Thursday, October 19, 2017

Board Election Open With Clean Slate - Please Vote



Dear OWASP Community,

The NEW 2017 OWASP Board of Directors election has been opened. In order to ensure fair results, the previous vote tallies have been zeroed out for this totally NEW ELECTION. Whether or not you already voted, please take a few moments to cast your vote and help decide the future direction of OWASP!


If you are a member in good standing with voting privileges, you should receive an invitation to vote in the election by the end of the day today, 10/19/2017.  If you do not receive an email, but believe you should have, or have any other issues related to the election, please email election2017@owasp.org.


Behind the scenes, the past two days have been spent scrambling to ensure that the election is set up properly and doing a second review of the setup before re-opening.


Even as the election opens, OWASP Staff are working tirelessly to make sure that anyone who should be able to vote can. Unfortunately, this continues to be a highly manual process.
The anticipated process and timeline is outlined below.
  • 10/19 - open election
  • 10/23 - send renewal email to members that expired who should be able to renew & vote
  • 10/30 - close renewals related to voting (renew before 10/30 to vote in the election)
  • 11/9 - close voting
  • 11/13 - notify candidates
  • 11/14 - share the results with the community

It is critically important that the community participate in this election, in which we will be choosing four new board members.

I apologize again for the inconvenience caused through this process. Thank you for your support and patience as we worked through these issues. As always, feel free to contact me or other leaders directly in addition to the address above if you have further questions or concerns.


Thank you,

Matt Konda
OWASP Board Chair

Tuesday, October 17, 2017

Halting OWASP Board Election

Dear OWASP Community,

The OWASP Global Board has become aware of an issue that affects the integrity of our ongoing Board of Directors election.

It is with respect for the integrity of our election process, due sensitivity to the impact it will cause and fairness to all our candidates and voting members, that we have decided to halt the current election and restart it with a clean slate once the issue has been corrected.  We do not take this action lightly, but as a unified Board feel we have a duty to do so. We are committed to free, fair, transparent and open elections.

There are two irregularities that need to be addressed to ensure that we have fair results:

  1. A candidate was left off of the ballot.
  2. Some community members whose membership expired between June and October had one of two issues:
    1. Their memberships did not auto-renew.
    2. They did not receive proper reminders that their membership was expiring and that they needed to renew.

For #1:  As far as we can tell, this was a clerical oversight on the part of an internal staff member, and nothing more suspicious.  We are walking through the process to put appropriate checks and balances in place so that this doesn’t happen again when we restart the election or in future elections.

For #2:  We recently moved to a new AMS (Association Management System) and there were cases that were not tested well enough.  We believe the glitch we encountered has been fixed but we need time to bring those members that were impacted back into the system so that we can restart the election with the proper voting membership.  Once we have a timeline for the updated election process, we will communicate that.

The Board generally keeps an arm's length from the election process to ensure that we do not influence it.  In this case, I wanted to take responsibility, communicate clearly about what had happened and how it is going to be addressed.  I apologize on behalf of the Board and staff for the mistakes that caused this.

I hope that you will participate to make the election a success as soon as we can restart it.  The process to restart it will be as follows:
  1. Ensure that all candidates are properly listed.
  2. Re-open the election with a clean slate and reasonable time window to allow voting.
  3. Cross check the voter registration lists with the member lists and identify gaps.
    1. Address the gaps to ensure members can vote.
  4. Determine appropriate communication to folks that have already voted - then send that.

Our primary goals are to make sure that the election is fair, that candidates are represented properly and that members get to vote. Please feel free to reach out to any board members, compliance committee members, staff or other leaders if you have concerns.

Again, I sincerely apologize for the inconvenience, mistakes and confusion around this.

We will continue to update this page as the timeline and other details become clear.

Thank you for your support.
Matt Konda

Chair - OWASP Board of Directors

Tuesday, September 19, 2017

OWASP Operations Update for September 2017

Welcome to the operations update for September 2017, the ongoing series of updates on what's happening at the OWASP Foundation.  Last month's post is available here.

We're in the middle of AppSec USA 2017, so this update will likely be a bit shorter than usual.

OWASP IT Infrastructure Hosting - Modernizing and migrating the OWASP infrastructure

  • Remaining hosts at Rackspace:  OWASP Wiki, Mailman server, Virtual-host server which provides redirects and static content
    • These are on hold until staff is back to full strength
  • For the current status details, see the June 2017 update.
The Website Reboot - aka TWR - a major effort to update and modernize OWASP's web presence
  • Phase 1 is complete
    • Note: Due to the staff availability, the wiki is running the legacy LTS release not the latest stable so Phase 1 will need to be repeated in future when this comes off hold.
  • Phase 2, 3 and 4 are in process
  • These are on hold until staff is back to full strength
  • For the current status details, see the June 2017 update.
The OWASP Communication Plan 
  • Discourse as a replacement for Mailman
    • On a significantly reduced roll-out plan until staff is back to full strength.
    • The roll out plan is here.
  • Beta program for the Foundation's Global Meetup account continues
OWASP World Tour 
  • Call for Trainers completed
    • Trainers selected for Tokyo, acceptance emails sent
    • Reviews ongoing for Boston & Tel Aviv
  • Tokyo - September 13 - Training will be broadcast to multiple locations within Japan
  • Boston - October 9 - Reviewers in place, flyers and local marketing in progress
  • Tel Aviv - October 17 - Reviews in place, training will be the day before a free AppSec conference
Projects 
  • Project Summit & Project Reviews at AppSec USA 2017
    • 8 OWASP Projects Participating
    • 2 OWASP Project Reviews Scheduled
    • 10-20 Deep Dive on Labs/Incubator Health Checks
    • Hot Topics at this event
      • New reimbursement form and process
      • Discourse
      • Kickstarter Pilot Program
  • OWASP Code Sprint 2017 - Final evaluations due by September 14th
    • Blog post of Final Results will be posted by September 22nd
    • Raffle of AppSec Ticket with funding initiative will be done on September 25th
    • 14 students originally participated
    • 8 OWASP Projects
    • 2 students may not have met expectations; will confirm on September 15th
Events 
  • AppSec USA 2017
    • Registration (09/13/2017): 668 attendees
    • Open Sponsorships: 1 Diamond, 3 Silver, 24 a la carte
    • Accommodations room block: Sold out
    • Volunteer slots still need to be filled as of 09/13/2017
  • AppSec EU 2018
    • CFP & CFT will open during AppSec USA 2017
    • Registration is not open yet - delayed due to researching VAT requirements for Israel
    • Website is up and being updated
    • Working on the sponsorship document
  • AppSec USA 2018
    • Nobody submitted a proposal before the deadline (end of February)
    • Still waiting for the Board to decide whether AppSec USA will have a fixed location alternating between East/West coast every other year
  • OWASP Summit 2018
    • Waiting on the board to decide on the event, its funding and staff involvement.
  • Many regional events - details here.
Membership 
  • Individual Membership
    • 2309 Individual Members / $69,335 (63% of yearly goal)
  • Corporate Membership
    • 48 Corporate Members / $193,500 (48% of yearly goal)
  • 2017 WASPY Awards 
    • Awards ordered and received
    • Awards presenters confirmed
    • Coordinated attendance of winners
    • Ceremony slides created and shared with presenters
    • Preparing for award ceremony at AppSec USA 2017
  • 2017 Global Board of Directors Elections
    • Group interviews scheduled, conducted, and completed
    • Recordings to be posted to the wiki on Monday, September 18
  • AppSec USA 2017 Expo Sponsorships
    • 9 Platinum sold (1 remaining)
    • 12 Gold sold (sold out)
    • 18 Silver sold (3 remaining)
  • Developer Summit at AppSec USA 2017
    • 3 trainers confirmed
    • 48 individuals signed up (as of 09/14/2017)
  • Members Lounge @ AppSec USA 2017
    • Merchandise ordered
    • Furniture rented
    • Food/Beverages ordered
    • Coordinated room setup with venue
As always, the OWASP Staff are here to make the OWASP community even stronger.  If you have a question, concern or need something, please let us know using the 'Contact Us' form.  Also, feel free to attend, suggest or otherwise engage with the OWASP Foundation further at the September 19th Board Meeting.

Your friendly remaining neighborhood OWASP staff:
    Kelly, Laura, Claudia, Tiffany, Dawn and Matt

Tuesday, August 29, 2017

Connector August 2017

OWASP Connector

Mon, August 28, 2017
Communications

Operations Update

The August Operations Update includes vital information about OWASP's infrastructure initiatives, project activity, and Chapters. Read it for an overview of what is happening in OWASP.


Improved Reimbursements System on Horizon for OWASP

OWASP’s growth over the past decade has been phenomenal! We have grown from an idea to over 40,000 participating members, 2,000 paid or honorary members, and a staff of 6. As an organization we have prioritized support for volunteer-led priorities and experimentation in our dynamic community. This means that staff has created a lattice of support procedures for small, experimental activities that rapidly became a mainstay of OWASP. As our needs or size changed, these procedures either remained the same or underwent repeated limited revision.

Some of these processes were perfect for OWASP 5 or even 2 years ago, but now need to be made more robust to support their exponentially larger loads. During 2017 and 2018 the staff will be focusing on improving these basic processes to increase speed, transparency and ease for our volunteers.

One example of this is the OWASP reimbursement system. Currently all reimbursements go through tata forms into a black hole until paid. The only way for a submitter to check on the progress of their reimbursement is by repeatedly emailing a staff member. Furthermore, in many cases that staff member must repeatedly email accounting to get an update as well. Worse, previous workflows were not identical across all OWASP activities. All of this led to confusion and inefficiency.

The OWASP Staff has created a new reimbursement system that will utilize Jira to make sure that all reimbursements go through the appropriate workflow and that the submitter can see where their reimbursement is in the process at any time. All reimbursement communications will be in the same place to facilitate swift repayment. This reimbursement system will be launched in the coming month and there are no changes to the current funding rules. You can read more about how it will work complete with examples on the OWASP Wiki.


2017 Global Board of Directors Election

The OWASP Board of Directors are seven hardworking volunteers elected to direct the financial and outreach goals of the organization. As a group the board members self organize into positions and guide the organization by defining our strategic goals. You can follow the election on the Board of Directors Election wiki page.

This year we have seven candidates running for the four open board positions. You can click on their names to read their bios and statements of purpose:

  • Greg Anderson
  • Bil Corry
  • Arthur Hicken
  • Steve Kosten
  • Sherif Mansour
  • Owen Pendlebury
  • Milton Smith
  • Chenxi Wang

Additionally, during this time we request that our members submit questions to be asked of our candidates for the board during an interview that will be recorded and shared prior to the election. The following are the winning questions from our community.

1. How do you make sure that the board's decisions won't be influenced by any personal favors or corruption?

2. OWASP does not have a great reputation internationally due to what most people call "Politics". How do you intend to solve the "Politics" problem?

3. How do you intend to address bullying within OWASP? If someone is a repeat offender, will you enforce rules to expel or suspend offending parties?

4. How do you intend to empower the Compliance Committee? Currently all it has the power to do is mediate or make suggestions; it needs more than that.

5. What accomplishments related to OWASP Foundation's mission have you demonstrated in the last (5) years?

6. What kind of action plan do you have in mind to help motivate the participation of Developers into OWASP community?

7. What is your strategy to keep chapters active and motivated with OWASP and keep having meetings and organize local events?

Don’t forget that you must be a member by September 30th to vote for the OWASP Board of Directors. Get your Membership Today!


OWASP Volunteer Platform

We are ready to begin the design stage for building the OWASP Volunteer Platform and we need your help! The first step of the design phase is a set of surveys. OWASP Leaders will receive a survey to explore your needs as volunteer managers via email. The survey will be active until September 22, 2017. The wider OWASP community will be encouraged to follow a link to the Volunteer Portal Survey for Community Members which explores the needs of prospective volunteers in a volunteer management platform. You do not need to be a paid member of OWASP to take the survey. If you are both a Leader who manages volunteers and a volunteer elsewhere in OWASP you are encouraged to take both surveys.

Your input is invaluable and we thank you for your time.

https://www.surveymonkey.com/r/OWASP-VolunteerSurvey-Communitymemeber

(estimated time to take: 4 min.)


OWASP in the News



Projects

OWASP Top 10 2017 Project Update

The OWASP Top 10 is the most heavily referenced, most heavily used, and most heavily downloaded document at OWASP. Therefore, it rightfully has a greater level of scrutiny and a greater level of review as befitting a Flagship project.

Under new leadership, the project has issued a second call for data and a survey, which will end on September 18th. You can read more about it in the Top 10 blog post on the OWASP Blog.


OWASP Project Reviews @ APPSEC USA 2017

Once more OWASP is reviewing projects that wish to graduate from Incubator to Lab to Flagship at this workshop. We are also performing some more detailed health checks. The purpose of these assessments is to determine whether a project meets the minimum criteria to graduate as outlined in the Project Health Assessment Criteria Document. The review process begins with an initial self-assessment done by the project leader and reviewed by Matt Tesauro. Next, the assessment enters the peer review phase, where we ask volunteers in our OWASP Community to participate and finalize the results. Here's a Sample of a Project Assessment to give you an idea what these look like.

We are still looking for more volunteers to help in this mission. Sign Up!

OWASP Project Reviews @ APPSEC USA 2017 - Funding Incentive is Available!

Please contact Claudia Aviles Casanovas and Matt Tesauro with any questions.




Events

Utilizing DevSecOps to Its Fullest Potential at AppSec USA

DevSecOps will be one of the most discussed topics at this year’s AppSec conference for obvious reasons. It’s one of the fundamental building blocks of security, development, and organizational growth. We’ll have plenty of DevSecOps talks and workshops to keep you busy, but here are a few of this year’s highlights:

Overcoming Mobile App Security Challenges with DevOps (Thursday, 9/21 @ 11:30am): Solution Engineer for NowSecure, Brian Lawrence examines some of the most common reasons companies struggle without consistent DevOps programs. He’ll look at challenges such as technology fragmentation, how mobile apps expose enterprise architecture, the unending updates cycle, and more before framing some successful DevSecOps processes to mitigate these issues.

Making Vulnerability Management Less Painful with OWASP DefectDojo (Thursday, 9/21 @ 1:30pm): Let Greg Anderson, Senior Security Engineer for Pearson, take some of the pain and tedium out of vulnerability management by introducing you to DefectDojo. He’ll demo this enterprise-level tool’s ability to automate, report, scan, and service vulnerabilities to make your - and your engineers’ - lives easier.

WAFs FTW! A Modern DevOps Approach to Security Testing Your WAF (Thursday, 9/21 @ 3:30pm): In this lecture Zack Allen, Threat Operations Manager at ZeroFox, examines a framework to test arbitrary Web Application Firewall implementations and explores rapid prototyping of attack payloads without relying on developer support to verify WAF defenses and make this tool more valuable than ever.

Core Rule Set for the Masses (Friday, 9/22 @ 11:30pm): Although ModSecurity - OWASP’s very own web application firewall - is widely considered an exceptional security tool, maintaining and managing the system can be tedious, time consuming and difficult. OWASP volunteer Tin Zaw and Robert Whitely, Security Solutions Architect for Verizon Digital Media Services, work together to share some benefits of enhancing and fine tuning to spend less time managing and more time enjoying ModSecurity.

How to Stop Worrying About Application Container Security (Friday, 9/22 @ 2:30pm): Information Security Engineer for the US Citizenship and Immigration Services (USCIS), Brian Andrzejewski challenges existing security models by harnessing containers to deploy applications securely and swiftly. He’ll use his experience at USCIS as a case study to frame this innovative concept and discuss the merits of building a container ecosystem.

Volunteer spots for AppSec USA now open!

OWASP has volunteer positions available for AppSec USA. If you are interested, please take a moment to choose your shifts through this signup.com form.

If you are volunteering in exchange for your ticket you will receive an email explaining how to register for the conference. If you are planning on doing this, please remember that you will need to sign up for 8 hours worth of shifts and OWASP does not cover travel or accommodations.

Remember to consult the Conference Schedule to make sure that you do not choose a shift that conflicts with your preferred talks.

Volunteer Orientation is on-site Monday evening. You will receive an email with the exact time and location closer to the event. If you can't make it, please let us know!


OWASP World Tour

This year the strategic goal of OWASP is to raise awareness and spread application security knowledge world-wide by hosting a training world tour. The 2017 world tour will have three, free mass application security training events. Each one-day AppSec training course will teach 500 developers, software testers and entry level application security professionals core security topics.

Our goal is that each training will combine general security principles (such as the principle of least privilege, using secure defaults, and reducing attack surface) with AppSec-specific topics (such as parameterized queries to prevent SQLi, and input validation and encoding). We are also interested in teaching how OWASP Projects can assist in developing secure software.

As part of the OWASP World Tour we are inviting all professional trainers to apply to the Call for Training for your opportunity to train in Tokyo, Boston, or Tel Aviv. The Call for Training closes this month, so apply today!

If you are interested or know someone who is interested in attending the OWASP World Tour near you, please keep an eye on the OWASP Blog or OWASP World Tour Wiki Page for registration.


5th Annual AppSec Bucharest

The OWASP Bucharest team is happy to announce the OWASP Bucharest AppSec Conference 2017 at Hotel Caro: a three-day security and hacking conference dedicated to application security. The event will be in English, with cutting-edge topics presented by renowned security professionals.

The CfP is open through September 9th as is the Call for Training.

Oct 11th and 12th are dedicated to trainings, and on the 13th talks and workshops will run in parallel. We will also have a CTF with a grand prize of 1024 Euros. Conference talks are free; however, you need to register.

More information, including the current training schedule, is available on the wiki.

Upcoming Events

Regional and Local Events

Training Events

  • OWASP Cyber Security Explorer — August 10–11, 2017; Amity University, Rajasthan, India
  • OWASP Training Day 2017 — October 4, 2017; Portland, OR, USA
  • OWASP World Tour — September 30, 2017; Tokyo, Japan
  • OWASP World Tour — October 9, 2017; Boston University, Boston, MA, USA
  • OWASP World Tour — October 17, 2017; Tel Aviv, Israel

Developer Summits

Partner and Promotional Events


Chapters

OWASP Go Live?

We are looking for Chapters interested in participating in the alpha test of the OWASP Discourse system. You can read more about the requirements in the OWASP Discourse roll out plan. If interested, please fill out this form of interest.



Membership

August 2017 Corporate Members

We would like to thank the following companies for supporting the OWASP Foundation. The companies listed below have contributed this month by either renewing their existing Corporate Membership or joining OWASP as a new Corporate Member.

Details about Corporate Membership can be found here.



Contributor Corporate Members


Code Dx is committed to reducing barriers to effective application security. Our automated application vulnerability correlation and management tools help find and fix insecure code faster, with less effort and a smaller team. Focus your precious resources on developing valuable new features, and ship secure code faster and more often.
For more information, please visit https://codedx.com/



Founded in 1975, Information Builders continues to deliver state-of-the-art technology that is transforming business in all commercial industries, government, and education. We remain one the largest independent, privately held companies in the software industry. Headquartered above Madison Square Garden in New York, Information Builders operates in more than 60 global locations and has built an active customer base of tens of thousands of major installations at the world's leading organizations. Information Builders is not only a major software supplier to our customers, but also a major provider to the leading software vendors in the industry including HP, IBM, Oracle, SAP, Teradata, and many others. In addition to our commitment to superior software engineering, we are equally proud of our people. Some of the most talented and creative professionals in the industry work at Information Builders and are passionate about what they do. In fact, the professionalism and tenure of our employees is often cited as a major differentiator by our customers. Our reputation for customer service has garnered us the highest honors from “CRM” magazine, the SSPA, and the American Business Awards. Our products and services have received top recognition from independent analyst research firms including Gartner, Forrester, Ventana Research, BARC, Butler, Bloor, and The Data Warehouse Institute (TDWI). Most importantly, our customers have received the most information technology and business awards for their accomplishments. More than 50 of our customers have had their information systems inducted into the Smithsonian Institute for superior information technology achievement through the Computerworld Honors Program. http://www.informationbuilders.com/about_us






Want your company name here? 
Find out how by visiting our Corporate Member information page, or contact Kelly Santalucia, our Membership & Business Liaison today!  



Thank you to all of our Premier and Contributor Corporate Members for your support!
 

The OWASP Foundation, 1200C Agora Drive #232, Bel Air, Maryland, 21014, USA

Thursday, August 24, 2017

August 2017 Corporate Members


Monday, August 21, 2017

OWASP Project Reviews @ APPSEC USA 2017
