
Difference between revisions of "OWASP Newsletter 4"

(OWASP Newsletter #4 (31-Jan-07): OWASP Top 10 RC1, Web Goat, OWASP Documentation Projects)
 
(8 intermediate revisions by 3 users not shown)
Line 1: Line 1:
Sent to owasp-all mailing list on 31st Jan 2007
+
''Sent to owasp-all mailing list on 31st Jan 2007''
== OWASP Newsletter #4 (31-Jan-07): OWASP Top 10 RC1, Web Goat, OWASP Documentation Projects==
 
Welcome to OWASP Newsletter #4, as mentioned last week, we finally got the new version RC1 (Release Candidate 1) of the OWASP Top 10 out for review, criticism and comment (we will take all comments very seriously (like for example [http://sylvanvonstuppe.blogspot.com/2007/01/owasp-top-10-2007-update-rc1.html Sylvan von Stuppe] post) so please do spend the time to check this version and speak up your mind)
 
  
This week I am featuring one of our longest and most famous projects, [[OWASP WebGoat Project|Web Goat]], who has release the WebGoat 5.0 RC 1  containing new lessons created via an [http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Web_Goat Owasp Autumn of Code] sponsorship. I also featured a good list and descriptions of the best OWASP Documentation projects (just in case you were not aware of them :)  )
+
==OWASP Newsletter #4 (31-Jan-07)==
  
Talking about the AoC (Autumn of Code), if all goes well we will close it officially next week, and will announce the SpoC. SpoC has you must be guessing by now, is the OWASP Spring of Code (still with no connection with Google's Summer of Code) :)
+
Welcome to OWASP Newsletter #4
  
As you can see on the updated pages section, we also made a small change in our membership criteria, where we changed the 'Educational Members' category to be 'Educational and Non-Profit Members'.
+
; '''[[Top 10 2007|OWASP Top 10 2007 RC1]]'''
 +
: As mentioned last week, we finally got the new version RC1 (Release Candidate 1) of the OWASP Top 10 out for review, criticism and comment. We take all comments very seriously (see[http://sylvanvonstuppe.blogspot.com/2007/01/owasp-top-10-2007-update-rc1.html Sylvan von Stuppe], so please do spend the time to check this version and speak up your mind.
  
As normal you can find below the links to the latest WIKI changes and at the end you can see a couple OWASP references in the media that are not really compliant with the [[OWASP brand usage rules]].  
+
; '''[[OWASP WebGoat Project|WebGoat]]'''
 +
: See below for a feature on one of our longest and most famous projects, which has released WebGoat 5.0 RC1  containing a bunch of new lessons created via an [[Owasp_Autumn_Of_Code_2006|OWASP Autumn of Code]] sponsorship.
  
If you don't have much time this week, apart from the new OWASP Top 10 RC1, you should also check out the briliant [[:Image:OWASP Testing Guide Presentation.zip|OWASP Testing Guide Presentation]] and the blog posts [http://blogs.owasp.org/seba/2007/01/29/sdlc-for-the-geek/ SDLC for the “Geek”],[http://blogs.owasp.org/seba/2007/01/23/cross-chapter-cooperation/ Cross-Chapter cooperation] and [http://blogs.owasp.org/dacort/2007/01/31/reporting-web-vulns/ Reporting Web Vulns]
+
; '''OWASP Grants'''
 +
: Talking about the AoC (Autumn of Code), if all goes well we will close it officially next week, and will announce the SpoC. SpoC has you must be guessing by now, is the OWASP Spring of Code (still with no connection with Google's Summer of Code) :)
  
And if you are going to the RSA conference next week, drop a line to Brian Bertacini from the San Jose OWASP Chapter for details on an OWASP get-together.
+
; '''Support for Non-Profits'''
 +
: As you can see on the updated pages section, we also made a small change in our membership criteria, where we changed the 'Educational Members' category to be 'Educational and Non-Profit Members'.
 +
 
 +
; '''RSA Meetup'''
 +
: If you are going to the RSA conference next week, drop a line to Brian Bertacini from the San Jose OWASP Chapter for details on an OWASP get-together.
 +
 
 +
'''Recommended Reading'''
 +
* The brilliant [[:Image:OWASP Testing Guide Presentation.zip|OWASP Testing Guide Presentation]]
 +
* [http://blogs.owasp.org/seba/2007/01/29/sdlc-for-the-geek/ SDLC for the “Geek”],[http://blogs.owasp.org/seba/2007/01/23/cross-chapter-cooperation/ Cross-Chapter cooperation]
 +
* [http://blogs.owasp.org/dacort/2007/01/31/reporting-web-vulns/ Reporting Web Vulns]
 +
* the [http://www.waterfall2006.com/ Waterfall 2006] conference (I think next year I will be doing a presentation on 'Security by Obscurity, don't advertise (or link to) your site' :)
 +
* http://www.securitybullshit.com - ''"Humorous look at an industry spinning out of control"'' by the uncompromising Mark Curphey
  
 
Don't forget, if you want something to appear in the next version, please add it to [[OWASP Newsletter 5]].  
 
Don't forget, if you want something to appear in the next version, please add it to [[OWASP Newsletter 5]].  
 
To end on a high note, check out:
 
* the [http://www.waterfall2006.com/ Waterfall 2006] conference (I think next year I will be doing a presentation on 'Security by Obscurity, don't advertize (or link to) your site' :)
 
* http://www.securitybullshit.com - ''"Humorous look at an industry spinning out of control"'' by the uncompromizing Mark Curphey
 
  
 
Dinis Cruz  
 
Dinis Cruz  
Line 28: Line 36:
  
 
== OWASP projects that need your help ==
 
== OWASP projects that need your help ==
* [[Top 10 2007|OWASP Top 10 2007 RC1]] - Convert the Word (or PDF) file to WIKI pages on owasp.org (open to all since anybody can edit the owasp.org website).
+
* [[Top 10 2007|OWASP Top 10 2007 RC1]] - Convert the Word (or PDF) file to wiki pages on owasp.org (open to all since anybody can edit the owasp.org website).
 
* [[Top 10 2007|OWASP Top 10 2007 RC1]] - We are opening review of the Top 10 2007 until February 28, 2007. Please review the document and provide feedback to the [email protected] mail list. If you cannot make public submissions or feedback but still wish to make your voice heard, please mail vanderaj (at) owasp.org. '''Please note: This document is not to be used or referenced until after its release.'''
 
* [[Top 10 2007|OWASP Top 10 2007 RC1]] - We are opening review of the Top 10 2007 until February 28, 2007. Please review the document and provide feedback to the [email protected] mail list. If you cannot make public submissions or feedback but still wish to make your voice heard, please mail vanderaj (at) owasp.org. '''Please note: This document is not to be used or referenced until after its release.'''
 
* [[OWASP Testing Project v2.0 - Review Guidelines| OWASP Testing Project v2.0]] - Now that the The OWASP Testing Guide v2.0 has reached the 'Release Candidate 1 milestone, the time has come to make sure that everything is 100% and that there is nothing major missing (review process ends on the 10th of Feb).
 
* [[OWASP Testing Project v2.0 - Review Guidelines| OWASP Testing Project v2.0]] - Now that the The OWASP Testing Guide v2.0 has reached the 'Release Candidate 1 milestone, the time has come to make sure that everything is 100% and that there is nothing major missing (review process ends on the 10th of Feb).
 
* Online Questionaires: I (Dinis) want to do a OWASP wide survey, what solution should I use to create, deploy and manage it?
 
* Online Questionaires: I (Dinis) want to do a OWASP wide survey, what solution should I use to create, deploy and manage it?
* WordPress guru needed: Our blogs (http://blogs.owasp.org/) still looks miserable. We need somebody to help Mide de Libero to sort it out (and while you're there get a feed to put on owasp.org and the next version of the OWASP newsletter)
+
* WordPress guru needed: Our blogs (http://blogs.owasp.org/) still looks miserable. We need somebody to help Mike de Libero to sort it out (and while you're there get a feed to put on owasp.org and the next version of the OWASP newsletter)
* This is not from an OWASP project, but a request I received from an MBA Student who is doing a survey on Open Source (http://www.surveymonkey.com/s.asp?u=387523013251])
 
  
 
== Featured Project: WebGoat 5.0 RC1 ==
 
== Featured Project: WebGoat 5.0 RC1 ==
Line 55: Line 62:
 
== Featured Item: OWASP Documentation Projects ==
 
== Featured Item: OWASP Documentation Projects ==
  
I wrote this on an email the other day, and realized that it was a good list of our best documenation projects:  
+
I wrote this on an email the other day, and realized that it was a good list of our best documentation projects:  
  
 
* [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] "The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list"
 
* [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] "The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list"
Line 65: Line 72:
 
* [[:Category:OWASP Application Security Assessment Standards Project|OWASP Application Security Assessment Standards Project]] "Currently there is a lack of standardization over what constitutes an application security assessment. With no single set of criteria being referenced, it is suggested that OWASP establish a set of standards defining and establishing a baseline approach to conducting differing types/levels of application security assessment. The standards should be flexible in design to accommodate a range of security assurance levels. The standards should not be viewed as placing requirements on any party. Rather, the standards should make recommendations about what should be done to be consistent with what the OWASP community believes is best practice. Adhering to the standards should help increase end user organization confidence that assessments meet an industry agreed-upon approach.?"
 
* [[:Category:OWASP Application Security Assessment Standards Project|OWASP Application Security Assessment Standards Project]] "Currently there is a lack of standardization over what constitutes an application security assessment. With no single set of criteria being referenced, it is suggested that OWASP establish a set of standards defining and establishing a baseline approach to conducting differing types/levels of application security assessment. The standards should be flexible in design to accommodate a range of security assurance levels. The standards should not be viewed as placing requirements on any party. Rather, the standards should make recommendations about what should be done to be consistent with what the OWASP community believes is best practice. Adhering to the standards should help increase end user organization confidence that assessments meet an industry agreed-upon approach.?"
 
* [[:Category:OWASP Application Security Metrics Project|OWASP Application Security Metrics Project]] "This OWASP Project will first identify and provide the OWASP community a set of application security metrics that have been found by contributors to be effective in measuring application security. This will be followed by the development of new metrics that build on the initial metrics foundation to fulfill unmet metrics requirements. The goals of this Project are to make a baseline set of application security metrics available to the OWASP community and subsequently to provide a forum for the community to contribute metrics back into the baseline."
 
* [[:Category:OWASP Application Security Metrics Project|OWASP Application Security Metrics Project]] "This OWASP Project will first identify and provide the OWASP community a set of application security metrics that have been found by contributors to be effective in measuring application security. This will be followed by the development of new metrics that build on the initial metrics foundation to fulfill unmet metrics requirements. The goals of this Project are to make a baseline set of application security metrics available to the OWASP community and subsequently to provide a forum for the community to contribute metrics back into the baseline."
* [[:Category:OWASP WASS Project|OWASP WASS Guide]] "The WASS, or Web Application Security Standards project, aims at creating a proposed set of minimum requirements a web application must exhibit if it is to be considered "secure". There currently exists a similar set of standard requirements focused at the network level in the Cardholder Information"
 
  
 
== Latest additions to the WIKI ==  
 
== Latest additions to the WIKI ==  
Line 83: Line 89:
 
* [[.Net Research Links]] - Several new CLR links
 
* [[.Net Research Links]] - Several new CLR links
 
* [[Fuzzing]]
 
* [[Fuzzing]]
* [[Testing for SQL Injection]] , [[Testing: Information Gathering]] , [[Reviewing Code for SQL Injection]]
+
* [[Testing for SQL Injection (OWASP-DV-005)|Testing for SQL Injection]] , [[Testing: Information Gathering]] , [[Reviewing Code for SQL Injection]]
 
* minor edits or comments: [[Talk:JAAS Tomcat Login Module]] , [[Category:OWASP Orizon Project]] (added link to Orizon Blog) , [[OWASP Stinger 3 Ideas]]
 
* minor edits or comments: [[Talk:JAAS Tomcat Login Module]] , [[Category:OWASP Orizon Project]] (added link to Orizon Blog) , [[OWASP Stinger 3 Ideas]]
  
Line 92: Line 98:
 
** Jan 07:  
 
** Jan 07:  
 
*** [[:Image:OWASP BE 2007-01-23 OWASP Update.zip|OWASP BE 2007-01-23 OWASP Update.zip]] - OWASP Update including 2006 poll results  
 
*** [[:Image:OWASP BE 2007-01-23 OWASP Update.zip|OWASP BE 2007-01-23 OWASP Update.zip]] - OWASP Update including 2006 poll results  
 +
*** [[:Image:OWASP BE 2007-01-23 WebGoat-Pantera.zip|OWASP BE 2007-01-23 WebGoat-Pantera.zip]] - OWASP WebGoat and Pantera presentation
 
*** [[:Image:OWASP BE 2007-01-23 AOP security.zip|OWASP BE 2007-01-23 AOP security.zip]] - AOP Security presentation
 
*** [[:Image:OWASP BE 2007-01-23 AOP security.zip|OWASP BE 2007-01-23 AOP security.zip]] - AOP Security presentation
 
* From the [[Israel]] chapter
 
* From the [[Israel]] chapter
Line 151: Line 158:
 
* Jan 23 - [[Announce:Web Honeynet|Web Honeynet Project Announcement]] -  The newly formed Web Honeynet Project from SecuriTeam and the ISOTF will in the next few months announce research on real-world web server attacks which infect web servers with: Tools, connect-back shells, bots, downloaders, malware, etc. which are all cross-platform (for web servers) and currently exploited in the wild.
 
* Jan 23 - [[Announce:Web Honeynet|Web Honeynet Project Announcement]] -  The newly formed Web Honeynet Project from SecuriTeam and the ISOTF will in the next few months announce research on real-world web server attacks which infect web servers with: Tools, connect-back shells, bots, downloaders, malware, etc. which are all cross-platform (for web servers) and currently exploited in the wild.
  
== OWASP references in the Media ==
+
== OWASP References in the Media ==
  
This week we have two examples of non complience with [[OWASP brand usage rules]], namely the #''8. The OWASP Brand must not be used in any materials that could mislead readers by narrowly interpreting a broad application security category. For example, a vendor product that can find or protect against forced browsing must not claim that they address all of the access control category.''
+
This week we have two examples of non compliance with the [[OWASP brand usage rules]], namely the #''8. The OWASP Brand must not be used in any materials that could mislead readers by narrowly interpreting a broad application security category. For example, a vendor product that can find or protect against forced browsing must not claim that they address all of the access control category.''
  
 
* [http://www.embedded-computing.com/news/db/?5197 Java Source Code Analysis Available for Developers to Improve Software Security and Quality] - quote ''"Java Security Analysis Aligned with OWASP -- KDJ's vulnerability analysis provides excellent coverage of the vulnerabilities from the OWASP Top 10 list."''
 
* [http://www.embedded-computing.com/news/db/?5197 Java Source Code Analysis Available for Developers to Improve Software Security and Quality] - quote ''"Java Security Analysis Aligned with OWASP -- KDJ's vulnerability analysis provides excellent coverage of the vulnerabilities from the OWASP Top 10 list."''
 
* [http://www.marketwire.com/mw/release_html_b1?release_id=208677 Ounce Labs Simplifies Regulatory and Policy Compliance With New SmartAudit] - quote : ''"1. OWASP Top Ten: Identifies the existence and location in the source code of any of the Top 10 most critical web application security vulnerabilities, a list complied by the Open Web Application Security Project."''
 
* [http://www.marketwire.com/mw/release_html_b1?release_id=208677 Ounce Labs Simplifies Regulatory and Policy Compliance With New SmartAudit] - quote : ''"1. OWASP Top Ten: Identifies the existence and location in the source code of any of the Top 10 most critical web application security vulnerabilities, a list complied by the Open Web Application Security Project."''
  
The problem with these claims is that it is very hard to know what exactly do they mean. At least in KDJ's case they say ''"...excelent coverage..."'' versus Ounce Labs' ''"...any of the Top 10..."''.
+
The problem with these claims is that it is very hard to know what exactly do they mean. At least in KDJ's case they say ''"...excellent coverage..."'' versus Ounce Labs' ''"...any of the Top 10..."''.
  
 
One idea that is currently being debated is if OWASP brand usage rules should state that if a company makes claims such as the ones above in relation with the OWASP Top 10 (or other OWASP materials), they MUST include a reference to a publicly accessible page that ‘explains’ how well they ‘think’ each element of the Top 10 is covered.
 
One idea that is currently being debated is if OWASP brand usage rules should state that if a company makes claims such as the ones above in relation with the OWASP Top 10 (or other OWASP materials), they MUST include a reference to a publicly accessible page that ‘explains’ how well they ‘think’ each element of the Top 10 is covered.
 +
 +
__NOEDITSECTION__

Latest revision as of 22:40, 14 December 2008

Sent to owasp-all mailing list on 31st Jan 2007

OWASP Newsletter #4 (31-Jan-07)

Welcome to OWASP Newsletter #4

OWASP Top 10 2007 RC1
As mentioned last week, we finally got the new version RC1 (Release Candidate 1) of the OWASP Top 10 out for review, criticism and comment. We take all comments very seriously (see Sylvan von Stuppe), so please do spend the time to check this version and speak your mind.
WebGoat
See below for a feature on one of our longest and most famous projects, which has released WebGoat 5.0 RC1 containing a bunch of new lessons created via an OWASP Autumn of Code sponsorship.
OWASP Grants
Talking about the AoC (Autumn of Code), if all goes well we will close it officially next week, and will announce the SpoC. SpoC, as you must be guessing by now, is the OWASP Spring of Code (still with no connection with Google's Summer of Code) :)
Support for Non-Profits
As you can see on the updated pages section, we also made a small change in our membership criteria, where we changed the 'Educational Members' category to be 'Educational and Non-Profit Members'.
RSA Meetup
If you are going to the RSA conference next week, drop a line to Brian Bertacini from the San Jose OWASP Chapter for details on an OWASP get-together.

Recommended Reading

Don't forget, if you want something to appear in the next version, please add it to OWASP Newsletter 5.

Dinis Cruz

Chief OWASP Evangelist

London, UK

OWASP projects that need your help

  • OWASP Top 10 2007 RC1 - Convert the Word (or PDF) file to wiki pages on owasp.org (open to all since anybody can edit the owasp.org website).
  • OWASP Top 10 2007 RC1 - We are opening review of the Top 10 2007 until February 28, 2007. Please review the document and provide feedback to the [email protected] mail list. If you cannot make public submissions or feedback but still wish to make your voice heard, please mail vanderaj (at) owasp.org. Please note: This document is not to be used or referenced until after its release.
  • OWASP Testing Project v2.0 - Now that the OWASP Testing Guide v2.0 has reached the 'Release Candidate 1' milestone, the time has come to make sure that everything is 100% and that there is nothing major missing (review process ends on the 10th of Feb).
  • Online Questionnaires: I (Dinis) want to do an OWASP-wide survey; what solution should I use to create, deploy and manage it?
  • WordPress guru needed: Our blogs (http://blogs.owasp.org/) still look miserable. We need somebody to help Mike de Libero to sort it out (and while you're there, get a feed to put on owasp.org and the next version of the OWASP newsletter).

Featured Project: WebGoat 5.0 RC1

WebGoat Overview

WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

To get started, read the User and Install Guide


WebGoat 5.0 Release Candidate 1

Thursday January 17th, WebGoat 5.0 Release Candidate 1 was released. Special thanks to the many people who have sent comments and suggestions and those who have put in the effort to contribute their time to this release.

The 5.0 release would not have been possible without the efforts of Sherif Koussa and OWASP Autumn of Code 2006.

This version can be downloaded from OWASP's SourceForge repository: WebGoat 5.0 RC1

Please send all comments to webgoat AT g2-inc DOT com regarding this release candidate.

Featured Item: OWASP Documentation Projects

I wrote this on an email the other day, and realized that it was a good list of our best documentation projects:

  • OWASP Top Ten Project "The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list"
  • OWASP Guide Project "The Guide is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure web applications."
  • OWASP AppSec FAQ Project "This FAQ answers some of the questions that developers have about Web Application Security. This FAQ is not specific to a particular platform or language. It addresses the common threats to web applications and are applicable to any platform."
  • OWASP Testing Guide "This project's goal is to create a "best practices" penetration testing framework which users can implement in their own organizations and a "low level" penetration testing guide that describes how to find certain issues."
  • OWASP CLASP Project "CLASP (Comprehensive, Lightweight Application Security Process) provides a well-organized and structured approach for moving security concerns into the early stages of the software development lifecycle, whenever possible."
  • OWASP Honeycomb Project "In the Honeycomb project, OWASP is assembling the most comprehensive and integrated guide ever attempted to the fundamental building blocks of application security (principles, threats, attacks, vulnerabilities, and countermeasures) through collaborative community efforts."
  • OWASP Application Security Assessment Standards Project "Currently there is a lack of standardization over what constitutes an application security assessment. With no single set of criteria being referenced, it is suggested that OWASP establish a set of standards defining and establishing a baseline approach to conducting differing types/levels of application security assessment. The standards should be flexible in design to accommodate a range of security assurance levels. The standards should not be viewed as placing requirements on any party. Rather, the standards should make recommendations about what should be done to be consistent with what the OWASP community believes is best practice. Adhering to the standards should help increase end user organization confidence that assessments meet an industry agreed-upon approach.?"
  • OWASP Application Security Metrics Project "This OWASP Project will first identify and provide the OWASP community a set of application security metrics that have been found by contributors to be effective in measuring application security. This will be followed by the development of new metrics that build on the initial metrics foundation to fulfill unmet metrics requirements. The goals of this Project are to make a baseline set of application security metrics available to the OWASP community and subsequently to provide a forum for the community to contribute metrics back into the baseline."

Latest additions to the WIKI

New Pages

Updated pages

New Documents & Presentations from chapters

Latest Blog entries


OWASP Community

OWASP members receive a $100 Briefings discount by inserting BH7DCASSOC in the box marked “Coupon Codes”

Application Security News

  • Jan 23 - Web Honeynet Project Announcement - The newly formed Web Honeynet Project from SecuriTeam and the ISOTF will in the next few months announce research on real-world web server attacks which infect web servers with tools, connect-back shells, bots, downloaders, malware, etc., all of which are cross-platform (for web servers) and currently exploited in the wild.

OWASP References in the Media

This week we have two examples of non-compliance with the OWASP brand usage rules, namely rule #8: "The OWASP Brand must not be used in any materials that could mislead readers by narrowly interpreting a broad application security category. For example, a vendor product that can find or protect against forced browsing must not claim that they address all of the access control category."

The problem with these claims is that it is very hard to know what exactly they mean. At least in KDJ's case they say "...excellent coverage..." versus Ounce Labs' "...any of the Top 10...".

One idea that is currently being debated is whether the OWASP brand usage rules should state that if a company makes claims such as the ones above in relation to the OWASP Top 10 (or other OWASP materials), they MUST include a reference to a publicly accessible page that 'explains' how well they 'think' each element of the Top 10 is covered.