Tuesday, August 31, 2010

OWASP Secure Coding Practices - Quick Reference Guide

Leaders,

I am glad to announce I’ve just set a new project up – the OWASP Secure Coding Practices - Quick Reference Guide, led by Keith Turpin. Please welcome him!

http://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide#tab=Project_About

http://www.owasp.org/index.php/User:Keith_Turpin

As always, your suggestions and contributions would be greatly appreciated.

In addition, this project already has a very mature release, OWASP Secure Coding Practices - Quick Reference Guide/Version 1.0, which is under formal assessment and seeking Stable Release status.

http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/Current

http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment

What’s more, Matt Tesauro already volunteered to act as Second Reviewer in his quality of Board Member but we are still in need of a First Reviewer. Please do let us know if you are up to take the challenge. To do so, please fill in the following link using one of the available positions aka volunteers[1-10].

http://www.owasp.org/index.php/OWASP_Project_Reviewers_Database#tab=Project_Reviewers.2FVolunteers

Many thanks, regards,

Paulo Coimbra,
OWASP Project Manager

Saturday, August 28, 2010

ESAPI 2.0 rc7 (for Java 1.5+) is now live!

ESAPI 2.0 rc7 for Java 1.5 and above is now live!

You can download the complete zip file here:


You can browse the ESAPI 2.0 rc7 Javadocs here:


Additional online project documentation can be found here:


Major enhancements include:
  1. Several fixes to SecurityWrapperRequest.
  2. Overhauled Singleton implementations to make the ObjFactory create instances or singletons rather than having ESAPI manage unreliably.
  3. Changes to get rid of deprecated Encryptor encrypt() / decrypt() methods and replace them with the new, stronger encrypt() / decrypt() methods.
  4. Several Validation fixes around returning consistent error states.
  5. Made changes t0 the Encryptor so that it is no longer vulnerable to "padding oracle attacks" (issue #120)
  6. Fixes to seal() so that it now properly works if the message being sealed contains a ":" (issue #28).
  7. Examples should now work (if you follow directions in README.txt)
    whether ESAPI has been pulled from the SVN repository or downloaded
    from the zip file. (Issue #114.)
Please see changelog.txt at the root of the zip file for more information.

Thanks to Kevin Wall, Chris “Beef” Schmidt, Jonathon Ruckwood and Ed Schaller for their contributions in this release.

Malama Pono Aloha,

--
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net

OWASP ModSecurity CRS v2.0.8

Greetings everyone,
I wanted to announce the availability of the OWASP ModSecurity CRS v2.0.8.

DOWNLOADING -
Download page - http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#tab=Download
You can also use the util/rules-updater.pl script to auto-download the latest ZIP archive (see the rules-updater-example.conf file for Repo data).

TESTING -
We have integrated the new CRS into the Demo page to help facilitate community testing -
http://www.modsecurity.org/demo/

CHANGES -
--------------------------
Version 2.0.8 - 08/27/2010
--------------------------

Improvements:
- Updated the PHPIDS filters
- Updated the SQL Injection filters to detect boolean attacks (1<2, foo == bar, etc..)
- Updated the SQL Injection filters to account for different quotes
- Added UTF-8 encoding validation support to the modsecurity_crs_10_config.conf file
- Added Rule ID 950109 to detect multiple URL encodings
- Added two experimental rules to detect anomalous use of special characters

Bug Fixes:
- Fixed Encoding Detection RegEx (950107 and 950108)
- Fixed rules-updater.pl script to better handle whitespace
https://www.modsecurity.org/tracker/browse/MODSEC-167
- Fixed missing pass action bug in modsecurity_crs_21_protocol_anomalies.conf
https://www.modsecurity.org/tracker/browse/CORERULES-55
- Fixed the anomaly scoring in the modsecurity_crs_41_phpids_filters.conf file
https://www.modsecurity.org/tracker/browse/CORERULES-54
- Updated XSS rule id 958001 to improve the .cookie regex to reduce false postives
https://www.modsecurity.org/tracker/browse/CORERULES-29


--
Ryan Barnett
OWASP ModSecurity Core Rule Set Project Leader

Monday, August 23, 2010

APPSEC BRAZIL 2010 - REGISTRATIONS OPEN!

Greetings everyone!

We're proud to announce that the OWASP's AppSec Brazil 2010 Conference registrations' are officially open!

Early bird offers are available! Hurry up!

This year we'll have keynotes by Robert 'Rsnake' Hansen and Jeremiah Grossman and Samy Kamkar as a Special Speaker!

Registrations are available here: http://www.owasp.org/index.php/AppSec_Brasil_2010#tab=Registration

All info about the event can be found at: http://www.appsecbrasil.org

If you have any doubt please contact us at organizacao2010 (at) appsecbrasil.org

See you there!

--
Leonardo Buonsanti

Thursday, August 19, 2010

OWASP SPECIAL ANNOUNCEMENT

This is a special announcement in an attempt to reach out to our community’s
  • Application Developers
  • Application Testers and Quality Assurance
  • Application Project Management and Staff
  • Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
  • Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
  • Security Managers and Staff
  • Executives, Managers, and Staff Responsible for IT Security Governance
  • IT Professionals Interesting in Improving IT Security
If you have not done so already, please take a minute to register for one of our upcoming events. We have something happening in almost every part of the world! This is the time to learn the latest in Application Security from the global industry experts. Thanks to our many sponsors, we are able to continue to keep our registration and training costs low while raising the standards in the AppSec industry. Don’t miss out on this opportunity to sharpen your skills, learn new techniques, network with leaders, and advance your career. CPE credits are available for most programs.

As always, if you have any questions, please feel free to contact me. Kate.hartmann@owasp.org

September

September 7-10 AppSec US - Irvine, CA (training available)
http://www.owasp.org/index.php/AppSec_US_2010,_CA

September 17th, AppSec Ireland - Dublin, Ireland (training available)
http://www.owasp.org/index.php/OWASP_IRELAND_2010

October

October 20th, AppSec Germany – Nurnberg, Germany
http://www.owasp.org/index.php/OWASP_AppSec_Germany_2010_Conference

October 20-21, Rochester Security Summit – Rochester, NY
http://www.rochestersecurity.org/

October 20-23, OWASP China Summit 2010 – Beijing, China
http://www.owasp.org/index.php/OWASP_China_Summit_2010

October 29th , LASCON – Austin, TX
http://www.owasp.org/index.php/Lonestar_Application_Security_Conference_2010

November

November 8-11, AppSec DC 2010 – Washington, DC (training available)
http://www.owasp.org/index.php/OWASP_AppSec_DC_2010

November 16-19, AppSec Brazil – Campinas, SP, Brazil (training available)
http://www.owasp.org/index.php/AppSec_Brasil_2010

November 25-26, IBWAS – Portugal (training available)
http://www.owasp.org/index.php/IBWAS10

Kate Hartmann
Operations Director
301-275-9403
www.owasp.org
Skype: Kate.hartmann1

Tuesday, August 10, 2010

AppSec Ireland, AppSec DC, and AppSec US updates

OWASP Ireland September 17th 2010
The agenda has been finalized for the OWASP Ireland event. We have the pleasure to announce a number of key figures from industry which should provide some unique insight into the latest trends, threats and methodologies in the world of application security.
http://www.owasp.org/index.php/OWASP_IRELAND_2010

Keynotes:
John Viega: “Application Security in the Real World” - Considerations for AppSec in non-security companies.
http://www.owasp.org/index.php/John_Viega
Professor Fred Piper "The changing face of cryptography"
http://www.owasp.org/index.php/User:Professor_Fred_Piper
Damian Gordon Phd: “Hackers and Hollywood: The Implications of the Popular Media Representation of Computer Hacking"
http://www.owasp.org/index.php/User:Damian_Gordon

We also have some great international and local speakers covering topics from Smart phone application security to SDLC to Penetration testing techniques:
  • Dan Cornell ("Smart Phones with Dumb Apps")
  • Ryan Berg ("Path to a Secure Application")
  • Dr Marian Ventunaec ("Testing the Enterprise E-mail Security - from Software to Cloud-based Services")
  • Fred Donovan and (“Counter Intelligence as Defense……”)
  • Nick Coblentz (“Microsoft's Security Development Lifecycle……”)
.. but to name a few http://www.owasp.org/index.php/OWASP_IRELAND_2010#Agenda_and_Presentations_-_September_17

Training:

http://www.owasp.org/index.php/OWASP_IRELAND_2010#Training

“Secure Application Development: Writing secure code (and testing it)”
AppSec DC: CFP Round Two:
AppSec DC 2010 is the East Coast's premiere Information Security Conference for 2010.

**AppSec DC has added a second round for CFP until August 31st, so there is still time to get submissions in for our CFP!**

Building on the success of last year's AppSec DC 2009, the AppSec DC team is working to further the OWASP conference mission of hosting the best minds in application security in a forum to share innovations and ideas. AppSec DC's unique location and relationship with federal entities in the Washington DC area also allows OWASP and affiliates to continue to reach out to and interact with the federal government in this time of ever-increasing National Security concerns.
This year, in addition to content from industry leaders in application security research, entities within the Department of Homeland Security, the Department of Defense, the National Institute of Standards and Technology and other government agencies will be contributing content focusing on Software Assurance and the role that that plays areas of extreme concern in the current climate, such as protecting Critical Infrastructure or Supply Chain Risk Management. If you work in or with the federal government, regardless of branch or service, this is likely a critical concern for some subset of your workplace, and the combination of content at this event will provide an incredible value to your and your employer.

In addition to two days of great speaking content, keynotes and panels, AppSec DC will also provide two days of world class training on applications security from a variety of vendors at a fraction of the cost found at other events. This year featured panels will not only include federal "what works" in application security, but several other areas of interest so that there will be engaging discussion for all types of attendees. The AppSec DC crew is also working a great vendor space and engaging contests, including a hacking competition built specifically for our event.

AppSec DC will take place at the Walter E. Washington Convention Center in Washington DC on November 8-11. Training will be on the 8th and 9th, talks will be on the 10th and 11th. Our partner hotel is the Grand Hyatt again this year, and a discounted rate will be available for attendees who register in Advance.

For more information visit the OWASP wiki at http://www.owasp.org/index.php/OWASP_AppSec_DC_2010
or the AppSec DC website (updates coming soon!) at http://appsecdc.org
CFP submissions should use the Easy Chair system, our URL is at http://www.easychair.org/conferences/?conf=appsecdc2010 -- Registration is required.

AppSec US 2010, CA
Register before August 15, 2010 and you may be eligible to win a free iPad! Details can be found here: http://www.owasp.org/index.php/AppSec_US_2010,_CA

Kate Hartmann
Operations Director
301-275-9403
www.owasp.org
Skype: Kate.hartmann1