This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Test2test

From OWASP
Revision as of 19:29, 17 December 2012 by Samantha Groves (talk | contribs)

Jump to: navigation, search


NEW-PROJECTS-BANNER.jpg

An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. OWASP currently has over 120 active projects, and new project proposal applications are submitted every week. This is one of the most popular divisions of OWASP as it gives members an opportunity to freely test theories and ideas with the professional advice and support of the OWASP community.


All OWASP tools, document, and code library projects are organized into the following categories:


  • PROTECT - These are tools and documents that can be used to guard against security-related design and implementation flaws.
  • DETECT - These are tools and documents that can be used to find security-related design and implementation flaws.
  • LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).


Every project has an associated mail list. You can view all the lists, examine their archives, and subscribe to any project by visiting the OWASP Project Mailing Lists page.

A summary of recent project announcements is available on the OWASP Updates page.


Who Should Start an OWASP Project:

  • Application Developers
  • Software Architects
  • Information Security Authors
  • Those who would like the support of a community to develop or test an idea
  • Anyone wishing to take advantage of the professional body of knowledge OWASP has to offer


Contact Us

If you have any questions, please do not hesitate to contact the
OWASP Project Manager, Samantha Groves.




                                                                                                                              Projects Front Page Graphic.jpg

Visit the OWASP Zed Attack Proxy Project Blog to find regular updates on the project's status!

@zaproxy (follow us on Twitter!) <twitter>262394051</twitter>


So you want to start a project...

Starting an OWASP Project is easy. You don't have to be an application security expert. You just have to have the drive and desire to make a contribution to the application security community.

Here are some of the guidelines for running a successful OWASP project:

  • The best OWASP projects are strategic - they make it easier to produce secure applications by filling a gap in the application security knowledge-base or technology support.
  • You can run a single person project, but it's usually best to get the community involved. You should be prepared to support a mailing list, build a team, speak at conferences, and promote your project.
  • You can contribute existing documents or tools to OWASP! Assuming you have the intellectual property rights to a work, you can open it to the world as an OWASP Project. Please coordinate this with OWASP by contacting owasp(at)owasp.org.
  • Available Grants to consider if you need funding - Click Here
  • You should promote your project through the OWASP channels as well as by outside means. Get people to blog about it!


Creating a new project

Here's the simple process for starting a new OWASP Project.

  • Get the following information together:

A - PROJECT

  1. Project Name,
  2. Project purpose / overview,
  3. Project Roadmap,
  4. Project links (if any) to external sites,
  5. Project License,
  6. Project Leader name,
  7. Project Leader email address,
  8. Project Leader wiki account - the username (you'll need this to edit the wiki),
  9. Project Contributor(s) (if any) - name email and wiki account (if any),
  10. Project Main Links (if any).


OWASP Recommended Licenses

Why are you recommending these licenses?
Which other open source licenses are eligible for an OWASP project?

Choosing a license under which an artifact is distributed and enforcing the license are prerogatives of the copyright holders over that artifact. By default, each contributor is copyright holder over the contributed piece. Contributors must all agree on the license and cooperate in enforcing it or must assign their copyright to the entity which becomes responsible for choosing and enforcing the license.

OWASP is a collaborative initiative for the public good and most of its output is expected to be functional, rather than aesthetic. The problem OWASP tackles is so large that OWASP acknowledges a need to collaborate with the commercial world. Therefore, in order to become an OWASP Sponsored Project, you should be comfortable with:

  • Allowing arbitrary uses for your work, for example for commercial purposes. (If you disagree, consider using CC-BY-NC.)
  • Revealing to the world your project's source code (its form preferred for modification).
  • Allowing your work, under certain conditions (see below), to be modified by others and redistributed. (If you disagree, consider using CC-BY-ND.)
How to choose a license for artifcts of your OWASP project
Artifact Under what conditions can your work be modified and redistributed?
As long as modifications are licensed in the same spirit If credit is appropriately given to you Under any circumstances
Standalone Tool Run locally
GPL (newest version as of 2016 is 3.0)

The "General Public License" protects users' four essential freedoms, among other things by requiring someone who distributes software derived from yours to also publish the source code for the modifications. Anyone can charge money for distributing copies of the software, but cannot prevent its recipients from redistributing it for free. The GPL allows the copyright holders to distribute the software under additional licenses, too, which can be a way to make it proprietary-friendly.
Apache License (newest version as of 2016 is 2.0)

Has the fewest restrictions, even allowing proprietary modifications and proprietary forks of your project, and is more up-to-date than the BSD license.
CC0 (newest version as of 2016 is 1.0)

The "Public Domain Dedication" means that anybody can copy, modify, distribute and perform the work, even for commercial purposes, all without asking permission.
Consumed over the network
AGPL (newest version as of 2016 is 3.0)

The "Affero General Public License" extends the GPL to SaaS: users of the modified software must be able to obtain the source code of the modifications.
Library
GPL or LGPL (newest version as of 2016 is 3.0)

The "Lesser General Public License" relaxes the GPL for libraries: if the library is not modified, just integrated (function calls, global variables,...), with other software, it does not require the source code of the other software to be published. The Free Software Foundation recommends the LGPL only for libraries which have established competitors for the same functionality, otherwise they recommend the full GPL.
Document (includes E-Learning, presentations, books etc.)
CC-BY-SA (newest version as of 2016 is 4.0)

The "Creative Commons Attribution-ShareAlike" is like the GPL, but for documents.
CC-BY (newest version as of 2016 is 4.0)

The "Creative Commons Attribution" is like the Apache License, but for documents.


Project Release

  • As your project reaches a point that you'd like OWASP to assist in its promotion, the OWASP Global Projects Committee will need the following to help spread the word about your project:
  1. Conference style presentation that describes the tool/document in at least 3 slides,
  2. Project Flyer/Pamphlet (PDF file),


  • If possible, get also the following information together:

B – FIRST RELEASE

  1. Release Name,
  2. Release Description,
  3. Release Downloadable file link
  4. Release Leader,
  5. Release Contributor(s),
  6. Release Reviewer,
  7. Release Sponsor(s) (if any),
  8. Release Notes
  9. Release Main Links (if any),


  • Note: For Project/Release Leader, Contributors and Reviewers please create a wiki accounts and please send the links off. See Tutorial and here how to do it and here an example of how it will be used.


  • To get your project started, fill out the new project form. We'll review the information and get you set up with a project wiki page, a mailing list, and subscribe you to the OWASP-Leaders list. You'll be part of setting OWASP's direction!



Project Processes

These forms were created to help project leaders, and those interested in a going through a process in the OWASP projects infrastrucutre. They faciliate the management of each query based on the specific task an applicant will need help with. The forms are described below, and they are linked with their designated online application form.

  • Project Transition Application:The OWASP project transition form gives current project leaders an easy way of handing over project administration information to individuals wishing to take over a project.
  • Project Review Application:This form is for current project leaders to request a review of their project based on OWASP graduation criteria. The aim is to designate an OWASP volunteer to review these projects within 3 months time.
  • Project Donation Application:This form is for projects outside of the OWASP project infrastructure. Project Leaders for these open source projects can choose to partner or give their project to OWASP directly through this form.
  • Project Abandonment Request:The OWASP project abandonment form gives current project leaders an easy way of letting the OWASP Foundation know that they wish to resign their project leader duties. This form should be used when no replacement project leader exists to take over these duties.


Questions?

If you have any questions, please do not hesitate to contact the
OWASP Project Manager, Samantha Groves.


Call for Papers

Submit your Talk Proposal here: Call for Papers Submission Form


Please carefully fill out the CFP form to submit your talk for consideration at OWASP AppSec Latam 2012 in Montevideo, Uruguay.

The talks will be held November 20th and 21st, 2012 at the ANTEL National Telco Company located in downtown Montevideo (training is November 18th and 19th). Talks will be 50 minutes each. We will post your Display Name, Biography, Talk Title, and Talk Abstract to the appseclatam.org site if your talk is selected. If you provide a URL or Twitter handle, we will post that if your talk is selected, too.


The deadline for this Call for Papers is August 31, 2011. If your talk is selected, we will contact you to confirm, and we will expect that your slides and other material will be sent to us no later than November 16, 2011 for our peer review. We peer review slides and other material for inclusion on the conference website (post-conference) and to verify general conformance to OWASP conference presentation guidelines.


If you would like to submit multiple presentations, please make multiple separate form submissions.


Speakers will receive free admission (nontransferable) to the conference in return for delivering a 50 minute talk.


Speaker Agreement

By submitting your proposal for a talk/paper through our CFP, you are consenting to stay within the guidelines of the speaker agreement: https://www.owasp.org/index.php/Speaker_Agreement


Questions?

Please contact us at [email protected] with any questions!


Active Projects

Flagship Projects

The OWASP Flagship designation is given to projects that have demonstrated superior maturity, established quality, and strategic value to OWASP and application security as a whole. OWASP Flagship projects represent projects that are not only mature, but are also projects that OWASP as an organization provides direct support to maintaining.


Code


Tools


Documentation


Lab Projects

OWASP Labs projects represent projects that have produced a deliverable of value. While these projects are typically not production ready, the OWASP community expects that an OWASP Labs project leader is producing releases that are at least ready for mainstream usage.


Tools


Documentation


Incubator Projects

OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway. The “OWASP Incubator” label allows OWASP consumers to readily identify a project’s maturity. The label also allows project leaders to leverage the OWASP name while their project is still maturing.


Code


Tools


Documentation


Education


Inactive Projects

Archived Projects

OWASP Archived Projects are inactive Labs projects. If you are interested in pursuing any of the projects below, please contact us and let us know of your interest.


Graveyard Projects

OWASP Graveyard Projects are inactive Incubator projects. They have no releases, and they have had no activity in the last year. If you are interested in pursuing any of the projects below, please contact us and let us know of your interest.


Merged Projects


Philosophy

OWASP stands for informed security decisions based on a solid, comprehensive understanding of the business risk associated with an application. OWASP's philosophy is that achieving security involves all parts of an organization, including people, process, and technology. We support the use of our brand consistent with this philosophy. However, we cannot allow the use of our brand when it implies something inconsistent with OWASP's comprehensive and balanced approach to application security. Therefore, we have defined these brand usage rules to clarify appropriate and inappropriate uses of the OWASP brand, including our name, domain, logos, project names, and other trademarks.


Rules

The following rules make reference to the OWASP Materials, meaning any tools, documentation, or other content from OWASP. The rules also make reference to "OWASP Published Standards" which are currently in the process of being developed and released. Currently there are no OWASP Published Standards.

  1. The OWASP Brand may be used to direct people to the OWASP website for information about application security.
  2. The OWASP Brand may be used in commentary about the materials found on the OWASP website.
  3. The OWASP Brand may be used by OWASP Members in good standing to promote a person or company's involvement in OWASP.
  4. The OWASP Brand may be used in association with an application security assessment only if a complete and detailed methodology, sufficient to reproduce the results, is disclosed.
  5. The OWASP Brand must not be used in a manner that suggests that The OWASP Foundation supports, advocates, or recommends any particular product or technology.
  6. The OWASP Brand must not be used in a manner that suggests that a product or technology is compliant with any OWASP Materials other than an OWASP Published Standard.
  7. The OWASP Brand must not be used in a manner that suggests that a product or technology can enable compliance with any OWASP Materials other than an OWASP Published Standard.
  8. The OWASP Brand must not be used in any materials that could mislead readers by narrowly interpreting a broad application security category. For example, a vendor product that can find or protect against forced browsing must not claim that they address all of the access control category.
  9. The OWASP Brand may be used by special arrangement with The OWASP Foundation.


Resources

Download our OWASP Image Toolbox. This includes all of OWASP's branding images.


Logos

Owasp_logo_122106.png - Owasp_member_trans.gif

Download our OWASP Image Toolbox. This includes all of OWASP's branding images.


Business Card Templates

OWASP Business Card Template Front: https://www.owasp.org/index.php/File:OWASPBusinessCardTemplateFront.psd

OWASP Business Card Template Back: https://www.owasp.org/index.php/File:OWASPBusinessCardTemplateBack.psd


Ads/Flyers

2012 Print Ad

https://www.owasp.org/images/4/49/OWASP_Brochure_-_Global.pdf

2012 Print Ad "One Byte at a Time"

Powerpoint Version: https://www.owasp.org/images/2/24/OWASP-AD-V3-FINAL.ppt

Standard .PDF - https://www.owasp.org/images/a/ac/OWASP-AD-V3-FINAL.pdf

A4 Print ready - https://www.owasp.org/images/2/2d/OWASP-AD-V3-FINAL-A4.pdf

A4-2 Print ready - https://www.owasp.org/images/1/1f/OWASP-AD-V3-FINAL-A42.pdf


Banners

Pictures of the banners and links to the dropbox files also appear here

Cog wheel banner

Honeycomb banner


Presentation

Slides presented at Global AppSec Conferences by the Global Board to provide a high level overview of OWASP and to highlight some of the key initiatives at a Global level. This can be presented in its current form at OWASP Chapter meetings to enable a clarification of the mission and purpose of the local chapter. This can also be used or sent to the press/media when looking for a "overview of owasp"

2012 Where we are, Where we are going..

2011 Where we are, Where we are going..


Questions

If you have any questions or concerns, please contact the OWASP Project Manager, Samantha Groves


Conference Fees

Access to conference:

  • Before Sept 30th: 3200.00 UYU (approx. 150.00 USD)
  • Before Oct 31st: 4250.00 UYU (approx. 200.00 USD)
  • After Nov 1st: 5300.00 UYU (approx. 250.00 USD)


Trainings

  • One day: 8500.00 UYU (approx. 400.00 USD)
  • Two days: 17000.00 UYU (approx. 800.00 USD)


Discounts

  • OWASP Member: 50.00 USD (Note: This discount is equal to the cost of becoming an OWASP paid Member.)
  • Student: 1600.00 UYU (approx. 75.00 USD). Note: student ID or other proof of current student status is required.
  • Special discounts available for groups registrations. Please send inquiries to [email protected].


Online Registration

Registration is not yet available for this event. Check back the beginning of September for registration details.

OWASP Projects, a global division of the OWASP Foundation, is run under the same world wide not-for-profit charitable status as all the foundation strategic groups. OWASP provides a platform for contributors to share their work while providing them with the project and community support they need throughout their project development. All OWASP Projects are run by volunteers and they rely on personal donations and sponsorship to continue their development. Donate to OWASP Projects, and we promise to spend your money wisely on open source initiatives.

This is how your money can help:

  • $20 could help us spread the word on the importance of open source initiatives in the Application Security industry.
  • $100 could help fund OWASP project demos at major conferences.
  • $250 could help get our volunteer Project Leaders to speaking engagements.


Donate Button.jpg


OWASP Project Sponsors

Americas

  • Name, Link and Logo with sort description of what they donated.

Africa

  • Name, Link and Logo with sort description of what they donated.

Asia

  • Name, Link and Logo with sort description of what they donated.

Europe

  • Name, Link and Logo with sort description of what they donated.

Middle East

  • Name, Link and Logo with sort description of what they donated.

Announcements

Open Source Showcase & Open Source Project Track Opportunities

The AppSec APAC conference organizers, in conjunction with the Global Projects Division, is pleased to announce a Call for Entries for the 2013 APAC Open Source Showcase (OSS), and the OWASP Projects Track (OPT).

We are offering a limited number of FREE booth spaces and speaking opportunities to open source projects this year, as well as FREE conference admission for the representatives of the chosen projects. We would like to invite ALL open source projects to apply.


About the AppSec APAC 2013 Open Source Showcase The APAC 2013 OSS is not just for OWASP projects. All open source projects are encouraged to apply for an opportunity to showcase, demo, and/or promote their project. Showcase participants will be responsible for manning their booth during their allocated presentation time. For an opportunity to showcase your open source project at AppSec APAC 2013, please submit your application using the OSS APAC 2013 Application.


About the AppSec APAC 2013 Open Source Projects Track The APAC 2013 OPT forum differs from OSS in that only OWASP Projects can apply to participate. This is a great opportunity for OWASP Project Leaders to showcase their project as an official conference presenter. Please note that successful OPT applicants are responsible for developing and presenting in their designated timeslot at the conference.

For an opportunity to present your open source project through the OSPT at AppSec APAC 2013, please submit your application using the OSPT APAC 2013 Application.


Sponsorship Opportunities OWASP Project Leaders have the option of requesting financial assistance from the Foundation to cover travel and hotel expenses ONLY. This funding is only available to projects that have been selected to participate in the OSS and OPT at AppSec APAC 2013. Preference will be given to OWASP Project Leaders that are applying to present at the confernce that is closest to their region. Additionally, preference will be given to OWASP Project Leaders that have not presented or participated in either the OSS or OPT forums.


Date and Times

APPLICATION DEADLINES

OSS & OPT Applications are due: December 28, 2012


CONFERENCE DATE

February 19-22, 2013


OSS and OPT DATE & TIME

All OPT Talks and OSS presentations will be held between February 21-22, 2013.


LOCATION

Hyatt Regency Jeju
114,Jongmoongwangwang-ro 72 beon-gil,Seogwipo-si,
Jeju Special Self-Governing Province
South Korea
Phone: +82 64 733 1234


Press Releases

  • Press Release 1

Contact Us

If you need any help with anything projects related, or if you simply need some more information, please do not hesitate to contact the OWASP Project Manager, Samantha Groves.

Samantha Groves: OWASP Project Manager
Sam2.jpg Samantha Groves is the Project Manager at OWASP. Samantha has led many projects in her career, some of which include website development, brand development, sustainability and socio-behavioural research projects, competitor analysis, event organisation and management, volunteer engagement projects, staff recruitment and training, and marketing department organisation and strategy implementation projects for a variety of commercial and not-for-profit organisations. She is eager to begin her work at OWASP and help the organisation reach its project completion goals.

Samantha earned her MBA in International Management with a concentration in sustainability from Royal Holloway, University of London. She earned her Bachelor's degree majoring in Multimedia from The University of Advancing Technology in Mesa, Arizona, and she earned her Associate's degree from Scottsdale Community College in Scottsdale, Arizona. Additionally, Samantha recently attained her Prince2 (Foundation) project management certification.


GPC Meeting Reports

Board Meeting Reports


Project Manger's Quarterly Strategic Objectives

Goals and Objectives: 2012 Q4

  • Identify and initiate 3 grant opportunities.
  • Complete metadata for Salesforce import related to projects.
  • Finalise and launch the Project database communication tool and webpage
  • Complete the project lifecycle redesign
    • Sort out levels and stages for projects.
    • Determine and define landmarks for project advancement.
    • Document release stages and reviewer participation.
  • Update Project handbook
    • Document process for project donation.
    • Define and develop process for project advancement.
    • Define and develop process for funding requests.


Yearly Projects Budget

  • OWASP Projects Division Budget: 2013


Contact the Project Manager

If you need any help with anything projects related, or if you simply need some more information, please do not hesitate to contact the OWASP Project Manager, Samantha Groves.


Jason Li
Jason.jpg Jason has led security architecture reviews, application security code reviews, penetration tests and provided web application security training services for a variety of commercial, financial, and government customers. He is also actively involved in the Open Web Application Security Project (OWASP), serving on the OWASP Global Projects Committee and as a co-author of the OWASP AntiSamy Project (Java version). Jason earned his Post-Master's degree in Computer Science with a concentration in Information Assurance from Johns Hopkins University. He earned his Master's degree in Computer Science from Cornell University, where he also earned his Bachelor's degree, double majoring in Computer Science and Operations Research.

Past conference presentations include:


Justin Searle
Justin.jpg Justin is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing. Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628 and currently plays key roles in the Advanced Security Acceleration Project for the Smart Grid (ASAP-SG), National Electric Sector Cybersecurity Organization Resources (NESCOR), and Smart Grid Interoperability Panel (SGIP). Justin has taught courses in hacking techniques, forensics, networking, and intrusion detection for multiple universities, corporations, and security conferences, and is currently an instructor for the SANS Institute. In addition to electric power industry conferences, Justin frequently presents at top security conferences such as Black Hat, DEFCON, OWASP, and AusCERT. Justin co-leads prominent open source projects including the Samurai Web Testing Framework, Middler, Yokoso!, and Laudanum. Justin has an MBA in International Technology and is a CISSP and SANS GIAC certified Incident Handler (GCIH), Intrusion Analyst (GCIA), and Web Application Penetration Tester (GWAPT).


Keith Turpin
Keith.jpg Over the years Keith has held a number of positions at The Boeing Company including: Application Security Assessments team leader, Team Leader for IT Security International Operations, Team Leader for Information and Supply Chain Security Assessments, engineering systems integrator, software developer and senior manufacturing engineer on the 747 airplane program.

He represented Boeing on the International Committee for Information Technology Standard's cyber security technical committee and served as a U.S. delegate to the ISO/IEC sub-committee on cyber security.

He is a member of the (ISC)2 Application Security Advisory Board, and the Director of the HPPV Northwest regional engineering competition.

You can see his OWASP project on secure coding practices here: http://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

The presentation on his OWASP project at AppSec USA 2010 can be found here: http://vimeo.com/17018329

You can see the video of his AppSec USA 2009 presentation on Building Security Assessment Teams here: http://vimeo.com/8989378


Nishi Kumar
Nishi.jpg Nishi Kumar IT Architect Specialist, FIS

Nishi Kumar is an Architect with 20 years of broad industry experience. She is part of OWASP Global Industry Committee and project lead for OWASP CBT (Computer based training) project. She is a committed contributor of OWASP. She has spearheaded Secure Code Initiative program in FIS Electronics Payment division. As part of that program, she has delivered OWASP based training to management and development teams to various groups in FIS. She has been involved with PA-DSS certification of several applications in FIS. Since joining FIS in 2004 she has worked as an architect and team lead for several financial payment and fraud applications. She has hands-on accomplishments in design, development and deployment of complex software systems on a variety of platforms. Prior to joining FIS Nishi Kumar has worked for Pavilion, HNC, Fair Isaac, Trajecta, Nationwide Insurance and Data Junction as Senior Software Engineer, Architect and in Project Management roles. Nishi can be reached at: nishi787(at)hotmail.com


Brad Causey
Brad.jpg Brad Causey is a Web Application Security, Forensics, and Phishing specialist working in the financial sector. He frequently contributes to various open source projects, and participates in training and lectures at various educational facilities.

Brad Causey is also an OWASP GPC member, the President of the OWASP AL Chapter, and the President of the AL IISFA Chapter.


Chris Schmidt
Chris.jpg Chris is currently the Project Leader for the OWASP ESAPI Projects and also serves on the OWASP Global Projects Committee. He has been involved with OWASP for 4 years and has spoken at many OWASP events about the benefits of the Enterprise Security API as well as participated in Leadership discussions amongst the organization.

During the day, Chris is an Application Security Engineer and Senior Software Engineer for Aspect Security where he has been since fall 2010. Prior to joining the team at Aspect Security he spent 5 years as 'Black Ops Beef' for ServiceMagic Inc with the official title of Software Engineer. Before getting involved in software professionally, Chris worked in hardware as a Senior Field Service Engineer providing hardware and software support for PC’s, Servers, Midrange Systems and Peripherals for 9 years.

In addition to his professional career he is also a musician with several ongoing projects and enjoys cold beer and long walks in the park.

Links:



OWASP Representation


Global Project Committee Members


If you need any help with anything projects related, or if you simply need some more information, please do not hesitate to contact the OWASP Project Manager, Samantha Groves.


Retrieved from "https://wiki.owasp.org/index.php?title=Test2test&oldid=141244"