Peter Gouwentak], ING <br />
*[mailto:martin.knobloch@owasp.org Martin Knobloch], Sogeti <br />
*[mailto:ferdinand.vroom@owasp.org Ferdinand Vroom], Nationale Nederlanden<br />
<br />
Our goal is to professionalize the local OWASP organization, provide a bigger footprint to detect OWASP opportunities such as speakers, topics, sponsors, … and set a 5-year target on target audiences, different events, and interaction between OWASP global and local projects. <br />
<br />
==== Chapter Sponsoring ====<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. If you are interested in sponsoring the Netherlands chapter, please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
<br>If you would like to donate to our chapter, please use the PayPal link below. Thank you! <br />
<br />
<br><paypal>Netherlands</paypal> <br />
__NOTOC__<headertabs/></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Netherlands&diff=84895Netherlands2010-06-15T10:18:52Z<p>Martinknobloch: /* HITB 2010 Amsterdam */</p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
__NOTOC__<headertabs/></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Netherlands&diff=84446Netherlands2010-06-04T08:39:18Z<p>Martinknobloch: </p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br> <br />
<br />
==== Local News ====<br />
=== HITB 2010 Amsterdam ===<br />
The FIRST EVER HITBSecConf in Europe, HITBSecConf 2010 - Amsterdam takes place at the NH Grand Krasnapolsky from the 29th of June till the 2nd of July with a QUAD TRACK line up!<br />
<br />
OWASP members get a special offer:<br><br />
OWASP MEMBERS SAVE EUR200 OFF THE CONFERENCE PRICE!!! <br><br />
EUR699 instead of EUR899.This offer is limited to the first 50 registrations.<br><br />
OWASP members are encouraged to register as soon as possible to avoid disappointment.<br><br />
Please supply your OWASP membership ID to the registration!<br><br />
<br />
Conference Website: http://conference.hitb.org/hitbsecconf2010ams/<br><br />
29th & 30th June - Hands on Technical Training Sessions <br />
<br />
==== Chapter Meetings ====<br />
<br />
== 2010 Schedule ==<br />
<br />
*March 11th, 18.00 - 21.30 Topic: Database Security<br> <br />
*May 20th, 18.00 - 21.30 Topic: Web Application Firewalls <br />
*September 23rd, 18.00 - 21.30 Topic: Security in Content Management Systems <br />
*November 18th, 18.00 - 21.30 Topic &nbsp;: TBD<br />
<br />
<br><br />
== REGISTRATION ==<br />
<br />
To register for a chapter meeting (first register, first serve)! Please '''send an email''' to: [mailto:netherlands@owasp.org netherlands 'at' owasp.org].<br />
<br />
== Next Meeting (May 2010) ==<br />
=== WHEN ===<br />
May 2010 (18h00pm-21h30pm). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
Location: http://www.setuputrecht.nl/ <br><br />
SETUP is gevestigd aan het Neude plein in Utrecht (Neude 4) in het nieuwe kantoor van de Dutch Game Garden.<br><br />
(entrance at the back of the ABNamro building on “het Neude”) <br><br />
[[Image:lokatie_setup_google.gif|200px]] <br><br />
| width="650" | <br />
[[Image:Setup_logo.jpg|200px]] <br><br />
<br />
[[Image:itq_logo.jpg|200px]] <br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 Web Application Firewalls in dynamic environments</b>(by Alexander Meisel)<br><br />
Alexander Meisel is the CTO of 'art of defence' (AOD), a German based software vendor. The company specializes in high performance deployments of Web Application Firewalls in very dynamic environments all over the world.<br />
<br />
Abstract:<br />
The current trend towards cloud computing forces everybody to deploy services in a virtual environment. In current dedicated environments WAFs or Web Application Firewalls are mostly deployed as a hardware (black) box which is easy at first but limits them to only low performance web cluster architectures. Moving those systems virtualized into a cloud environment makes almost no sense because of the resource limitations.<br />
The is solution is a redesign which enables WAFs to be part of a true message based cloud system. This talk explains how truly virtualized and distributed web applications are architected, work and scale in high performance environments. <br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 - 21:00 Bypassing Web Application Firewalls </b>(by Sandro Gauci)<br><br />
Sandro Gauci is the owner and Founder of EnableSecurity (www.enablesecurity.com) where he performs R&D and security consultancy for mid-sized companies. Sandro has over 9 years experience in the security industry and is focused on analysis of security challenges and providing solutions to such threats. Hispassion is vulnerability research and has previously worked together with various endors such as Microsoft and Sun to fix security holes. Sandro is the author of the free VoIP security scanning suite SIPVicious (sipvicious.org) and VOIPPACK for CANVAS.<br />
<br />
Abstract:<br />
WAFs or Web Application Firewalls are being deployed to fix security issues in your web applications. The question is, are they?<br />
In this presentation we take a look at some of the issues related to making use of this solution and how it may affect the overall security posture of your web application. Finally we will describe tools to automate detection of WAFs, and also tools to help identify ways to bypass WAFs. This presentation will include updates to the open source WAF security testing tools - WAFFIT. <br><br />
([[Media:2010-05-20_WAFs-Detecting, Bypassing, Exploiting Web Application Firewalls_Sandro Gauci.pdf|the slides in pdf format]])<br><br />
<b>21.00 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_May_20th_2010.pdf]]<br> <br />
<br />
== Database Security (Mar-11-2010) ==<br />
<br />
=== WHEN ===<br />
<br />
Thurday, March 11th, 2010 (18h00pm-21h30pm). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
ASR Nederland<br> <br> MD0.60 - Auditorium<br> Smallepad 30<br> 3811MG Amersfoort<br> <br />
<br />
| width="650" | <br />
[[Image:ASR Nederland logo.jpg|200px]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 SQL Injection - How far does the rabbit hole go?</b> (By Justin Clarke)<br><br />
<b>Justin Clarke</b> is a co-founder and Director at Gotham Digital Science, based in the United Kingdom. He has over twelve years of experience in assessing the security of networks, web applications, and wireless networks for large financial, retail, technology and government clients in the United States, the United Kingdom and New Zealand.<br />
Justin is the the technical editor and lead author of “SQL Injection Attacks and Defense” (Syngress 2009), co-author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O’Reilly 2005), a contributing author to "Network Security Assessment: Know Your Network, 2nd Edition" (O’Reilly 2007), as well as a speaker at a number of conferences and events on security topics, including Black Hat USA, EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society. He is the author of the open source SQLBrute blind SQL injection testing tool, and is the Chapter Leader for the London chapter of OWASP.<br />
SQl Injection - How far does the rabbit hole go? SQL Injection has been around for over 10 years, and yet it is still to this day not truly understood by many security professionals and developers. With the recent mass attacks against sites across the world it has again come to the fore of vulnerabilities under the spotlight, however many consider it to only be a data access issue, or parameterized queries to be a panacea.<br><br />
This talk starts from what was demonstrated last year at Black Hat in Las Vegas, where a self propagating SQL Injection worm was demonstrated live on stage. Explore some of the deeper, darker areas of SQL Injection, hybrid attacks, and exploiting obscure database functionality<br><br />
([[Media:OWASP-SQLInjection5nov09.pdf|the slides in pdf format]])<br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 – 20.30 VAC Insecure Direct Object Reference</b> (By Marinus Kuivenhoven)<br><br />
<b>Marinus Kuivenhoven</b> is a Senior Technology Specialist with Sogeti Nederland B.V., specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems. At Sogeti Nederland B.V. he is also an active member of the PaSS-Software (Proactive Security Strategy) taskforce focusing on secure application development. Marinus also developed and teaches several application security courses both within and outside Sogeti. In the past years he has written for magazines such as Computable and We Love IT, and he has spoken at a number of conferences and events such as OWASP, Recent OO Trends, Open Source Developer Conference and Engineering World.<br />
<b>Vulnerability:</b> Insecure Direct Object Reference is when a web application exposes an internal implementation object to the user. Some examples of internal implementation objects are database records, URLs, or files.<br><br />
<b>Attack:</b> An attacker can modify the internal implementation object in an attempt to abuse the access controls on this object. When the attacker does this they may have the ability to access functionality that the developer didn’t intend to expose access to.<br><br />
<b>Countermeasure:</b> References should be validated for authorization and accessed through reference maps. How this should be done will be shown.<br><br />
([[Media:20100311_VAC-IDOR_Marinus Kuivenhoven.pdf|the slides in pdf format]])<br><br />
<b>20.30 – 21.15 Overlooked Resources and Practices</b> (By Justin Clarke)<br><br />
In his second presentation, Justin Clarke discussed OWASP resources and best practices by highlighting some OWASP projects and underused security practices. He shared his experiences in his daily work as well as the known pitfalls.<br><br />
([[Media:20100311_Overlooked_Resources_and _Practices-Justin_Clarke.pdf|the slides in pdf format]])<br><br />
<b>21.15 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_March_11th_2010.pdf]]<br> <br />
The flyer of this meeting: [[Media:Owasp_NL_march2010.pdf]] <br> <br />
<br />
== Past Events ==<br />
<br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
==== Call for Speakers ====<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills? Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a recurring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
==== Chapter Leaders ====<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[mailto:bert.koelewijn@owasp.org Bert Koelewijn], ASR <br />
*[mailto:peter.gouwentak@owasp.org Peter Gouwentak], ING <br />
*[mailto:martin.knobloch@owasp.org Martin Knobloch], Sogeti <br />
*[mailto:ferdinand.vroom@owasp.org Ferdinand Vroom], Nationale Nederlanden<br />
<br />
Our goal is to professionalize the local OWASP organization, provide a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5-year target on: target audiences, different events and interaction between OWASP global and local projects. <br />
<br />
==== Chapter Sponsoring ====<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. If you are interested in sponsoring the Netherlands chapter please contact via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
<br>If you would like to donate to our chapter, please use the PayPal link below. Thank you! <br />
<br />
<br><paypal>Netherlands</paypal> <br />
__NOTOC__<headertabs/></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Netherlands&diff=84445Netherlands2010-06-04T08:35:57Z<p>Martinknobloch: </p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br> <br />
<br />
==== Local News ====<br />
The FIRST EVER HITBSecConf in Europe, HITBSecConf 2010 - Amsterdam takes place at the NH Grand Krasnapolsky from the 29th of June till the 2nd of July with a QUAD TRACK line up!<br />
<br />
OWASP members get a special offer:<br><br />
OWASP MEMBERS SAVE EUR200 OFF THE CONFERENCE PRICE!!! <br><br />
EUR699 instead of EUR899. This offer is limited to the first 50 registrations.<br><br />
OWASP members are encouraged to register as soon as possible to avoid disappointment.<br><br />
Please supply your OWASP membership ID to the registration!<br><br />
<br />
Conference Website: http://conference.hitb.org/hitbsecconf2010ams/<br><br />
29th & 30th June - Hands on Technical Training Sessions <br />
<br />
==== Chapter Meetings ====<br />
<br />
== 2010 Schedule ==<br />
<br />
*March 11th, 18.00 - 21.30 Topic: Database Security<br> <br />
*May 20th, 18.00 - 21.30 Topic: Web Application Firewalls <br />
*September 23rd, 18.00 - 21.30 Topic: Security in Content Management Systems <br />
*November 18th, 18.00 - 21.30 Topic &nbsp;: TBD<br />
<br />
<br><br />
== REGISTRATION ==<br />
<br />
To register for a chapter meeting (first come, first served), please '''send an email''' to: [mailto:netherlands@owasp.org netherlands 'at' owasp.org].<br />
<br />
== Next Meeting (May 2010) ==<br />
=== WHEN ===<br />
May 2010 (18:00 - 21:30). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
Location: http://www.setuputrecht.nl/ <br><br />
SETUP is located on the Neude square in Utrecht (Neude 4), in the new office of the Dutch Game Garden.<br><br />
(entrance at the back of the ABNamro building on “het Neude”) <br><br />
[[Image:lokatie_setup_google.gif|200px]] <br><br />
| width="650" | <br />
[[Image:Setup_logo.jpg|200px]] <br><br />
<br />
[[Image:itq_logo.jpg|200px]] <br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 Web Application Firewalls in dynamic environments</b> (by Alexander Meisel)<br><br />
Alexander Meisel is the CTO of 'art of defence' (AOD), a German-based software vendor. The company specializes in high-performance deployments of Web Application Firewalls in very dynamic environments all over the world.<br />
<br />
Abstract:<br />
The current trend towards cloud computing forces everybody to deploy services in a virtual environment. In current dedicated environments, WAFs (Web Application Firewalls) are mostly deployed as a hardware (black) box, which is easy at first but limits them to low-performance web cluster architectures. Moving those systems, virtualized, into a cloud environment makes almost no sense because of the resource limitations.<br />
The solution is a redesign which enables WAFs to be part of a truly message-based cloud system. This talk explains how truly virtualized and distributed web applications are architected, work and scale in high-performance environments. <br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 - 21:00 Bypassing Web Application Firewalls </b>(by Sandro Gauci)<br><br />
Sandro Gauci is the owner and founder of EnableSecurity (www.enablesecurity.com), where he performs R&D and security consultancy for mid-sized companies. Sandro has over 9 years' experience in the security industry and is focused on the analysis of security challenges and providing solutions to such threats. His passion is vulnerability research, and he has previously worked together with various vendors such as Microsoft and Sun to fix security holes. Sandro is the author of the free VoIP security scanning suite SIPVicious (sipvicious.org) and VOIPPACK for CANVAS.<br />
<br />
Abstract:<br />
WAFs or Web Application Firewalls are being deployed to fix security issues in your web applications. The question is, are they?<br />
In this presentation we take a look at some of the issues related to making use of this solution and how it may affect the overall security posture of your web application. Finally we will describe tools to automate detection of WAFs, and also tools to help identify ways to bypass WAFs. This presentation will include updates to the open source WAF security testing tools - WAFFIT. <br><br />
([[Media:2010-05-20_WAFs-Detecting, Bypassing, Exploiting Web Application Firewalls_Sandro Gauci.pdf|the slides in pdf format]])<br><br />
<b>21.00 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_May_20th_2010.pdf]]<br> <br />
<br />
== Database Security (Mar-11-2010) ==<br />
<br />
=== WHEN ===<br />
<br />
Thursday, March 11th, 2010 (18:00 - 21:30). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
ASR Nederland<br> <br> MD0.60 - Auditorium<br> Smallepad 30<br> 3811MG Amersfoort<br> <br />
<br />
| width="650" | <br />
[[Image:ASR Nederland logo.jpg|200px]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 SQL Injection - How far does the rabbit hole go?</b> (By Justin Clarke)<br><br />
<b>Justin Clarke</b> is a co-founder and Director at Gotham Digital Science, based in the United Kingdom. He has over twelve years of experience in assessing the security of networks, web applications, and wireless networks for large financial, retail, technology and government clients in the United States, the United Kingdom and New Zealand.<br />
Justin is the technical editor and lead author of “SQL Injection Attacks and Defense” (Syngress 2009), co-author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O’Reilly 2005), a contributing author to "Network Security Assessment: Know Your Network, 2nd Edition" (O’Reilly 2007), as well as a speaker at a number of conferences and events on security topics, including Black Hat USA, EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society. He is the author of the open source SQLBrute blind SQL injection testing tool, and is the Chapter Leader for the London chapter of OWASP.<br />
SQL Injection - How far does the rabbit hole go? SQL Injection has been around for over 10 years, and yet to this day it is still not truly understood by many security professionals and developers. With the recent mass attacks against sites across the world it has again come to the fore of vulnerabilities under the spotlight; however, many consider it to be only a data access issue, or parameterized queries to be a panacea.<br><br />
This talk starts from what was demonstrated last year at Black Hat in Las Vegas, where a self-propagating SQL Injection worm was demonstrated live on stage, and explores some of the deeper, darker areas of SQL Injection, hybrid attacks, and exploiting obscure database functionality.<br><br />
([[Media:OWASP-SQLInjection5nov09.pdf|the slides in pdf format]])<br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 – 20.30 VAC Insecure Direct Object Reference</b> (By Marinus Kuivenhoven)<br><br />
<b>Marinus Kuivenhoven</b> is a Senior Technology Specialist with Sogeti Nederland B.V., specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems. At Sogeti Nederland B.V. he is also an active member of the PaSS-Software (Proactive Security Strategy) taskforce focusing on secure application development. Marinus also developed and teaches several application security courses both within and outside Sogeti. In the past years he has written for magazines such as Computable and We Love IT, and he has spoken at a number of conferences and events such as OWASP, Recent OO Trends, Open Source Developer Conference and Engineering World.<br />
<b>Vulnerability:</b> Insecure Direct Object Reference is when a web application exposes an internal implementation object to the user. Some examples of internal implementation objects are database records, URLs, or files.<br><br />
<b>Attack:</b> An attacker can modify the internal implementation object in an attempt to abuse the access controls on this object. When the attacker does this they may have the ability to access functionality that the developer didn’t intend to expose access to.<br><br />
<b>Countermeasure:</b> References should be validated for authorization and accessed through reference maps. How this should be done will be shown.<br><br />
([[Media:20100311_VAC-IDOR_Marinus Kuivenhoven.pdf|the slides in pdf format]])<br><br />
<b>20.30 – 21.15 Overlooked Resources and Practices</b> (By Justin Clarke)<br><br />
In his second presentation, Justin Clarke discussed OWASP resources and best practices by highlighting some OWASP projects and underused security practices. He shared his experiences in his daily work as well as the known pitfalls.<br><br />
([[Media:20100311_Overlooked_Resources_and _Practices-Justin_Clarke.pdf|the slides in pdf format]])<br><br />
<b>21.15 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_March_11th_2010.pdf]]<br> <br />
The flyer of this meeting: [[Media:Owasp_NL_march2010.pdf]] <br> <br />
<br />
== Past Events ==<br />
<br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
==== Call for Speakers ====<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills? Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a recurring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
==== Chapter Leaders ====<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[mailto:bert.koelewijn@owasp.org Bert Koelewijn], ASR <br />
*[mailto:peter.gouwentak@owasp.org Peter Gouwentak], ING <br />
*[mailto:martin.knobloch@owasp.org Martin Knobloch], Sogeti <br />
*[mailto:ferdinand.vroom@owasp.org Ferdinand Vroom], Nationale Nederlanden<br />
<br />
Our goal is to professionalize the local OWASP organization, provide a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5-year target on: target audiences, different events and interaction between OWASP global and local projects. <br />
<br />
==== Chapter Sponsoring ====<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. If you are interested in sponsoring the Netherlands chapter please contact via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
<br>If you would like to donate to our chapter, please use the PayPal link below. Thank you! <br />
<br />
<br><paypal>Netherlands</paypal> <br />
__NOTOC__<headertabs/></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=File:2010-05-20_WAFs-Detecting,_Bypassing,_Exploiting_Web_Application_Firewalls_Sandro_Gauci.pdf&diff=83815File:2010-05-20 WAFs-Detecting, Bypassing, Exploiting Web Application Firewalls Sandro Gauci.pdf2010-05-22T08:27:50Z<p>Martinknobloch: </p>
<hr />
<div></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Netherlands&diff=83814Netherlands2010-05-22T08:23:22Z<p>Martinknobloch: </p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br> <br />
<br />
==== Local News ====<br />
<br />
Please block your agendas on Thursday, March 11th, 18h-21:30h for the next Netherlands chapter meeting.<br>Subject will be: Database Security! <br />
<br />
==== Chapter Meetings ====<br />
<br />
== 2010 Schedule ==<br />
<br />
*March 11th, 18.00 - 21.30 Topic: Database Security<br> <br />
*May 20th, 18.00 - 21.30 Topic: Web Application Firewalls <br />
*September 23rd, 18.00 - 21.30 Topic: Security in Content Management Systems <br />
*November 18th, 18.00 - 21.30 Topic &nbsp;: TBD<br />
<br />
<br><br />
== REGISTRATION ==<br />
<br />
To register for a chapter meeting (first come, first served), please '''send an email''' to: [mailto:netherlands@owasp.org netherlands 'at' owasp.org].<br />
<br />
== Next Meeting (May 2010) ==<br />
=== WHEN ===<br />
May 2010 (18:00 - 21:30). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
Location: http://www.setuputrecht.nl/ <br><br />
SETUP is located on the Neude square in Utrecht (Neude 4), in the new office of the Dutch Game Garden.<br><br />
(entrance at the back of the ABNamro building on “het Neude”) <br><br />
[[Image:lokatie_setup_google.gif|200px]] <br><br />
| width="650" | <br />
[[Image:Setup_logo.jpg|200px]] <br><br />
<br />
[[Image:itq_logo.jpg|200px]] <br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 Web Application Firewalls in dynamic environments</b> (by Alexander Meisel)<br><br />
Alexander Meisel is the CTO of 'art of defence' (AOD), a German-based software vendor. The company specializes in high-performance deployments of Web Application Firewalls in very dynamic environments all over the world.<br />
<br />
Abstract:<br />
The current trend towards cloud computing forces everybody to deploy services in a virtual environment. In current dedicated environments, WAFs (Web Application Firewalls) are mostly deployed as a hardware (black) box, which is easy at first but limits them to low-performance web cluster architectures. Moving those systems, virtualized, into a cloud environment makes almost no sense because of the resource limitations.<br />
The solution is a redesign which enables WAFs to be part of a truly message-based cloud system. This talk explains how truly virtualized and distributed web applications are architected, work and scale in high-performance environments. <br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 - 21:00 Bypassing Web Application Firewalls </b>(by Sandro Gauci)<br><br />
Sandro Gauci is the owner and founder of EnableSecurity (www.enablesecurity.com), where he performs R&D and security consultancy for mid-sized companies. Sandro has over 9 years' experience in the security industry and is focused on the analysis of security challenges and providing solutions to such threats. His passion is vulnerability research, and he has previously worked together with various vendors such as Microsoft and Sun to fix security holes. Sandro is the author of the free VoIP security scanning suite SIPVicious (sipvicious.org) and VOIPPACK for CANVAS.<br />
<br />
Abstract:<br />
WAFs or Web Application Firewalls are being deployed to fix security issues in your web applications. The question is, are they?<br />
In this presentation we take a look at some of the issues related to making use of this solution and how it may affect the overall security posture of your web application. Finally we will describe tools to automate detection of WAFs, and also tools to help identify ways to bypass WAFs. This presentation will include updates to the open source WAF security testing tools - WAFFIT. <br><br />
([[Media:2010-05-20_WAFs-Detecting, Bypassing, Exploiting Web Application Firewalls_Sandro Gauci.pdf|the slides in pdf format]])<br><br />
<b>21.00 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_May_20th_2010.pdf]]<br> <br />
<br />
== Database Security (Mar-11-2010) ==<br />
<br />
=== WHEN ===<br />
<br />
Thursday, March 11th, 2010 (18:00 - 21:30). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
ASR Nederland<br> <br> MD0.60 - Auditorium<br> Smallepad 30<br> 3811MG Amersfoort<br> <br />
<br />
| width="650" | <br />
[[Image:ASR Nederland logo.jpg|200px]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 SQL Injection - How far does the rabbit hole go?</b> (By Justin Clarke)<br><br />
<b>Justin Clarke</b> is a co-founder and Director at Gotham Digital Science, based in the United Kingdom. He has over twelve years of experience in assessing the security of networks, web applications, and wireless networks for large financial, retail, technology and government clients in the United States, the United Kingdom and New Zealand.<br />
Justin is the technical editor and lead author of “SQL Injection Attacks and Defense” (Syngress 2009), co-author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O’Reilly 2005), a contributing author to "Network Security Assessment: Know Your Network, 2nd Edition" (O’Reilly 2007), as well as a speaker at a number of conferences and events on security topics, including Black Hat USA, EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society. He is the author of the open source SQLBrute blind SQL injection testing tool, and is the Chapter Leader for the London chapter of OWASP.<br />
SQL Injection - How far does the rabbit hole go? SQL Injection has been around for over 10 years, and yet to this day it is still not truly understood by many security professionals and developers. With the recent mass attacks against sites across the world it has again come to the fore of vulnerabilities under the spotlight; however, many consider it to be only a data access issue, or parameterized queries to be a panacea.<br><br />
This talk starts from what was demonstrated last year at Black Hat in Las Vegas, where a self-propagating SQL Injection worm was demonstrated live on stage, and explores some of the deeper, darker areas of SQL Injection, hybrid attacks, and exploiting obscure database functionality.<br><br />
([[Media:OWASP-SQLInjection5nov09.pdf|the slides in pdf format]])<br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 – 20.30 VAC Insecure Direct Object Reference</b> (By Marinus Kuivenhoven)<br><br />
<b>Marinus Kuivenhoven</b> is a Senior Technology Specialist with Sogeti Nederland B.V., specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems. At Sogeti Nederland B.V. he is also an active member of the PaSS-Software (Proactive Security Strategy) taskforce focusing on secure application development. Marinus also developed and teaches several application security courses both within and outside Sogeti. In the past years he has written for magazines such as Computable and We Love IT, and he has spoken at a number of conferences and events such as OWASP, Recent OO Trends, Open Source Developer Conference and Engineering World.<br />
<b>Vulnerability:</b> Insecure Direct Object Reference is when a web application exposes an internal implementation object to the user. Some examples of internal implementation objects are database records, URLs, or files.<br><br />
<b>Attack:</b> An attacker can modify the internal implementation object in an attempt to abuse the access controls on this object. When the attacker does this they may have the ability to access functionality that the developer didn’t intend to expose access to.<br><br />
<b>Countermeasure:</b> References should be validated for authorization and accessed through reference maps. How this should be done will be shown.<br><br />
([[Media:20100311_VAC-IDOR_Marinus Kuivenhoven.pdf|the slides in pdf format]])<br><br />
<b>20.30 – 21.15 Overlooked Resources and Practices</b> (By Justin Clarke)<br><br />
In his second presentation, Justin Clarke discussed OWASP resources and best practices by highlighting some OWASP projects and underused security practices. He shared his experiences in his daily work as well as the known pitfalls.<br><br />
([[Media:20100311_Overlooked_Resources_and _Practices-Justin_Clarke.pdf|the slides in pdf format]])<br><br />
<b>21.15 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_March_11th_2010.pdf]]<br> <br />
The flyer of this meeting: [[Media:Owasp_NL_march2010.pdf]] <br> <br />
<br />
== Past Events ==<br />
<br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
==== Call for Speakers ====<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills? Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a recurring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
==== Chapter Leaders ====<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[mailto:bert.koelewijn@owasp.org Bert Koelewijn], ASR <br />
*[mailto:peter.gouwentak@owasp.org Peter Gouwentak], ING <br />
*[mailto:martin.knobloch@owasp.org Martin Knobloch], Sogeti <br />
*[mailto:ferdinand.vroom@owasp.org Ferdinand Vroom], Nationale Nederlanden<br />
<br />
Our goal is to professionalize the local OWASP organization, provide a bigger footprint to detect OWASP opportunities such as speakers/topics/sponsors/… and set a 5-year target on: target audiences, different events and interaction between OWASP global and local projects. <br />
<br />
==== Chapter Sponsoring ====<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. If you are interested in sponsoring the Netherlands chapter please contact via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
<br>If you would like to donate to our chapter, please use the PayPal link below. Thank you! <br />
<br />
<br><paypal>Netherlands</paypal> <br />
__NOTOC__<headertabs/></div>Martinknoblochhttps://wiki.owasp.org/index.php?title=User:Knoblochmartin&diff=83650User:Knoblochmartin2010-05-18T11:51:07Z<p>Martinknobloch: </p>
<hr />
<div>Hi, I am a member of the Dutch OWASP chapter. <br />
<br />
Martin Knobloch's [http://www. profile], [mailto:martin.knobloch(at)owasp.org email address] and [[:Special:Contributions/Knoblochmartin|wiki contributions]].<br />
<br />
Martin Knobloch is employed as a Security Consultant at Sogeti Nederland B.V. He is founder and chair of the taskforce Proactive Security Strategy (PaSS), focusing on Information Security within organisation, infrastructure and software.<br> <br />
Martin's main working area is application security; PaSS-Software addresses the whole application lifecycle. In his daily work, Martin is responsible for education in application security matters, and for advice on and implementation of application security measures.<br><br />
At OWASP he is a member of the Dutch Chapter Board. Next to this he contributes to several projects such as the OWASP Capture The Flag (CTF), OWASP Education Project and OWASP Speaker Project, and is chair of the OWASP Global Education Committee.</div>Martinknoblochhttps://wiki.owasp.org/index.php?title=Netherlands&diff=83199Netherlands2010-05-10T12:00:49Z<p>Martinknobloch: </p>
<hr />
<div>{{Chapter Template|chaptername=Netherlands|extra=|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-netherlands|emailarchives=http://lists.owasp.org/pipermail/owasp-netherlands}} <br />
<br />
<br> <br />
<br />
==== Local News ====<br />
<br />
Please block your agendas on Thursday, March 11th, 18h-21:30h for the next Netherlands chapter meeting.<br>Subject will be: Database Security! <br />
<br />
==== Chapter Meetings ====<br />
<br />
== 2010 Schedule ==<br />
<br />
*March 11th, 18.00 - 21.30 Topic: Database Security<br> <br />
*May 20th, 18.00 - 21.30 Topic: Web Application Firewalls <br />
*September 23rd, 18.00 - 21.30 Topic: Security in Content Management Systems <br />
*November 18th, 18.00 - 21.30 Topic &nbsp;: TBD<br />
<br />
<br><br />
== REGISTRATION ==<br />
<br />
To register for a chapter meeting (first come, first served), please '''send an email''' to: [mailto:netherlands@owasp.org netherlands 'at' owasp.org].<br />
<br />
== Next Meeting (May 2010) ==<br />
=== WHEN ===<br />
May 2010 (18:00 - 21:30). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
Location: http://www.setuputrecht.nl/ <br><br />
SETUP is located on the Neude square in Utrecht (Neude 4), in the new office of the Dutch Game Garden.<br><br />
(entrance at the back of the ABNamro building on “het Neude”) <br><br />
[[Image:lokatie_setup_google.gif|200px]] <br><br />
| width="650" | <br />
[[Image:Setup_logo.jpg|200px]] <br><br />
<br />
[[Image:iqt_logo.gif|200px]] <br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 Web Application Firewalls in dynamic environments</b> (by Alexander Meisel)<br><br />
Alexander Meisel is the CTO of 'art of defence' (AOD), a German-based software vendor. The company specializes in high-performance deployments of Web Application Firewalls in very dynamic environments all over the world.<br />
<br />
Abstract:<br />
The current trend towards cloud computing forces everybody to deploy services in a virtual environment. In current dedicated environments WAFs or Web Application Firewalls are mostly deployed as a hardware (black) box, which is easy at first but limits them to only low performance web cluster architectures. Moving those systems virtualized into a cloud environment makes almost no sense because of the resource limitations.<br />
The solution is a redesign which enables WAFs to be part of a true message based cloud system. This talk explains how truly virtualized and distributed web applications are architected, work and scale in high performance environments. <br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 - 21:00 Bypassing Web Application Firewalls </b>(by Sandro Gauci)<br><br />
Sandro Gauci is the owner and Founder of EnableSecurity (www.enablesecurity.com) where he performs R&D and security consultancy for mid-sized companies. Sandro has over 9 years experience in the security industry and is focused on analysis of security challenges and providing solutions to such threats. His passion is vulnerability research and he has previously worked together with various vendors such as Microsoft and Sun to fix security holes. Sandro is the author of the free VoIP security scanning suite SIPVicious (sipvicious.org) and VOIPPACK for CANVAS.<br />
<br />
Abstract:<br />
WAFs or Web Application Firewalls are being deployed to fix security issues in your web applications. The question is, are they?<br />
In this presentation we take a look at some of the issues related to making use of this solution and how it may affect the overall security posture of your web application. Finally we will describe tools to automate detection of WAFs, and also tools to help identify ways to bypass WAFs. This presentation will include updates to the open source WAF security testing tools - WAFFIT. <br><br />
<b>21.00 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_May_20th_2010.pdf]]<br> <br />
<br />
== Database Security (Mar-11-2010) ==<br />
<br />
=== WHEN ===<br />
<br />
Thursday, March 11th, 2010 (18:00 - 21:30). <br />
<br />
=== WHERE ===<br />
{|<br />
|-<br />
| width="350" | <br />
ASR Nederland<br> <br> MD0.60 - Auditorium<br> Smallepad 30<br> 3811MG Amersfoort<br> <br />
<br />
| width="650" | <br />
[[Image:ASR Nederland logo.jpg|200px]] <br />
<br />
|-<br />
| width="350" | <br> <br />
| width="650" | <br />
<br> <br />
<br />
<br> <br />
<br />
|}<br />
<br />
=== PROGRAM ===<br />
<b>18:00 - 18:30 Check-In (catering included)</b><br><br />
<b>18:30 - 18:45 Introduction (OWASP organization, projects, sponsor)</b><br><br />
<b>18.45 - 19.45 SQL Injection - How far does the rabbit hole go?</b> (By Justin Clarke)<br><br />
<b>Justin Clarke</b> is a co-founder and Director at Gotham Digital Science, based in the United Kingdom. He has over twelve years of experience in assessing the security of networks, web applications, and wireless networks for large financial, retail, technology and government clients in the United States, the United Kingdom and New Zealand.<br />
Justin is the technical editor and lead author of “SQL Injection Attacks and Defense” (Syngress 2009), co-author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O’Reilly 2005), a contributing author to "Network Security Assessment: Know Your Network, 2nd Edition" (O’Reilly 2007), as well as a speaker at a number of conferences and events on security topics, including Black Hat USA, EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society. He is the author of the open source SQLBrute blind SQL injection testing tool, and is the Chapter Leader for the London chapter of OWASP.<br />
SQL Injection - How far does the rabbit hole go? SQL Injection has been around for over 10 years, and yet it is still to this day not truly understood by many security professionals and developers. With the recent mass attacks against sites across the world it has again come to the fore of vulnerabilities under the spotlight; however, many consider it to only be a data access issue, or parameterized queries to be a panacea.<br><br />
This talk starts from what was demonstrated last year at Black Hat in Las Vegas, where a self propagating SQL Injection worm was demonstrated live on stage. Explore some of the deeper, darker areas of SQL Injection, hybrid attacks, and exploiting obscure database functionality.<br><br />
([[Media:OWASP-SQLInjection5nov09.pdf|the slides in pdf format]])<br><br />
<b>19.45 – 20.00 Break</b><br><br />
<b>20.00 – 20.30 VAC Insecure Direct Object Reference</b> (By Marinus Kuivenhoven)<br><br />
<b>Marinus Kuivenhoven</b> is a Senior Technology Specialist with Sogeti Nederland B.V. specializing in service oriented architectures and secure application development. His experience includes developing and administrating Oracle-based systems. At Sogeti Nederland B.V. he is also an active member of the PaSS (Proactive Security Strategy) software taskforce focusing on secure application development. Marinus also developed and teaches several application security courses both within and outside Sogeti. In the past years he has written for magazines such as Computable and We Love IT, and he has spoken at a number of conferences and events such as OWASP, Recent OO Trends, Open Source Developer Conference and Engineering World.<br />
<b>Vulnerability:</b> Insecure Direct Object Reference is when a web application exposes an internal implementation object to the user. Some examples of internal implementation objects are database records, URLs, or files.<br><br />
<b>Attack:</b> An attacker can modify the internal implementation object in an attempt to abuse the access controls on this object. When the attacker does this they may have the ability to access functionality that the developer didn’t intend to expose.<br><br />
<b>Countermeasure:</b> References should be validated for authorization and accessed through reference maps. How this should be done will be shown.<br><br />
([[Media:20100311_VAC-IDOR_Marinus Kuivenhoven.pdf|the slides in pdf format]])<br><br />
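An illustration of the countermeasure named in the VAC above (an authorization check combined with an indirect reference map), as an added example in Python that is not the speaker's code: the invoice records, user names and function names are constructed for this example.

```python
import secrets

# Constructed sample data (not from the talk): internal record id -> owner and amount.
INVOICES = {
    101: {"owner": "alice", "amount": 42.0},
    102: {"owner": "bob", "amount": 99.0},
}


def get_invoice_direct(user, invoice_id):
    """Vulnerable pattern: the request parameter IS the internal database key and
    no ownership check is made, so any user can walk the id space (IDOR)."""
    return INVOICES.get(invoice_id)


class ReferenceMap:
    """Per-session indirect reference map. Internal ids are never sent to the
    client; the client only ever sees random tokens minted for objects this
    session is allowed to reach, so there is nothing meaningful to tamper with."""

    def __init__(self):
        self._to_internal = {}   # token -> internal id
        self._to_indirect = {}   # internal id -> token

    def indirect_for(self, internal_id):
        if internal_id not in self._to_indirect:
            token = secrets.token_urlsafe(16)      # unguessable, session-scoped
            self._to_indirect[internal_id] = token
            self._to_internal[token] = internal_id
        return self._to_indirect[internal_id]

    def internal_for(self, token):
        return self._to_internal.get(token)


def list_invoices(user, refmap):
    """Mint indirect references only for the caller's own records."""
    return {refmap.indirect_for(i): inv["amount"]
            for i, inv in INVOICES.items() if inv["owner"] == user}


def get_invoice_safe(user, refmap, token):
    """Hardened pattern: resolve the indirect reference, then still validate
    authorization. The map stops guessing; the explicit owner check stops misuse
    of a token that leaked or was minted for a different session."""
    internal_id = refmap.internal_for(token)
    if internal_id is None:
        return None                          # unknown token: treat as not found
    inv = INVOICES[internal_id]
    if inv["owner"] != user:
        return None                          # authorization failure
    return inv
```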
<b>20.30 – 21.15 Overlooked Resources and Practices</b> (By Justin Clarke)<br><br />
In his second presentation, Justin Clarke discussed OWASP resources and best practices by highlighting some OWASP projects and underused security practices. He shared his experiences in his daily work as well as the known pitfalls.<br><br />
([[Media:20100311_Overlooked_Resources_and _Practices-Justin_Clarke.pdf|the slides in pdf format]])<br><br />
<b>21.15 – 21:30 Discussion, questions and social networking</b><br><br />
<br />
The Announcement of this meeting: [[Media:Announcement_OWASP-NL_March_11th_2010.pdf]]<br> <br />
The flyer of this meeting: [[Media:Owasp_NL_march2010.pdf]] <br> <br />
<br />
== Past Events ==<br />
<br />
*Events held in [[Netherlands Previous Events 2009|2009]] <br />
*Events held in [[Netherlands Previous Events 2008|2008]] <br />
*Events held in [[Netherlands Previous Events 2007|2007]] <br />
*Events held in [[Netherlands Previous Events 2006|2006]] <br />
*Events held in [[Netherlands Previous Events 2005|2005]]<br />
<br />
==== Call for Speakers ====<br />
<br />
We are continuously looking for speakers.<br>'''Presentations:''' Are you working on an interesting subject, would you like to share your experience with the OWASP community and do you have presentation skills? Please let us know! Any topic related to web application security will be appreciated!<br>'''VAC, Vulnerability, Attack, Countermeasure:''' The VAC is a recurring part of the chapter meetings. The VAC is a half hour in-depth technical presentation about a vulnerability, how it can be exploited and how to prevent it!<br> <br />
<br />
<span style="font-weight: bold;">Links: </span> <br />
<br />
[http://www.owasp.org/index.php/Speaker_Agreement Speaker Agreement] <br />
<br />
[http://www.owasp.org/images/5/54/Presentation_template.ppt Template] <br />
<br />
==== Chapter Leaders ====<br />
<br />
The Netherlands Chapter is supported by the following board: <br />
<br />
*[mailto:bert.koelewijn@owasp.org Bert Koelewijn], ASR <br />
*[mailto:peter.gouwentak@owasp.org Peter Gouwentak], ING <br />
*[mailto:martin.knobloch@owasp.org Martin Knobloch], Sogeti <br />
*[mailto:ferdinand.vroom@owasp.org Ferdinand Vroom], Nationale Nederlanden<br />
<br />
Our goal is to professionalize the local OWASP chapter, provide a bigger footprint to identify OWASP opportunities such as speakers/topics/sponsors/… and set a 5-year target on: target audiences, different events and interaction between OWASP global and local projects. <br />
<br />
==== Chapter Sponsoring ====<br />
<br />
OWASP Netherlands is looking for organizations to sponsor our chapter. If you are interested in sponsoring the Netherlands chapter, please contact us via email: [mailto:netherlands@owasp.org netherlands 'at' owasp.org]. <br />
<br />
<br>If you would like to donate to our chapter, please use the PayPal link below. Thank you! <br />
<br />
<br><paypal>Netherlands</paypal> <br />
__NOTOC__<headertabs/></div>Martinknobloch