Difference between revisions of "OWASP Newsletter 4"

Revision as of 11:24, 31 January 2007

Using the same format as used in OWASP Newsletter's 1, 2 and 3 this is the page that will be used for the next Newsletter

1 OWASP Newsletter #4

OWASP projects that need your help

• OWASP Top 10 2007 RC1 - We are opening review of the Top 10 2007 until February 28, 2007. Please review the document and provide feedback to the [email protected] mail list. If you cannot make public submissions or feedback but still wish to make your voice heard, please mail vanderaj (at) owasp.org. Please note: This document is not to be used or referenced until after its release.
• OWASP Testing Project v2.0 - Now that the The OWASP Testing Guide v2.0 has reached the 'Release Candidate 1 milestone, the time has come to make sure that everything is 100% and that there is nothing major missing (review process ends on the 10th of Feb).
• Online Questionaires: I (Dinis) want to do a OWASP wide survey, what solution should I use to create, deploy and manage it?
• WordPress guru needed: Our blogs (http://blogs.owasp.org/) still looks miserable. We need somebody to help Mide de Libero to sort it out (and while you're there get a feed to put on owasp.org and the next version of the OWASP newsletter)
• This is not from an OWASP project, but a request I received from an MBA Student who is doing a survey on Open Source (http://www.surveymonkey.com/s.asp?u=387523013251])

4 Featured Project: WebGoat 5.0 RC1

WebGoat Overview

WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

To get started, read the User and Install Guide

WebGoat 5.0 Release Candidate 1

Thursday January 17th, WebGoat 5.0 Release Candidate 1 was released. Special thanks to the many people who have sent comments and suggestions and those who have put in the effort to contribute their time to this release.

The 5.0 release would not have been possible without the efforts of Sherif Koussa and OWASP Autumn of Code 2006.

This version can be downloaded from OWASP's Sourceforce repository: WebGoat 5.0 RC1

Please send all comments to webgoat AT g2-inc DOT com regarding this release candidate. A final release is scheduled for the end of January

3 Featured Project: {TBD}

5 Latest additions to the WIKI

5.1 New Pages

• Top 10 2007 - Top 10 2007 RC1 Public Comments & Review page
• Guide to SQL Injection - Article examining the possibility of tampered SQL query data exploiting your database and/or application.
• Member Offers - New offers available for all individual OWASP Members and employees of OWASP Corporate Members.
• Announce:Web Honeynet - Web Honeynet project announcement by SecuriTeam and the ISOTF.
• Code Auditor Workbench Tool - Ideas about a source code analysis tool to aid security consultants
• OWASP News 2006, OWASP Community 2006 - These pages contains OWASP news stories and community events from 2006.

5.2 Updated pages

• Membership - Add reference to the Member Offers page and changed the 'Educational Members' category to be 'Educational and Non-Profit Members'
• Installer details for ORG - Information on how to build an installer for ORG using WiX
• SQL Injection - Updated with links to the SQL Injection pages in the OWASP Guide, OWASP Code Review and OWASP Testing Guide
• OWASP Stinger Project‎ - Updated with new release information (2.4 RC1)
• .Net Research Links - Several new CLR links
• Fuzzing
• Testing for SQL Injection , Testing: Information Gathering , Reviewing Code for SQL Injection
• minor edits or comments: Talk:JAAS Tomcat Login Module , (added link to Orizon Blog) , OWASP Stinger 3 Ideas

New Documents & Presentations from chapters

• OWASP Testing Guide Presentation
• OWASP Top 10 2007 RC1.pdf or OWASP Top 10 2007 RC1.doc - the new version of the OWASP Top 10 (Release Candidate 1)
• From the Belgium chapter:
  • Jan 07:
    • OWASP BE 2007-01-23 OWASP Update.zip - OWASP Update including 2006 poll results
    • File:OWASP BE 2007-01-23 AOP security.zip - AOP Security presentation
• From the Israel chapter
  • Jan 07
    • of the Universal XSS PDF vulnerability - Cause, Solutions and Fun Stuff
  • Nov 06 (OWASP IL mini conference):
    • Malicious content in enterprise portals
    • Real vs. Virtual Patching
    • "The Core Rule Set": Generic detection of application layer attacks
    • The OWASP Top Ten Backdoors
    • Hacking The Framework
  • Jul 06:
    • Exposing cryptography for software developers
    • Preventing Spoofing, Phishing and Spamming by Secure Usability and Cryptography
• ValidationQuestionnaire.doc

5.3 Latest Blog entries

5.4 Interesting Discussion Threads

5.5 OWASP Community

• Feb 26-Mar 1 - Black Hat DC

OWASP members receive a $100 Briefings discount by inserting BH7DCASSOC in the box marked “Coupon Codes”

• Feb 20 (18:00h) - Rochester chapter meeting
• Feb 15 (18:00h) - Seattle chapter meeting
• Feb 15 (18:00h) - Washington DC (MD) chapter meeting
• Feb 15 (18:00h) - Washington DC (N. VA) chapter meeting
• Feb 15 (18:00h) - Seattle chapter meeting
• Feb 14 (18:00h) - Toronto chapter meeting
• Feb 13 (18:00h) - Ireland chapter meeting
• Feb 12 (18:30h) - Switzerland chapter meeting
• Feb 7 (18:30h) - Boston chapter meeting
• Feb 6-7 - Italy@InfoSecurity
• Feb 6 (18:00h) - Melbourne chapter meeting
• Feb 2 (14:00h) - Chennai chapter meeting
• Jan 31 (15:00h) - Mumbai chapter meeting
• Jan 30 (11:30h) - Austin chapter meeting

5.6 Application Security News

6 OWASP references in the Media