Difference between revisions of "OWASP Newsletter 3"

Revision as of 19:48, 22 January 2007

Using the same format as used in OWASP Newsletter 1 and OWASP Newsletter 2 this is the page that will be used for the next Newsletter

OWASP News

{....}

OWASP Projects that need your help

• [Java Project]: Convert Mark Petrovic's article Discovering a Java Application's Security Requirements into the WIKI (contact Stephen de Vries if you are interrested)
• [.Net Project]: Add PDP GnuCitizen AttackAPI to OWASP Site Generator and convert the php files into ASP.NET

Featured Projects:

OWASP Java Project

• How to perform HTML entity encoding in Java to prevent Cross Site Scripting attacks
• JAAS Tomcat Login Module - an example of how to implement a time delayed JAAS login module in Tomcat
• Securing Apache Tomcat - a guide for deployers on how to secure Apache Tomcat
• Hashing in Java - how to securely implement cryptographic hashing in Java

Latest additions to the WIKI

New Pages

• PDF Attack Filter for Apache mod rewrite - PDF Attack Filter for Apache mod rewrite, served by Apache with mod_rewrite installed.
• Struts XSLT Viewer
• Reviewing code for XSS issues
• OWASP WebScarab NG Project Technical Info, if you want to know what is happening under the hood of the new version of WebScarab
• with some content Portuguese (new chapter), All clients can be reverse engineered, monitored, and modified, Native Methods, Long long ago..., Java applet code review

Updated pages

• OWASP student projects - Updated with new ideas for projects
• How OWASP Works - Updated information on OWASP's board current structure and future plans
• Phoenix/Tools
• San_Francisco
• With Minor updates: Bytecode obfuscation, Chapters Assigned, Category:OWASP Top Ten Project

OWASP Community

• Feb 15 (18:00h) - Seattle chapter meeting
• Feb 13 (18:00h) - Ireland chapter meeting
• Feb 6 (18:00h) - Melbourne chapter meeting
• Jan 31 (15:00h) - Mumbai chapter meeting
• Jan 30 (11:30h) - Austin chapter meeting
• Jan 25 (18:00h) - San Francisco chapter meeting
• Jan 25 (14:30h) - Italy@ISACA Rome
• Jan 24 (17:30h) - 6th OWASP Israel chapter meeting
• Jan 23 (18:00h) - Belgium chapter meeting

Application Security News

• Web Application Security Professionals Survey (Jan. 2007) - Jeremiah Grossman just released his survey with lots of very interresting data. Make sure you check out section '11) Top 3 web application security resources' which is a nice database of the most popular vulnerability assessment tools and knowledge resources (#1 was RSnake's Blog, and #2 was OWASP :) )

• Don't take security advice from the devil you know! - He lies. Especially about security flaws. This article notes an increase in vulnerabilities found in open source packages and concludes that... "For the personal sites and the mom-and-pop stores that rely on the software, it certainly affects them," Martin said. "But larger companies likely aren't affected." Right.

• Hackers attack MoneyGram International server, breach personal info of 80,000 customers - A MoneyGram International server has been breached, allowing cybercrooks access to the personal information of nearly 80,000 people. Hackers accessed the server through the web sometime last month, the money-transfer company said in a statement released on Friday.

• Also worth a read: A Rude Awakening , Making Security Rewarding Discovering a Java Application's Security Requirements, Security Startups Make Debut, Source Code Specialist Fortify to Buy Secure Software , Ajax Sniffer - Prrof of concept, Decoding the Google Blacklist, Visual WebGui Announces The Dot.Net Answer To Google's GWT

OWASP references in the Media

• Lock it down: Use the OWASP Top Ten to secure your Web applications -- Part 1, Builder.com, Jan 19, 2007