This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Newsletter 14"

From OWASP
Jump to: navigation, search
m (Updated pages)
(Featured Item: Proposed OWASP Project Assessment)
 
(24 intermediate revisions by 3 users not shown)
Line 1: Line 1:
==  OWASP Newsletter #14 (xx-Feb-2008) ==
+
==  OWASP Newsletter #14 (29-Feb-2008) ==
Welcome to the 14th edition of the OWASP Newsletter, featuring TBD and the TBD Project.
+
Welcome to the 14th edition of the OWASP Newsletter, featuring OWASP Employee #2 - Paulo Coimbra, the Proposed OWASP Project Assessment and the OWASP Summer of Code 2008 Project.
  
  
Line 8: Line 8:
 
Alison McNamee - OWASP Operations Director - [email protected]
 
Alison McNamee - OWASP Operations Director - [email protected]
  
== Featured Item: TBD==
+
== Featured Item: OWASP Employee #2, Paulo Coimbra==
 +
* Paulo Coimbra (following his recent sucess of managing Spoc 07) as accepted to become the 2nd OWASP employee (he will be working part-time until June and full time from then on). Paulo will take on the role of OWASP Project Management, and here are his first short-term action plan:
 +
# To launch and manage the new season of code – OWASP Summer of Code 2008.
 +
# To contribute to and stabilize OWASP’s new Project Assessment Criteria.
 +
# To contribute to the assessment, and re-assessment, of all OWASP projects.
 +
# To build and maintain a wiki page with the status of all OWASP projects and their assessments.
 +
# To welcome new developers who are interested in joining OWASP community.
 +
# To help project leaders and participants with their projects in any way that I can.
  
 +
== Featured Item: Proposed OWASP Project Assessment==
 +
* OWASP has begun the process of stabilization its [[:Category:OWASP Project Assessment|'''PROJECT ASSESSMENT CRITERIA''']]. The objective is to have clear and objective requirements for OWASP project's (for both tools and documentation).
 +
** The current structure is still in flux, so please spend some time reviewing it and send us your comments.
 +
** The objective is to map all [[:Category:OWASP_Project|OWASP Projects]] to the proposed 3 project modes (Release Quality, Beta Quality and Alpha Quality) in the next couple months.
  
== Featured Project: TBD ==
+
== Featured Project: OWASP Spring of Code 2008 is about to be launched - March 3rd ==
 
 
  
 +
* OWASP is about to launch the [[OWASP Summer of Code 2008|''''OWASP SUMMER OF CODE 2008'''']] (SoC 2008). This follows the successfull OWASP Spring of Code 2007 (SpoC 07), in which 21 projects were sponsored with a budget of US$117,500, and the OWASP Autumn of Code 2006 (AoC 06), in which 9 projects were sponsored with a budget of US$20,000.
 +
* The SoC 2008 is an open sponsorship program were participants/developers are paid to work on OWASP (and web security) related projects.
 +
* The SoC 2008 is also an opportunity for external individual or company sponsors to challenge the participants/developers to work in areas in which they are willing to invest additional funding.
 +
* For more details see:
 +
** [[OWASP Summer of Code 2008|OWASP Summer of Code 2008]]  - Main page of SoC 08
 +
** [[OWASP Summer of Code 2008 Press Release]] - Press release.
 +
** [[OWASP Summer of Code 2008 Applications]] - To submit applications.
 +
** [[OWASP Summer 0f Code 2008 : Selection]] - Jury's evaluation of applications. 
 +
** [[OWASP Summer of Code 2008#Who Can Apply?|Who Can Apply?]]
 +
** [[OWASP Summer of Code 2008#How To Participate (To Developers)|How To Participate (To Developers)]]
 +
** [[OWASP Summer of Code 2008#Schedule|Schedule]]
 +
** [[OWASP Summer of Code 2008#Jury and Selection Criteria|Jury and Selection Criteria]]
 +
** [[OWASP Summer of Code 2008#Operational Rules|Operational Rules]]
 +
** [[OWASP Summer of Code 2008#General Rules|General Rules]]
 +
** [[OWASP Summer of Code 2008#SoC 2008 Budget|SoC 2008 Budget]]
  
 
== Latest additions to the WIKI ==
 
== Latest additions to the WIKI ==
Line 20: Line 45:
 
==== New Pages====
 
==== New Pages====
  
* [https://www.owasp.org/index.php?title=OWASP_Summer_0f_Code_2008_:_Selection&rcid=25823 OWASP Summer of Code 2008 - Selection]
+
* [https://www.owasp.org/index.php?title=OWASP_Summer_of_Code_2008&rcid=25795 OWASP Summer of Code 2008]
 
* [https://www.owasp.org/index.php?title=OWASP_Summer_of_Code_2008_Press_Release&rcid=25817 OWASP Summer of Code 2008 Press Release]
 
* [https://www.owasp.org/index.php?title=OWASP_Summer_of_Code_2008_Press_Release&rcid=25817 OWASP Summer of Code 2008 Press Release]
 +
* [https://www.owasp.org/index.php?title=OWASP_Summer_of_Code_2008_Applications&rcid=25813 OWASP Summer of Code 2008 Applications]
 
* [https://www.owasp.org/index.php?title=OWASP_Summer_of_Code_2008_Applications_-_Proposal_Type&rcid=25815 OWASP Summer of Code 2008 Applications - Proposal Type]
 
* [https://www.owasp.org/index.php?title=OWASP_Summer_of_Code_2008_Applications_-_Proposal_Type&rcid=25815 OWASP Summer of Code 2008 Applications - Proposal Type]
* [https://www.owasp.org/index.php?title=OWASP_Summer_of_Code_2008_Applications&rcid=25813 OWASP Summer of Code 2008 Applications]
+
* [https://www.owasp.org/index.php?title=OWASP_Summer_0f_Code_2008_:_Selection&rcid=25823 OWASP Summer of Code 2008 - Selection]
* [https://www.owasp.org/index.php?title=OWASP_Summer_of_Code_2008&rcid=25795 OWASP Summer of Code 2008]
 
* [http://www.owasp.org/index.php/OWASP_Winter_Of_Code_2008_Press_Release OWASP Winter of Code 2008 Press Release]
 
* [http://www.owasp.org/index.php/OWASP_Winter_Of_Code_2008_Applications_-_Proposal_Type OWASP Winter of Code 2008 Applications - Proposal Type]
 
 
* [http://www.owasp.org/index.php/Control_template Control Template]
 
* [http://www.owasp.org/index.php/Control_template Control Template]
 
* [http://www.owasp.org/index.php/JSP_JSTL JSP JSTL]
 
* [http://www.owasp.org/index.php/JSP_JSTL JSP JSTL]
Line 57: Line 80:
 
* [[San Jose]]
 
* [[San Jose]]
 
* [[San Francisco Bay Area]]
 
* [[San Francisco Bay Area]]
 +
* [[Boulder]]
 +
* [[Denver]]
 +
* [[Spain]]
 +
* [[Latvia]]
 +
* [[New Zealand]]
 +
* [[Eugene]]
 +
* [[Helsinki]]
 +
* [[South Africa]]
 +
* [[Greece]]
 +
* [[Austin]]
 +
* [[Memphis]]
 +
* [[NYNJMetro]]
  
 
==== New Documents & Presentations from chapters====  
 
==== New Documents & Presentations from chapters====  
 +
 +
* [https://www.owasp.org/images/c/ce/OWASP_Top_10_2007_-_French.pdf French Translation of OWASP Top 10]
  
 
For a complete list of chapter presentations see [[OWASP_Education_Presentation|the online table of presentations]].
 
For a complete list of chapter presentations see [[OWASP_Education_Presentation|the online table of presentations]].
 
  
 
== OWASP references in the Media==
 
== OWASP references in the Media==
  
* [http://www.linkedin.com/answers/hiring-human-resources/staffing-recruiting/HRH_SFF/170101-170718 The best way to recruit IT security professionals]
+
* [http://grutztopia.jingojango.net/2008/02/your-client-side-security-sucks.html Your Client-Side Security Sucks]
 +
* [http://www.contractoruk.com/003675.html The Changed Face of Cybercrime]
 +
* [http://denimgroup.typepad.com/denim_group/2008/02/authentication.html Authentication & Authorization Assumptions]
 
* [http://cincinnatirecruiter.wordpress.com/2008/02/09/locks-are-to-keep-the-honest-people-out/ Locks are to keep the honest people out]
 
* [http://cincinnatirecruiter.wordpress.com/2008/02/09/locks-are-to-keep-the-honest-people-out/ Locks are to keep the honest people out]
 +
 +
 +
=='''[https://www.owasp.org/index.php/Template:Application_Security_News Application Security News Feed]'''==
 +
 +
* Feb 28 - [http://www.cafeconleche.org/#February_27_2008_69626| The W3C Web API Working Group has posted the first public working draft of XMLHttpRequest Level 2. "XMLHttpRequest Level 2 enhances XMLHttpRequest with new features, such as cross-site requests, progress events, and the handling of byte streams for both sending and receiving." I'm afraid I'm not familiar enough with XMLHttpRequest Level 1 to tell immediately what's new here]. (by [http://www.cafeconleche.org/today.rss undefined]) - The W3C Web API Working Group has posted the first public working draft of XMLHttpRequest Level 2. "XMLHttpRequest Level 2 enhances XMLHttpRequest with new features, such as cross-site requests, progress events, and the handling of byte streams for ...
 +
 +
* Feb 25 - [http://feeds.feedburner.com/~r/developer_center_tutorials/~3/242450087/introduction_to_air_security.html| Introducing the Adobe AIR security model] (by [http://feeds.feedburner.com/developer_center_tutorials?format=xml| Lucas Adamski]) - Learn more about the rationale behind the AIR security model and what you should consider when building AIR applications.
 +
 +
* Feb 28 - [http://feeds.feedburner.com/~r/tssci/~3/242517957/| OWASP Hartford tomorrow] (by [http://feeds.feedburner.com/tssci| Marcin]) - Tomorrow, February 28th, is the first ever meeting for the brand new Hartford Owasp chapter. James McGovern, the chapter lead has been putting some effort into starting it off with a bang, so I hope everyone in the NY/CT/Mass area can make it. Agenda ...
 +
 +
* Feb 27 - [http://www.net-security.org/news.php?id=15778 Off the wire: Extended validation certificates and XSS considered harmful] (by [http://feeds.feedburner.com/HelpNetSecurity Undefined]) - A cross-site scripting vulnerability on the popular SourceForge.net website shows how Extended Validation SSL certificates could be exploited by fraudsters.
 +
 +
* Feb 27 - [http://mcpmag.com/columns/article.asp?EditorialsID=950 Security is Everybody's Business - Microsoft Certified Professional] (by [http://news.google.com/news?svnum=10&as_scoring=r&ie=UTF-8&oe=utf8&hl=en&q=%22application+security%22+OR+%22software+security%22&output=rss Undefined]) - Security is Everybody’s Business Microsoft Certified Professional - 17 hours ago It seems like all of us really need to understand *application security*, whether or not that was part of our original training. Fortunately, a pair of new...
 +
 +
* Feb 27 - [http://blog.ivanristic.com/2008/02/extended-valida.html Extended Validation SSL certificates not going anywhere, as predicted] (by [http://blog.ivanristic.com/atom.xml ivanr]) - According to Netcraft, there are around 4,500 web sites using Extended Validation (EV) SSL certificates, one year after this new type of certificate was introduced. At the same time, over 800,000 sites continue to use the old-style certificates...
 +
 +
* Feb 27 - [http://www.thespanner.co.uk/2008/02/27/polymorphic-javascript/ Polymorphic Javascript] (by [http://www.thespanner.co.uk/feed/ Gareth Heyes]) - Finding a pattern in malicious javascript is difficult, it’s possible to selectively change the source code yet still execute the same payload. There are many ways to morph Javascript and I shall go through a few of the possibilities and provide...
 +
 +
* Feb 26 - [http://i8jesus.com/?p=15 Improving Hackvertor: Polymorphic Javascript Payloads] (by [http://i8jesus.com/?feed=atom Arshan Dabirsiaghi]) - One of the cooler tools in the webappsec hacker’s handbook is Hackvertor. It’s a smart encoding tool written by Gareth Heyes that helps you craft XSS vectors that pass whatever filters you’re trying to evade. Rather than wasting 3 paragraphs ...

Latest revision as of 19:18, 3 March 2008

OWASP Newsletter #14 (29-Feb-2008)

Welcome to the 14th edition of the OWASP Newsletter, featuring OWASP Employee #2 - Paulo Coimbra, the Proposed OWASP Project Assessment and the OWASP Summer of Code 2008 Project.


As always, if you have any content to add to the next edition, please feel free to add it directly to its WIKI page OWASP Newsletter 15.


Alison McNamee - OWASP Operations Director - [email protected]

Featured Item: OWASP Employee #2, Paulo Coimbra

  • Paulo Coimbra (following his recent sucess of managing Spoc 07) as accepted to become the 2nd OWASP employee (he will be working part-time until June and full time from then on). Paulo will take on the role of OWASP Project Management, and here are his first short-term action plan:
  1. To launch and manage the new season of code – OWASP Summer of Code 2008.
  2. To contribute to and stabilize OWASP’s new Project Assessment Criteria.
  3. To contribute to the assessment, and re-assessment, of all OWASP projects.
  4. To build and maintain a wiki page with the status of all OWASP projects and their assessments.
  5. To welcome new developers who are interested in joining OWASP community.
  6. To help project leaders and participants with their projects in any way that I can.

Featured Item: Proposed OWASP Project Assessment

  • OWASP has begun the process of stabilization its PROJECT ASSESSMENT CRITERIA. The objective is to have clear and objective requirements for OWASP project's (for both tools and documentation).
    • The current structure is still in flux, so please spend some time reviewing it and send us your comments.
    • The objective is to map all OWASP Projects to the proposed 3 project modes (Release Quality, Beta Quality and Alpha Quality) in the next couple months.

Featured Project: OWASP Spring of Code 2008 is about to be launched - March 3rd

Latest additions to the WIKI

New Pages

New Chapter Pages

Updated Pages


Updated chapter pages:

New Documents & Presentations from chapters

For a complete list of chapter presentations see the online table of presentations.

OWASP references in the Media


Application Security News Feed

  • Feb 28 - OWASP Hartford tomorrow (by Marcin) - Tomorrow, February 28th, is the first ever meeting for the brand new Hartford Owasp chapter. James McGovern, the chapter lead has been putting some effort into starting it off with a bang, so I hope everyone in the NY/CT/Mass area can make it. Agenda ...
  • Feb 27 - Polymorphic Javascript (by Gareth Heyes) - Finding a pattern in malicious javascript is difficult, it’s possible to selectively change the source code yet still execute the same payload. There are many ways to morph Javascript and I shall go through a few of the possibilities and provide...