Monday, August 21, 2017

OWASP Project Reviews @ APPSEC USA 2017

Once more, OWASP is reviewing projects that wish to graduate from Incubator to Lab to Flagship at this workshop.  We are also performing some more detailed health checks.  The purpose of these assessments is to determine whether a project meets the minimum criteria to graduate as outlined in the Project Health Assessment Criteria Document.  The review process begins with an initial self-assessment done by the project leader and reviewed by Matt Tesauro.  Next, the assessment enters the peer review phase, where we ask volunteers in our OWASP Community to participate and finalize the results.  Here's a Sample of a Project Assessment to give you an idea of what these look like.

We are still looking for more volunteers to help in this mission. Sign up!

OWASP Project Reviews @ APPSEC USA 2017 - Funding Incentive is Available!

Please contact Claudia Aviles Casanovas and Matt Tesauro with any questions.

Thursday, August 10, 2017

OWASP World Tour

This year the strategic goal of OWASP is to raise awareness and spread application security knowledge world-wide by hosting a training world tour.  The 2017 world tour will have three free, large-scale application security training events.  Each one-day AppSec training course will teach core security topics to 500 developers, software testers and entry-level application security professionals.

Our goal is that each training will combine general security principles, such as the principle of least privilege, using secure defaults and reducing attack surface, with AppSec-specific topics such as parameterized queries to prevent SQLi, input validation and encoding.  We are also interested in teaching how OWASP Projects can assist in developing secure software.

As part of the OWASP World Tour we are inviting all professional trainers to apply to the Call for Training for the opportunity to train in Tokyo, Boston, or Tel Aviv.  The Call for Training closes this month, so apply today!

If you are interested, or know someone who is interested, in attending the OWASP World Tour near you, please keep an eye on the OWASP Blog or the OWASP World Tour Wiki Page for registration.

Wednesday, August 9, 2017

OWASP Board of Directors Candidates and Questions

The OWASP Board of Directors is made up of seven hardworking volunteers elected to direct the financial and outreach goals of the organization.  As a group, the board members self-organize into positions and guide the organization by defining our strategic goals.  You can follow the election on the Board of Directors Election wiki page.

This year we have seven candidates running for the four open board positions.  You can click on their names to read their bios and statements of purpose:

Additionally, during this time we request that our members submit questions to be asked of the board candidates during an interview that will be recorded and shared prior to the election.  The following are the winning questions from our community.

1. How do you make sure that the board's decisions won't be influenced by any personal favors or corruption?
2. OWASP does not have a great reputation internationally due to what most people call "Politics"; how do you intend to solve the "Politics" problem?
3. How do you intend to address bullying within OWASP? If someone is a repeat offender, will you enforce rules to expel or suspend offending parties?
4. How do you intend to empower the Compliance Committee? Currently all it has the power to do is mediate or make suggestions, it needs more than that.
5. What accomplishments related to OWASP Foundation's mission have you demonstrated in the last (5) years?
6. What kind of action plan do you have in mind to help motivate the participation of Developers into OWASP community?
7. What is your strategy to keep chapters active and motivated with OWASP and keep having meetings and organize local events?

Don’t forget that you must be a member by September 30th to vote for the OWASP Board of Directors.  Get your Membership Today!

Monday, August 7, 2017

OWASP Operations Update for August 2017

Welcome to the operations update for August 2017, the ongoing series of updates on what's happening at the OWASP Foundation.  Last month's post is available here.

In another departure from our normal format, I'd like to start with a bit of a preamble to set expectations for the community.

With the staff reduced by 20%, from 8 down to 6 FTEs, things are going to take longer than anyone would like.  Know that the OWASP staff are doing the best they can under difficult circumstances.  We currently do not have an ETA on any new hires at OWASP.  However, to offset the workload from Kate and Alison's departure (detailed last month), OWASP has:

  • contracted out the accounting functions Alison was doing.  She was doing more than just accounting, but her former accounting functions have been covered.  We've had 1 month of transition and things are going fairly well.  We're still uncovering things that Alison did that haven't been handed off yet, but we're nearly there.
  • started migrating some of our oldest and least user-friendly forms/processes from Google Docs 'apps' to Jira Service Desk.  The first of these is the funds reimbursement form which should be live by mid-August with more to come over the next couple of months.
So, while we've got items in motion to help streamline things going forward, those items haven't started to pay dividends yet.  We want the community to know that the staff feel your pain with some of the inevitable delays that will happen with a smaller staff.  We're doing what we can to build up the least amount of technical and operational debt as we go forward.

OWASP IT Infrastructure Hosting - Modernizing and migrating the OWASP infrastructure
  • Remaining hosts at Rackspace: OWASP Wiki, Mailman server, Virtual-host server which provides redirects and static content
    • These are on hold until staff is back to full strength
  • For the current status details, see the June 2017 update.
The Website Reboot - aka TWR - a major effort to update and modernize OWASP's web presence
  • Phase 1 is complete
    • Note: Due to lack of staff availability, the wiki is running the legacy LTS release, not the latest stable release, so Phase 1 will need to be repeated in future when this comes off hold.
  • Phase 2, 3 and 4 are in process
  • These are on hold until staff is back to full strength.
  • For the current status details, see the June 2017 update.
The OWASP Communication Plan 
  • Discourse as a replacement for Mailman
    • On a significantly reduced roll-out plan until staff is back to full strength
    • For the roll-out plan, see the Community section below.
  • Beta program for the Foundation's Global Meetup account continues
OWASP 2017 Strategic Goal aka The OWASP World Tour 
  • TLDR: Host 4 trainings worldwide of ~500 attendees each, geared toward developers and entry-level security professionals - further details on the wiki.
  • 4 locations reduced to 3 due to staff departures
    • Tokyo Bootcamp - September 30, 2017
    • Boston BOAST - October 9, 2017
    • Tel Aviv DevSec - October 17, 2017
  • Call for Trainers anticipated launch is mid-August
Association Management System (AMS) Upgrade 
  • Completed as of August 1st, 2017
  • AppSec USA 2017
    • Final details and marketing plan in full force
    • Sponsor Expo Location Selection
      • Those sponsors who have paid in full have chosen their expo locations
      • Those who have not yet paid have not chosen their expo location and have not received their discount codes
  • AppSec EU 2018
    • Finalizing Gantt Chart
    • Conference budget built out
    • Multiple RFPs out for bid
  • AppSec APAC 2018 - proposal under review
  • 55 Corporate Members
    • $185,000 (46% of yearly goal)
  • 2017 WASPY Awards
    • Nominees notified and winners posted plus announced to the community
    • Prepping for Award Ceremony at AppSec USA 2017
  • 2017 Global Board of Directors Elections
    • Candidates vetted and notified if they are eligible or not
    • Candidates will be posted the week of August 7th
    • Scheduling candidate group interviews to start August 25th to September 1st
  • Developer Summit at AppSec USA 2017
    • 3 trainers confirmed (1 full day presentation and two 1/2 day presentations)
  • BlackHat USA 2017
    • Kelly and Dawn represented the OWASP Foundation at our booth during the event along with several community volunteers
As always, the OWASP Staff are here to make the OWASP community even stronger.  If you have a question, concern or need something, please let us know using the 'Contact Us' form.  Also, feel free to attend, suggest or otherwise engage with the OWASP Foundation further at the August 9th Board Meeting.

Your friendly remaining neighborhood OWASP staff:
    Kelly, Laura, Claudia, Tiffany, Dawn and Matt

AppSec USA Speakers

A Senior Application Security Engineer for Verizon, the Director of Software Engineering for Capital One, and a Senior Cloud Security Engineer at Netflix walk into a bar …
No, this isn’t the start of a bad InfoSec joke. It’s a preview of the speakers you can expect to hear from at OWASP’s AppSecUSA Conference in Orlando, Florida from September 19 – 22, 2017. In addition to individual breakout sessions featuring security, application, and information technology leaders from companies such as Citrix Systems, Slack, PayPal, and USAA, you’ll also have direct access to daily keynote addresses showcasing the latest security ideas and technology advances.
AppSecUSA’s opening keynote kicks off with a not-to-be-missed session from educator and author Jim Manico and Cigital CTO John Steven. Jim will weave topics from his upcoming book from McGraw-Hill and Oracle-Press about Java web security with John’s expertise on threat modeling and architecture risk analysis to frame up today’s landscape in secure development and where the industry is going.
On day two, Runa Sandvik, Director of Information Security at The New York Times, delves deeper into how application and information security impacts a variety of industries, including journalism and the general population’s understanding of the news. And if that wasn’t enough, Jen Ellis, VP of Community and Public Affairs for Rapid7, will wrap up the conference with her perspectives on how technology specialists and government agencies can work better together for a more secure information infrastructure in our world today.
AppSecUSA’s speakers tackle hot topics from government security to threat management, and from DevSecOps to cookie security and supply chain management, across a wide array of industries. For a full list of announced speakers, click here to learn more and register for AppSecUSA today. This is one lineup you don’t want to miss!

Wednesday, August 2, 2017

OWASP Top 10 2017 Project Update

The OWASP Top 10 is the most heavily referenced, most heavily used, and most heavily downloaded document at OWASP. Therefore, it rightfully receives a greater level of scrutiny and review, as befits a Flagship project.

The previous Top 10 leaders have passed the baton for this project on to a new team and we will strive to address the feedback that has been provided over the past few months. We have discussed as a team and at the OWASP Summit what steps must be taken and what changes must be made to the OWASP Top 10.

A summary of changes is listed below; please read further to understand more of the why behind them:
  • The Top 10 will focus on Vulnerability Categories.
  • Feedback on the mailing list has been moved to the Issues List in GitHub; please continue to contribute feedback there.
  • The content of the document will be extracted to provide easier translations.
  • Scoring for Top 10 entries is intended to be based on the Common Weakness Scoring System (CWSS).
  • For the 2017 Edition, 8 of 10 vulnerabilities will be selected from data submitted via the call for data and 2 of 10 will be selected from an industry-ranked survey.
  • A ranked survey is now available for industry professionals to select two new vulnerability categories for inclusion in the Top 10 2017. The deadline for the survey is 30 August, 2017.
  • The call for data is now reopened to allow for additional data to be collected for analysis. The new deadline for the extended data call is 18 September, 2017.
  • The Top 10 2017 RC2 will be released for review and feedback on 9 October, 2017.
  • The final release of the Top 10 2017 is targeted for 18 November, 2017.

[Figure: OWASP Top 10 2017 timeline (OWASP Top10 Timeline-v2.png)]

The OWASP Top 10 has always been about missing controls, flawed controls, or working controls that haven’t been used, which when present are commonly called vulnerabilities. We have traditionally linked the OWASP Top 10 to the Common Weakness Enumeration (CWE) list maintained by NIST / MITRE. We will continue to align with CWEs and utilize the CWSS scoring system to help provide an industry-standard measurement.
For the Top 10 2017, we will be focusing on vulnerability categories. These categories will be mapped to one or more CWEs where possible. The scoring system for the Top 10 will be updated to leverage the CWSS as much as feasible. Just as the Common Vulnerability Scoring System (CVSS) scores specific Common Vulnerabilities & Exposures (CVEs), we intend to use CWSS to score vulnerability categories. Where a category maps to multiple CWEs, we will use the high-water mark (the highest CWSS score among them); where a vulnerability category has no matching CWE, we will do what we can to align a CWSS score.
Although the OWASP Top 10 is partially data-driven, there is also a need to be forward looking. At the OWASP Summit we agreed that for the 2017 Edition, eight of the Top 10 will be data-driven from the public call for data and two of the Top 10 will be forward looking and driven by a survey of industry professionals. The OWASP Top 10 will clearly identify which items are forward looking: we will use the CWSS score of these items (if a CWE for the issue exists) or our best judgement on where the issue should be ranked in the Top 10.

The extended call for data can be accessed here:
The two items that are not data-driven will be supported by a qualitative survey. The survey is comprised of vulnerability categories that were identified as “on the cusp,” mailing list feedback, and previous call-for-data feedback. Respondents should rank the four most important vulnerability categories from their knowledge and experience. The two vulnerability categories with the highest total ranking will be included in the Top 10 2017. The information will also help us develop a plan to better structure the call for data for the OWASP Top 10 2020.

The survey can be accessed here:

Every single issue in the OWASP Top 10 should have a direct cause: either one or more missing or ineffective controls, or failure to use a control that is in place. Every issue should be precise in its language and view (that is, not intermingling the terms “weakness,” “vulnerability,” “threat,” “risk,” or “defect”) so that each issue is, in principle, testable. This will help us make a stronger and more defensible list of included items.
We aim to review and resolve ontological concerns, such as including issues that are not like the others. This means that in some circumstances there should be a view from the Developer perspective (documented by the OWASP Proactive Controls) and a view for the defending Blue Team (documented by the currently non-existent OWASP Defensive Controls).
Every issue should contain clear and effective advice on remediation, deterrence, delay and detection that can be adopted by any development team, no matter how small or how large. As the OWASP Top 10 are important vulnerability categories, we should strive to make our advice easy to follow and easily translatable into other languages.
From a methodology point of view, we are looking at taking lessons learned from 2017 and coming up with a better process for the OWASP Top 10 in 2020. We would like to coordinate with other teams to provide a staggered release of the other OWASP Top 10 efforts with sufficient time between each release to allow the industry to upgrade and adopt in a practical way.
Lastly, we are opening up the text to provide history and traceability. We need to ensure that all of the issues documented within any of the various Flagship projects, but particularly the OWASP Top 10, can be satisfied by developers and DevOps engineers without recourse to paid tools or services. There is value in the use of paid services and tools, but as an open (as in free and in liberty) organization, the OWASP Top 10 should have a low barrier to entry and high effectiveness for any suggested remediations.
Thank you, and we look forward to working with you on the OWASP Top 10.

OWASP Top 10 Project Leaders
Andrew van der Stock
Neil Smithline
Torsten Gigler
Data Analyst
Brian Glas