Friday, December 22, 2017

Google Summer of Code 2018 (GSOC) - Deadline January 21st

The OWASP Foundation will be applying as a Mentor Organization for Google Summer of Code 2018 (GSOC)!  GSOC is an international grant program that promotes open source projects by providing a stipend for university students to code for open source projects. During the Google Summer of Code your project can choose a student to mentor from a wide range of applicants. The student will complete a project defined by an OWASP Project leader aimed at improving an OWASP Project.  Each student will be assigned a volunteer mentor (who does not need to be an OWASP Project Leader) to help guide and evaluate the student throughout the process.  

We need your help in making this program a success, and the more mentors we have, the more slots OWASP gets!

GSOC for Project Leaders:
  • Add your idea on our GSOC 2018 Ideas wiki page ASAP; Deadline January 21st! 
  • Students will start applying for projects on March 12, 2018 but many are already exploring ideas on our wiki page.
  • You may submit multiple ideas (but each accepted idea will need its own mentor)
  • Leaders are welcome but not required to also be mentors
Become a Mentor: 
  • Do you want to become a mentor for a student?
  • Choose a participating OWASP Project idea from the GSOC 2018 Ideas wiki page, preferably one you are most familiar with.
  • If you have an idea for mentoring a student that is not listed, reach out to the Project Leader to pitch your idea.
Help OWASP Invite Students: 
  • Are you somehow affiliated with a university? Share this opportunity in the classroom, with instructors, and with the appropriate department secretary. 
  • Invite students who already volunteer with OWASP and students associated with your chapter.

Interested but need more information?


Touch base with Claudia (claudia.aviles-casanovas at owasp.org), Kostas (konstantinos at owasp.org) or Fabio (fcerullo at owasp.org) to get started today. Thank you in advance for your time; we look forward to your participation.

Wednesday, December 20, 2017

Core Rule Set: The evolution of an OWASP Project

https://coreruleset.org/poster/
Let me put one thing straight: there are two things when we talk about ModSecurity. There is the naked ModSecurity engine running inside NGINX or Apache and there is the rule set that instructs the engine what to do. Many different rule sets exist. But the rule set with the largest user base (and longest name) is the OWASP ModSecurity Core Rule Set or CRS for short.

CRS started in 2006 and moved under the OWASP umbrella in 2009. While widely used, it was essentially run as a one man show until late 2015 when Chaim Sanders took over and asked Walter Hop and me to join the project. We formed a three person leadership team with Chaim having the final say. Our new team undertook an informal review of CRS and identified four areas where the CRS sucked:
  • usability
  • documentation
  • ugly code
  • non-existent community

Additionally, there were also - and still are - blind spots in the rule base. Despite this CRS has always been very good at detecting attacks - easily catching 80% - 90% of the attacks aimed at web applications. If we could solve the four pressing issues, we were sure the project would flourish, so we worked tirelessly throughout 2016 to release CRS v3.0 in November 2016.

False positives really kill the experience when running a web application firewall. The CRS3 release brought a painless out-of-the-box installation that has very few false positives due to our new Paranoia Level. This value lets you decide how aggressive you want the rule set to behave. The default Paranoia Level means you are satisfied with detecting 80% of the attacks - as long as you do not get any false positives. You can raise the level to reach 95% or even 99% of the attacks. But this comes at the expense of a substantial number of false positives and you need to tune away these alerts in order to run your service seamlessly again.
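As an added illustration (not part of the original post), the two knobs described above as they appear in a CRS 3.x installation: the Paranoia Level is set in crs-setup.conf by the SecAction with rule id 900000, and a false positive raised at a higher level is tuned away with a rule exclusion instead of disabling the whole rule. The rule id 942100, the parameter name and the login URI are assumed example values, not taken from the post.

```apache
# Added example, not from the original post or the CRS project files.
# 1) Paranoia Level (crs-setup.conf). CRS 3.x reads tx.paranoia_level.
#    PL1 (the default) aims at no false positives; PL2 to PL4 enable
#    progressively stricter rules and bring progressively more false positives.
SecAction \
 "id:900000,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.paranoia_level=2"

# 2) Tuning away one false positive after raising the level.
#    Rather than removing the rule entirely (SecRuleRemoveById 942100),
#    exclude only the parameter that triggers it. Rule id 942100 and the
#    parameter name 'password' are assumed example values; take the real ones
#    from the alert in the error log. This directive must come AFTER the CRS
#    rules have been included (CRS ships an "AFTER-CRS" exclusion file for it).
SecRuleUpdateTargetById 942100 "!ARGS:password"

# 3) The same exclusion limited to a single URI, applied at request time.
#    The URI '/login' is an assumed example. Runtime exclusions with ctl: must
#    come BEFORE the CRS rules are included (the "BEFORE-CRS" exclusion file).
SecRule REQUEST_URI "@beginsWith /login" \
 "id:10001,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  ctl:ruleRemoveTargetById=942100;ARGS:password"
```

Raising tx.paranoia_level is the trade-off the post describes: more of the rule base is active, so more attacks are caught, and each new alert on legitimate traffic is handled with a targeted exclusion like the ones above rather than by lowering the level again.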

With CRS3, we heard users exclaim that the new CRS just works without much tuning by default. People do a default install on their existing sites and they hardly notice it's there until they try out SQL injections on the login screen. As if to underline this, in the year since we released CRS3 we received roughly 20 GitHub issues due to false positives. Having run the old Core Rule Set for many years, 20 false positives used to be what I would eat for breakfast in the old days.

Still, we knew there was room for improvement and so I wrote a series of tutorials in the form of several guides and accompanying scripts to help people streamline the tuning process.

As expected, the CRS3 release brought an increased interest in the project. In order to foster this interest and to build our community we timed the release with a new movie poster style graphic and I began to run ModSecurity / CRS courses in several cities. All these efforts paid off as in October we saw almost 1600 people visit the CRS integration tutorial. On top of that, almost 1000 people visited the tutorial covering false positives. That's a doubling within 12 months. My CRS classes have attracted the interest of internet service providers, appliance manufacturers, big banks, university services and even IT teachers. New developers started to show up with @victorhora leading the way. In early November, we promoted three members of our growing community to active developers and we are now ten. Ten developers is an ass-kicking number and we were able to address the ugly rule base. Developer @fgsch championed a cleanup project in summer. He received immediate support from @fzipi and @spartantri. This has greatly improved the readability of the rules and spurred a set of coding guidelines that will guide future development.
The new CRS project logo with the OWASP wasp protected by an additional layer of defense.

In late Summer 2017, @franbuehler announced that our legacy of dozens of machine optimized regular expressions was a mess. She proved that the project had lost the readable sources to these patterns a long time ago. So she disassembled the regexes of over 1000 characters width into lists of human readable source patterns. Her solutions were merged to much acclaim in early November. This had the further benefit of galvanizing our community. The monthly CRS community chat evolved into a monthly planning session. We use it to talk about the project and sort out controversial pull requests or issues. This has been very beneficial. It allows us to give positive feedback to new community members. And it lets everybody feel much more like part of a real community where their input is valued and where they receive guidance for contributions of their own.

This new momentum of the project has not gone unnoticed. The 2017 edition of the OWASP Top Ten includes a reference to the CRS project under A10 Insufficient Monitoring and Logging. And when attending a Hacknight in Berne, Switzerland, one of the board members of the German Open Source Business Alliance approached me and asked me to submit our project for the German Open Source Business Awards OSBAR. I gladly complied and on December 6, 2018, CRS 3.0 was invited to receive an OSBAR award together with a handful of other projects including the Rust language. I have never won an award for anything I have done ever, so this felt extremely cool!

With the code base cleanup nearing completion, we are now using our larger developer base to add better coverage and close existing gaps. One hot area in this regard is attacks on Java services. CRS would have detected the Equifax hack, but only at a high paranoia setting. Walter Hop (@lifeforms) and @emphazer are working on a new group of rules to expand the rule coverage for this attack class and include them in the upcoming CRS 3.1 release. Parallel to this, we are also adding unit tests to all our rules. This should protect us from ruining the existing rules with a stupid mistake and from adding false positives when we commit changes. In fact, there is a separate project, FTW, created to support our unit testing process. This is done by providing a Framework for Testing WAFs (hence FTW). It's a great tool and I hope other projects can profit from its simplicity too. With hundreds of tests merged into OWASP CRS, we are seeing good progress there.

What's next for the project:


  • Release 3.1.0, possibly also 3.0.3, is on the list for the next few months.
  • We aim for a CRS summit at one of the European OWASP conferences in 2018. The idea is to meet with various parties using CRS in their setups or as part of their services or products.
  • We hope to achieve mainstream adoption of CRS with online offerings. Let's Encrypt is included with your hosting plan and we think an OWASP ModSecurity Core Rule Set installation should also be added to the package.
  • Now that CRS is being featured in the OWASP Top Ten (2017), we need to open up to the people looking at OWASP Top Ten. They are looking for guidance on how they can take the best out of CRS with their existing setups. Here is a first blog post with this goal.
If you feel like supporting our project, read through our blog post aimed at new project members and check out the CRS website.

Or why don't you join our monthly chat. We meet on the first Monday of a month on freenode IRC, channel ModSecurity at 20:30 CET, and we are very open to newcomers. We’re all newcomers, actually.


Christian Folini (Follow him on twitter @ChrFolini)

[EDIT: Typos and formatting]


Monday, December 18, 2017

September - December 2017 Corporate Members



We would like to thank the following companies for supporting the OWASP Foundation. The companies listed below have contributed over the past couple of months by either renewing their existing Corporate Membership or joining OWASP as a new Corporate Member.

Details about Corporate Membership can be found here.


Premier Corporate Members

Netsparker develops an industry leading automated web application security scanner. Available as Windows desktop software and as a Cloud service, the Netsparker scanner is very easy to use and its proof-based vulnerability scanning technology enables you to easily and automatically detect SQL Injection, Cross-site scripting and other vulnerabilities in your websites, web applications and web services. Netsparker’s unique scanning, detection and auto exploitation techniques allow it to be dead accurate. Therefore you do not have to waste time manually verifying the scanner’s findings and instead can focus on fixing the identified vulnerabilities. Netsparker is trusted and used by world renowned companies such as Samsung, Ernst & Young, Skype, NASA, ISACA and ING Bank. To learn more, please visit: https://www.netsparker.com/

Since 2002, organizations have relied on Security Innovation for their unique software and application security expertise to help secure and protect sensitive data in the most challenging environments - automobiles, desktops, web applications, mobile devices and in the cloud. Recognized as a Leader in the Gartner Magic Quadrant for Security Awareness for the third year in a row, Security Innovation is dedicated to making the world (and your organization) a safer place, one employee and one application at a time. Security Innovation is privately held and headquartered in Wilmington, MA USA. For more information, visit www.securityinnovation.com.

Signal Sciences is the industry’s first Web Protection Platform using both Next Generation WAF as well as RASP technologies. Signal Sciences WPP was built in response to our own frustrations of trying to use legacy WAFs while enabling business initiatives like DevOps, cloud adoption and CI/CD. The Signal Sciences NGWAF works seamlessly across cloud, physical, and containerized infrastructure, providing security without breaking production traffic. Please visit http://www.signalsciences.com/ for more information.


Contributor Corporate Members

Acunetix’s team of experienced engineers developed a leader in website, web application, and Internet-facing server analysis and vulnerability detection. Available both on-premise and online, Acunetix uses deep crawling techniques to detect exploitable vulnerabilities such as SQL injection and all forms of Cross-Site scripting, while providing concise vulnerability reports and information on how to fix them, allowing you to protect your business against impending hacker attacks. Acunetix customers include Cisco, NASA, American Express, Sony, HSBC, The Pentagon, Skype, and many more. You can find us online at www.acunetix.com.

Checkmarx is an Application Security software company, whose mission is to provide enterprise organizations with application security testing products and services that empower developers to deliver secure applications. Amongst the company's 1,000 customers are 5 of the world's top 10 software vendors and many Fortune 500 and government organizations. Checkmarx CxSAST is a highly accurate and flexible Source Code Analysis product that allows organizations to automatically scan un-compiled/un-built code and identify hundreds of security vulnerabilities in the most prevalent coding languages. Learn more at www.checkmarx.com.

Distil Networks, the global leader in bot detection and mitigation, is the only easy and accurate way to protect web applications from bad bots, API abuse, and fraud. With Distil, you automatically block 99.9% of malicious traffic without impacting legitimate users. Distil Web Security defends websites against web scraping, brute force attacks, competitive data mining, account takeovers, online fraud, unauthorized vulnerability scans, spam, man-in-the-middle attacks, digital ad fraud, and downtime. Distil API Security protects all types of APIs including those serving web browsers, mobile applications, and Internet of Things (IoT) connected devices. Distil API Security defends APIs against developer errors, integration bugs, automated scraping, and web and mobile hijacking. For more information on Distil Networks, visit us at http://www.distilnetworks.com or follow @DISTIL on Twitter.

At GoSecure, our reason for being is to protect your IT assets and allow you to focus on business. As a cybersecurity services provider, our offering is focused on increased security operations ROI, cutting-edge security testing for IT and facilitating integrated security in new or existing software and hardware systems. Strengthened by over a decade of experience dedicated exclusively to cybersecurity, our team has had to deal with a wide gamut of security breaches and threats and stands today as a group of leaders in technologically complex security mandates in the industry. We continue to invest in advanced security research with our private and public partners. For us, security only makes sense when it serves the best interest of your organization and helps you reach your goals. You can count on us as your long-term partner in assessing and developing all the elements of your technical security for current and future threats. Our clients recognize us as the partner of choice for operationalization of their security strategy as we excel at making security work “where the rubber meets the road”. We offer a full range of managed security services from our two security operations centers. For more information, visit http://www.gosecure.ca/

Please visit https://www.immun.io/ for more information


For more information, please visit: https://www.ipswitch.com/
Johnson Controls is a global diversified technology and industrial leader serving customers in more than 150 countries. Our 130,000 employees create quality products, services and solutions to optimize energy and operational efficiencies of buildings; lead-acid automotive batteries and advanced batteries for hybrid and electric vehicles; and seating components and systems for automobiles. Our commitment to sustainability dates back to our roots in 1885, with the invention of the first electric room thermostat. Through our growth strategies and by increasing market share we are committed to delivering value to shareholders and making our customers successful. In 2015, Corporate Responsibility Magazine recognized Johnson Controls as the #14 company in its annual “100 Best Corporate Citizens” list. Please visit http://www.johnsoncontrols.com/content/us/en/products/building_efficiency/product-security.html

To learn more, please visit: https://www.nowsecure.com/

Security Compass focuses on helping you deliver secure software through deliberate practice while maintaining the speed of your business. Our goal is to help you build secure software by seamlessly unifying your application security needs through eLearning, Security Requirements and Verification. Visit http://www.securitycompass.com/ to learn more!

For more information visit: https://www.synack.com/

To learn more, please visit: https://www.ups.com/us/en/Home.page

WhiteSource helps software security teams manage open source components used in their products, automatically and continuously. It becomes part of your SDLC and automates the entire process of open source components selection, approval, and management, including finding and fixing vulnerable components. To learn more, please visit: https://www.whitesourcesoftware.com/



Want your company name here? 
Find out how by visiting our Corporate Member page, or contact Kelly Santalucia, our Membership & Business Liaison today!  



Thank you to all of our Premier and Contributor Corporate Members for your support!

Monday, November 20, 2017

Your 2018 Board has been elected

Thank you to everyone who voted in the Board of Directors election!

The OWASP Board consists of seven volunteers elected in alternating years to serve a two year term. These unpaid volunteers dedicate themselves to the organizational mission and play a pivotal role in the software security community. Members of the Global Board of Directors are responsible for setting the strategic direction of the organization and ensuring the financial integrity of the Foundation.

Our thanks to everyone who stood for the board this year; your willingness to take on time consuming duties to further OWASP's mission is greatly appreciated. OWASP is fortunate to have such talented and active volunteers and we look forward to continuing to work with you.

Please help me in welcoming your new board members:

Chenxi Wang
Owen Pendlebury
Sherif Mansour
Greg Anderson

To listen to the newly chosen board member interviews, please visit our Election page.

Come January 1, 2018, these four new board members will begin their two year term. They will be joining our existing board members, Matt Konda, Andrew van der Stock and Martin Knobloch.

Full Election results:


OWASP is pleased to announce the release of the OWASP Top 10 - 2017

After a difficult gestation, the OWASP Top 10 Final is out.

You can get it from here:   https://github.com/OWASP/Top10/tree/master/2017

As many of you know, there was a lot of passion within the application security community about the OWASP Top 10 2017 RC1, so it was critical that we worked with the community to firm up the data and obtain a consensus view of how to proceed.

After the change of leadership from Dave Wichers and Jeff Williams to Andrew van der Stock in late May 2017, we added diversity to the leadership team, by adding Neil Smithline, Torsten Gigler, and Brian Glas. Each of the leaders brings their own experience and point of view to the OWASP Top 10, making it far stronger. I couldn't have done this by myself, and it would have been a far weaker document if it was just little old me. I thank my co-leaders from the bottom of my heart. I also thank the founding leadership of Dave Wichers and Jeff Williams for creating the OWASP Top 10, and trusting in us to get this done.

In June, Dave Wichers and Brian Glas attended the OWASP Project Summit in London, and I participated remotely. During the summit, as a community, we agreed to governance, methodology, data analysis and transparency improvements. The highlights of this are:

  • A diversity of leadership at all times (at least two unrelated leaders). This has been an incredible win for the OWASP Top 10, and I hope more OWASP Flagship projects consider doing it. 
  • The methodology was improved by confirming that we will be using risks, rather than any other metric, and agreeing that up to two items will be selected by the community for up and coming risks
  • Data analysis was performed by Brian Glas, in particular on how to improve the balance between the largely automated findings that swamp manual findings and the manual findings themselves, as well as re-opening the data call to obtain 2016 data and surveying the community for the two forward looking items
  • Transparency is now aligned with OWASP's values - we work in the open at GitHub, and folks can see who suggested an improvement or issue, and how this was resolved in the text. For the first time, there is a strong traceability between the data submitted by participating data contributors and the OWASP Top 10. This means that if you want, you can fork the OWASP Top 10, re-analyze the data to suit your needs and create your own version. (Just don't call it the OWASP Top 10 :-) )

The data call was very successful. We obtained a great deal of new data covering previous years, including 2016, from a wide variety of consultancies and vendors. We have data from over 40 data contributors, 23 of which were used in the final data analysis. From those 23 data sets, the data covered over 114,000 applications, which is one of the biggest data sets on application security anywhere. And you can download it from our GitHub repo. At the last minute, we also received data from BugCrowd. The interesting thing about bug bounty programs is that kudos and payouts only occur when fully validated, and it also shows what is on the top of the list from the point of view of bug bounty programs. The bug bounty data backed up our analysis in terms of prevalence data, so we were definitely on the right track.

The survey was wildly successful. We received over 500 survey responses, so I think we can safely claim consensus on the two new items - Insecure Deserialization and Insufficient Logging and Monitoring. These two items were obviously top of mind for many this year considering the era of the mega breach is not slowing down. We discuss our methodology in more detail within the OWASP Top 10 - 2017 itself, as many will wonder why we didn't use the two top items directly. The short answer - and this should be no surprise - some of these other issues were already in the OWASP Top 10 due to prevalence data, such as XXE and access control.

I will address some of the frequently asked questions - why have CSRF and unvalidated redirects and forwards been removed? It's time to move on. The data for these is no longer strong enough to warrant inclusion, especially when we only have 8 data supported spots with our new methodology, and these two items didn't rank in the community survey. This is actually a sign of success; the fact that CSRF is finally going away is a sign that the OWASP Top 10 has been successful at its mission. Back when I included CSRF in 2007 as a forward looking item, there was no data for it. At all. But ~ 100% of applications had CSRF at that time. Now it's less than 5% of all applications. If you use a modern framework, you're pretty much covered without doing anything. That's a huge success.

This then leads into the discussion about renumbering. We risk rated the resulting list over about a 5 hour meeting, and this is the result. I asked the Twitter community if they wanted a risk based order, a likelihood order, an impact order, or the order from previous OWASP Top 10's. Overwhelmingly risk based order won. Interestingly, the previous OWASP Top 10's kept the previous order, but this was wanted by less than 10% of respondents, compared to over 55% for risk based ordering. So that's what happened. What surprised me is that after re-risk rating many of the existing items didn't move. I was actually surprised by this, particularly in relation to SQL injection, but because we include all forms of injection (which theoretically can cover XSS), it remained at the A1:2017 position. This is because we couple three forms of likelihood (prevalence, detectability, and exploitability) and impact. We have strong prevalence data, but the others were our best judgement. You can look at what we decided upon and review our work. I encourage everyone to do so.

The last common discussion we've had is why we didn't roll up XSS into injections, because it's either HTTP, HTML, or JavaScript injection. The reality is that it would have swamped the important discussion on other injections, and the solutions for XSS are significantly different to preventing OS command injection or SQL injection. I will defend this decision until the day we see XSS gone the way of CSRF. And I can't see that day ... yet. There is hope in the form of CSP and XSS-resistant frameworks such as Ruby on Rails 3 and React, but there's a lot of code out there that is still vulnerable.

The new or heavily updated risks need little explanation:

  • We cover API as well as web apps throughout the entire Top 10. This covers mobile, single page apps, RESTful API and traditional web apps. 
  • A3:2017 Sensitive Data Exposure is now firmly about privacy and PII breaches, and not stack traces or headers.
  • A4:2017 XXE is a new data supported item, and so tools and testers need to learn how to find and test for XXE, and developers and devops need to understand how to fix it.
  • A6:2017 Misconfiguration now encompasses cloud security issues, such as open buckets.
  • A8:2017 Deserialization is a critical issue, asked for by the community. It's time to learn how to find this in tools, and for testers to understand what Java and PHP (and other serialization) looks like so it can be fixed.
  • A10:2017 Insufficient Logging and Monitoring. Many folks think this is a missing control, rather than a weakness, but as it was selected by the community, and whilst organizations still take over half a year to detect a breach - usually from external notification - we have to fix this. The way to go forward here for testers is to ask the organization if they detected whatever activity was undertaken, and if they would have responded to it without being prompted. Obviously, we are looking for testing to be undertaken through security devices, but whitelisted, so that logging, escalation and incident response can also be assessed.


These new items are modern era issues, and I hope that in the next three years, the industry can make headway on them.

So after more than 370 closed issues and 650 commits, we are finally finished. We received a lot of feedback from the community, and we thank those who reviewed and QA'd the document extremely closely, such as Osama Elnaggar, Dirk Wetter and Jim Manico, as well as over 40 others. For a full list of reviewers, please see the acknowledgement page.

What is the future of the OWASP Top 10? I think if anything, the community's passion during this time around shows how important the OWASP Top 10 is. It is widely adopted and a lot of folks care about it very deeply. It was a time for us to listen and learn from the process, and that will result in improvements for the OWASP Top 10 - 2020.

We will be starting the data collection process much earlier, and we will improve our methodology, particularly in relation to the survey, to provide more choices (we only had 25 CWEs). On top of that, we need to work with NIST / MITRE to keep CWE up to date, because some of the biggest up and coming (and to be fair, some of the existing) weaknesses do not have a CWE entry.

But first, we need a break. Thank you to everyone who participated to make the OWASP Top 10 a much stronger and more evidence based standard. The OWASP Top 10 - 2017 is by far the best sourced, most reviewed, application security standard out there. I encourage everyone to download it and start cracking on the new and updated items. We need translations as well, so if you want to do that, please contact us at @owasptop10 on Twitter or via GitHub.


Friday, November 17, 2017

Get your talks ready for OWASP AppSec Europe 2018!

We are glad to announce that the 2018 AppSec Europe Call for Papers and Call for Training is now open.

 

This year the special theme of OWASP AppSec Europe is: Usable Security. We ask you to think about how security is affected by the human aspects of users, developers and administrators. How do we design, deploy and manage a security system so that it will be used consistently and properly? What lessons can we learn from past success (or not-exactly-success...) stories in which the human factor played a major role?

 

Topics of interest include, but are not limited to:

  • Novel web vulnerabilities and countermeasures
  • New technologies, paradigms, tools
  • OWASP tools or projects in practice
  • Secure development: frameworks, best practices, secure coding, methods, processes, SDLC
  • Browser security
  • Mobile security and security for the mobile web
  • Cloud security
  • REST/SOAP security
  • Security of frameworks
  • Large-scale security assessments of web applications and services
  • Privacy risks in the web and the cloud
  • Management topics in Application Security: Business Risks, Awareness Programs, Project Management, Managing SDLC

To ensure the best talks available are presented at AppSec Europe, blind reading is being incorporated into the review process. This means that names and job titles will be removed when the paper abstract is being reviewed. All speakers will be given access to speaker mentorship.

 

The submission deadline is January 5, 2018. Please submit your proposal through EasyChair and encourage those you want to learn from in hands on training sessions or 45 min. talks to apply as well.

Apply Today


Tuesday, November 14, 2017

See you Later Matt!

We are sad to share that Matt Tesauro has moved on from OWASP to new challenges.  

Matt has been an active community member and Project Leader for over 9 years--including a stint as OWASP Board Member 2011-2012 and a staff member since July of 2016.  While we are sad to lose Matt as a staff member, we hope to see him prosper in his new position as a Senior AppSec Engineer at Duo Security and look forward to collaborating with him for many years as an OWASP Project Leader and community member.  

See you later Matt!


OWASP CODE SPRINT 2017


At OWASP, we were thrilled to sponsor our second OWASP Code Sprint 2017. Our partnership with students and universities to grow OWASP Projects has been a success since we began participating in the GSOC programs. We received more than 29 proposals. We were able to select 13 students who worked on a diverse range of application security projects. Below, we highlight the activity.

OWASP also provided an additional incentive and held an OWASP Raffle for an AppSec ticket and funding initiative to award one lucky student for great work done.
Congratulations Sourav Badami!



OWASP OWTF Project
Project Leaders: Abraham Aranguren, Viyat Bhalodia
Student: Anshul Singhal


Great work from Anshul Singhal, who added dynamic report generation from the database with a user selected template and refactored the code to separate the UI into a separate React app from the backend. Anshul also added report generation and is currently still working on the code separation. Anshul is very committed to completing the work outside the program if that is what it takes.


Feedback from Anshul: OWASP Code Sprint was such a great experience. Viyat and Abraham both helped me a lot during the whole duration. I learnt a lot in working with OWTF. Thank you OWASP for this opportunity.


OWASP Hackademic Project
Project Leader: Spyros Gasteratos
Student: Pavlos Zianos


Pavlos Zianos worked successfully on dynamic provisioning, launching and networking of new challenges without any blocking I/O calls, and refactored the existing codebase to accept modular drivers for both Docker and Vagrant provisioning, flexible networking and service discovery.


Feedback from Pavlos: OWASP Code Sprint has been a very valuable experience for me mainly because I got to bootstrap the project which gave me insight into issues that I had never experienced before. Spyros has been a very good mentor all this time.


OWASP DefectDojo Project
Project Leader: Greg Anderson
Student: Eric Anderson


Eric Anderson successfully accomplished a variety of difficult assignments while contributing to OWASP's DefectDojo Project, including feature development, debugging, and bug fixes. His assignments required professional-caliber skill and dedication to complete. We are very grateful for his contributions, which improved DefectDojo for our entire community. For technical details, all the information is in our public issue tracker found here.

Feedback from Eric: OWASP Code Sprint was overall a great experience in getting an idea of how certain jobs and processes of the cybersecurity field work and function. Learning how to use Django and Python in a professional manner was nice and cool.


Project Leaders: John Melton, David Scrobonia
Student: Rutuja Surve


Rutuja Surve successfully built web server log analysis functions for security. A minor portion of the effort was to include basic statistical metrics and evaluations. The major portion of the effort was to use machine learning, particularly clustering, to evaluate the log file with a view towards anomaly detection. Some of the analysis was based on intelligent thresholds, and some was based on pure clustering analysis.
Details can be found here.

Feedback from Rutuja: OWASP Code Sprint was an opportunity to learn a lot about several machine learning algorithms in Scikit Learn for analyzing web-server logs. Mentorship is excellent.
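As an added illustration of the two approaches mentioned above (threshold rules and clustering), here is a small Python script that is not part of the project's code: it parses a handful of constructed combined-format log lines, builds per-client features (request count, error rate, distinct paths), flags clients with a simple threshold rule, and runs a tiny 2-means clustering written inline instead of using scikit-learn so that it runs stand-alone. The log lines, client IPs and thresholds are all constructed for the example.

```python
"""Toy web-server log analysis: per-client features, a threshold rule and a
small 2-means clustering to surface anomalous clients. Added example, not
project code; scikit-learn is deliberately avoided so it runs stand-alone."""
import math
import re
from collections import defaultdict

# Apache "combined" log format (constructed lines, not real traffic).
SAMPLE_LOG = """\
10.0.0.1 - - [10/Oct/2017:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.1 - - [10/Oct/2017:13:55:40 +0000] "GET /about HTTP/1.1" 200 1120 "-" "Mozilla/5.0"
10.0.0.2 - - [10/Oct/2017:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.2 - - [10/Oct/2017:13:56:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.3 - - [10/Oct/2017:13:56:30 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.3 - - [10/Oct/2017:13:56:31 +0000] "GET /old-page HTTP/1.1" 404 512 "-" "Mozilla/5.0"
10.0.0.3 - - [10/Oct/2017:13:56:35 +0000] "GET /about HTTP/1.1" 200 1120 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2017:13:57:00 +0000] "GET /admin HTTP/1.1" 404 512 "-" "curl/7.55"
10.0.0.9 - - [10/Oct/2017:13:57:01 +0000] "GET /test HTTP/1.1" 404 512 "-" "curl/7.55"
10.0.0.9 - - [10/Oct/2017:13:57:02 +0000] "GET /old HTTP/1.1" 404 512 "-" "curl/7.55"
10.0.0.9 - - [10/Oct/2017:13:57:03 +0000] "GET /backup HTTP/1.1" 404 512 "-" "curl/7.55"
10.0.0.9 - - [10/Oct/2017:13:57:04 +0000] "GET /hidden HTTP/1.1" 404 512 "-" "curl/7.55"
10.0.0.9 - - [10/Oct/2017:13:57:05 +0000] "GET /tmp HTTP/1.1" 404 512 "-" "curl/7.55"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_log(text):
    """Parse combined-format lines; unparseable lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({"ip": m["ip"], "path": m["path"],
                            "status": int(m["status"])})
    return records


def client_features(records):
    """Per client IP: (request count, error rate, distinct paths)."""
    counts = defaultdict(int)
    errors = defaultdict(int)
    paths = defaultdict(set)
    for r in records:
        counts[r["ip"]] += 1
        errors[r["ip"]] += r["status"] >= 400   # bool adds as 0/1
        paths[r["ip"]].add(r["path"])
    return {ip: (counts[ip], errors[ip] / counts[ip], len(paths[ip]))
            for ip in counts}


def threshold_anomalies(features, min_requests=5, max_error_rate=0.5):
    """Rule-based detector: busy clients whose requests mostly fail.
    The cut-offs are illustrative assumptions, not tuned values."""
    return {ip for ip, (n, err, _) in features.items()
            if n >= min_requests and err > max_error_rate}


def cluster_anomalies(features, iterations=20):
    """2-means on max-normalised features; the smaller cluster is 'anomalous'."""
    ips = sorted(features)
    maxes = [max(f[i] for f in features.values()) or 1 for i in range(3)]
    points = {ip: tuple(features[ip][i] / maxes[i] for i in range(3)) for ip in ips}
    # Deterministic seeding: the least and most 'active' normalised points.
    centroids = [points[min(ips, key=lambda ip: sum(points[ip]))],
                 points[max(ips, key=lambda ip: sum(points[ip]))]]
    assign = {}
    for _ in range(iterations):
        assign = {ip: min(range(2), key=lambda c: math.dist(points[ip], centroids[c]))
                  for ip in ips}
        for c in range(2):
            members = [points[ip] for ip in ips if assign[ip] == c]
            if members:
                centroids[c] = tuple(sum(col) / len(members) for col in zip(*members))
    small = min(range(2), key=lambda c: sum(1 for ip in ips if assign[ip] == c))
    return {ip for ip in ips if assign[ip] == small}


if __name__ == "__main__":
    feats = client_features(parse_log(SAMPLE_LOG))
    for ip, f in feats.items():
        print(ip, f)
    print("threshold:", threshold_anomalies(feats))
    print("clustering:", cluster_anomalies(feats))
```

On the constructed input both detectors agree on the one client that issues many requests which all fail; note that the client with a single legitimate 404 is not flagged by either, which is the kind of false-positive check worth running before trusting a threshold or a cluster boundary on real logs.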


Project Leaders: Glenn ten Cate, Riccardo ten Cate
Students: Heeraj H Nair and Wojciech Reguła


Heeraj H Nair successfully added code examples for Python Flask and Python Django. Heeraj helped us update the current knowledge base and iterated over the items to improve them. He delivered fully working apps for both frameworks so we could effectively test the quality of the code with both manual testing and code reviews. Details can be found here.


Feedback from Heeraj: OWASP Code Sprint gave me the opportunity to learn a lot of things while doing the code sprint. Mentors were really awesome, they have helped me a lot. Thanks for everything, OWASP!


Wojciech Reguła successfully created the Ruby on Rails code examples and arranged for an expert RoR team to also help with the review. He created an RoR app for us to test the code examples. Details can be found here.

Feedback from Wojciech: Absolutely amazing program! I learnt a lot about securing applications from the other side (currently I'm a pentester and student 😊). OWASP Code Sprint gave me an opportunity to test my programming skills, write real production code, be a part of the most used security knowledge base in the future 😉 and get to know very cool people like Glenn and Riccardo! Mentoring!


Project Leader: Ali Razmjoo
Student: Nikhil R


Nikhil R successfully added 12+ features, shellcodes (including OSX) and an obfuscation method. Commits are available here. Great work performed!

Feedback from Nikhil: The project is perfect for learning about the win32 API and writing custom shellcode, which I think would help me immensely. In the second part of the project I worked on writing more functional shellcode for Windows with abilities to download and execute files. I learned a lot about writing shellcode for Windows, which I feel is quite an achievement by itself apart from the open source contributions.


Project Leader: Simon Bennetts
Students: Blay Kevin Cedric Achi and Anamika Das


Anamika Das successfully implemented a new add-on for field enumeration. It's nearly there and just needs a few minor tweaks in order to be merged. Details can be found here.


Feedback from Anamika: It is a great opportunity for us to be a part of a well-known organization, OWASP! My mentors Simon and Ricardo were great enthusiasts! Without them, the project wouldn't have been accomplished. Honestly, I have learnt a lot from them, especially from Ricardo. It would be great to see more projects in security. Also, it would be great to have research-based projects as well (maybe not funded).


Blay Kevin Cedric Achi successfully completed and continues to work on the scope of the project deliverables.


Feedback from Blay: OWASP Code Sprint program is amazing because it helped me to work a lot, learn new things and work with amazing, passionate and influential people (Simon and Ricardo 😊). Also, it is important for students to work sometimes on community projects.


Project Leader: Sean Auriti
Students: Sourav Badami, Mohit Anand, Raghav Jajodia and Siddharth Goyal


Sourav Badami successfully implemented:
  • Travis CI integration (#286)
  • Vagrant development server implementation (#258)
  • Internationalization and localization (#351, #353)
  • Chinese translation integration (#358)
  • French translation integration (#351, #353)
  • German translation integration (#371)
  • Code compression on the production site (TBD)
  • Reformatting the code base to pass the new linter definition (#364)
  • Debug toolbar integration (#430)
  • Speed improvements (#443)
  • Application home redesign (#445)
  • Embedded script to report a bug from any website (#454)
  • Revamped add-issue page (#455)
  • New issues page for adding issues, with corresponding tests (#338)
  • Minor fixes (#335, Bugheist/extension#1, #409, #431, #440, #451, #453, #456)
  • Improved activity strips with carded design and hover effect (#506)
  • Redesigned bug hunt page form for consistency (#516)
  • Redesigned homepage by repositioning the featured website block and leaderboard section (#532)
  • Redesigned change password form (#538)
  • Redesigned login form (#542)
  • Homepage designed from the final mockup (#549)
  • Optimised and reformatted codebase (#567)


Feedback from Sourav: Amazing experience to work with Sean! Worked mostly in the backend to improve the codebase in terms of tests and code readability. In all, didn't get bored at all :)


Mohit Anand successfully added the following to bugheist.com:
  • Gamification by providing badges (Gold, Silver, Bronze)
  • User profiles include information regarding the types of bugs found
  • Comment add without refresh
  • Comment delete without refresh
  • Confirmation before deleting a comment
  • Comment edit without refresh
  • Cancel button when editing
  • Tagging users in comments; tagged users are notified through email
  • Reply to a comment
  • Chart in domain
  • Follow/unfollow a user
  • Upvote an issue
  • Notification when an issue is liked
  • Notification when someone follows a profile
  • Toggle on the issue status button
  • Updated total number of bugs
  • Search users using "user:", issues using "issue:" and domains using "domain:<domain_name>"
  • List of users following you and list of users you are following
  • Model of likers
  • Regex for domain validation during domain edit (#562)
  • Empty description and domain handled while editing
  • Pagination buttons on top of pages
  • Security against XSS attack (#563)


Feedback from Mohit: My first open source experience. Learnt a lot about Django and other technologies. Would love to keep contributing to the source.


Raghav Jajodia successfully added:
  • Search feature for issues/bugs, and for users and domains
  • Improved design for allauth pages
  • Copy-to-clipboard feature
  • Improvements to avatar upload
  • Pagination in required lists
  • Header design, with search integrated into the header
  • Styling of the lightbox plugin
  • Tiles for labels
  • Open and closed issue count for each user
  • More elegant flash messages
  • Asynchronous issue update [Open <=> Close] and asynchronous issue edit
  • Tabs in /domain
  • Search by labels
  • Improvement in check-for-duplicates
  • Monthly summary on stats [Monthly User Signups]
  • Popover for user details on the activity strip
  • Issue type distribution in /domain
  • Pie chart for issue distribution in /stats
  • Ability to switch a domain to another domain
  • Wiki update with some internal code-style guidelines
  • Revamped comments
  • "Bookmark" issues, bookmark listing and option to remove a bookmark
  • Followers and followings listed in tabs (/profile)
  • Fix for the Featured section


Feedback from Raghav: I had a really amazing experience with OWASP and Bugheist. My 3 month long involvement with Bugheist improved my understanding of Django and cyber security. I would love to see BLT grow as an open source project. We could further improve the repository by selectively opening proper issues and improving the PR reviewing method to prevent introduction of bugs and poor quality code to the repository.


Siddharth Goyal successfully added:
  • Responsive cards for errors
  • Search functionality for labels, with examples for all types of errors using the added label search
  • Footer implementation (desktop and mobile)
  • Functionality to check for the bug domain in a report
  • Graph for stats on the number of bugs reported
  • Bug reporting on mobile
  • Work on the activity section
  • Pagination for the company scoreboard and for domain-specific issues
  • Bugs listed by type on user profiles
  • New templates for emails
  • Color fix for charts
  • Issue- and domain-wise duplicate check
  • Floating navbar for desktop/mobile
  • Label-specific and open/close based listing of issues for users, with pagination
  • Custom 404/500 pages

Feedback from Siddharth: The OWASP Code Sprint 2017 program has been an absolute dream for me. The work and other people in the project have made a huge impact on my knowledge and understanding of Django, front-end and open source in general. I would love to further contribute to BLT. Also thanks to OWASP for this awesome opportunity.