December 2010 OWASP Newsletter

I am happy to be able to send out the December 2010 OWASP Newsletter! http://www.owasp.org/index.php/Category:OWASP_Newsletter#tab=Newsletters

Thank you to our editor, Lorna Alamri, MN Chapter co-leader, AppSec US 2011 organizer, Summit 2011 organizer, Industry Committee member, and global contributor.

Happy Holidays!

Kate Hartmann
Operations Director
301-275-9403
www.owasp.org
Skype: Kate.hartmann1

OWASP 2011 Membership

(by Tom Brennan)

Can you believe the OWASP concept is approaching 10 years old?!!

It's those little things like volunteering your time, insight expertise and membership to a professional organization that make the bigger things possible and effect the mission. In growing a community, being taken seriously as a body, having citations from around the world, employees, administrative costs and even having the ability to allocate 50k in funds to put towards a global summit in 2011 is progress.

But no matter how many hours volunteered to it (OWASP), to be recognized as a "member" in 2011 starts with agreement to the principals and donation of $50usd as a member. While everything is free at OWASP this "designation" comes with a privilege that others don't get, that is the ability to support or effect change with a collective consensus of his/her peers and a vote.

Since 2002 I have personally experienced a variety of perspectives:

-Outsider looking for resources

-Individual Member

-Chapter Leader

-Board Member

-Project Leader

-Project Contributor

-Project Reviewer

-Trainer

-Evangelist

-Active Committee Member

-Member of a Supporting Sponsor(s)

In each role the perception of the of OWASP is different at the 2011 summit I hope to unify this important membership topic and I hope you will join us for the discussion. It's worth my $50 bucks per year.

Example

*For persons going to the summit as a example if they have not paid there $50 individual membership fee... Please complete this transaction as a prerequisite. This includes everyone from the board members to the newest member of this mailing list.

Not going to the summit but running a local chapter, do you lead by example with membership?

The current memberlist:

http://spreadsheets.google.com/pub?key=p6IFyntQTi7sxa2Xjx191BA

How/where do you join?

http://www.owasp.org/index.php/Membership

FAQ: If my company(5k) or university($0) is a supporter does this make me a member? Answer: No - however some have called it "associated member/lite member" as in associated with the supporting company however note, this has no voting right in the association.

Support the mission, change the world.

OWASP CSRFGuard 3.0.0.336

(from Eric Sheridan)

It is with great pride that I announce the release of OWASP CSRFGuard 3.0.0.336 (ALPHA)! This is a development release of the v3 series that is in need of peer review, testing, and general feedback in preparation for BETA. There are several significant new features that are in need of testing in the enterprise development environments. Please contact me for support if you are interested in testing the latest release. Of course, I am always open to questions, comments, or feature requests!

Please check out the project home page (http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project) and User Manual (http://www.owasp.org/index.php/CSRFGuard_3_User_Manual) for more information about how to install, configure, and deploy the OWASP CSRFGuard library.

OWASP CSRFGuard has been completely rewritten to address the various feature requests and bug fixes submitted to me over the past couple years. No longer will CSRFGuard be referred to as just a "reference implementation". By addressing the performance and scalability issues plaguing older releases, OWASP CSRFGuard v3 is intended to serve as the de-facto standard prevention mechanism against CSRF attacks for JavaEE web applications. The following is a bulleted summary of the significant changes associated with the v3 release:

• OWASP CSRFGuard is now available under the much more liberal BSD license
• Owasp.CsrfGuard.properties file can be loaded from classpath, web context directory, or current directory
• Developers can implement a custom logger to be consumed by the library
• Experimental support for the rotation of CSRF tokens once the previous token is expired
• Experimental support for creating and verifying unique CSRF tokens per page
• Experimental support for Ajax through the verification of headers dynamically injected by CSRFGuard JavaScript
• Configurable actions including Log, Invalidate, Redirect, Forward, RequestAttribute, and SessionAttribute
• Unprotected pages can be captured using same syntax used by the JavaEE container in web.xml
• Library no longer intercepts HTTP responses produced by the web application
• Developers can manually inject CSRF prevention tokens using the JSP tag library
• Developers can automate injection of CSRF prevention tokens using dynamic JavaScript DOM Manipulation
• Tokens are only injected into HTML elements that submit requests to the current origin (planned for XHR)
• JavaScript token injection can be configured to inject into links, forms, and XMLHttpRequests

Please check out the following resources for more information regarding recent project updates:

Project Page - http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project

User Manual - http://www.owasp.org/index.php/CSRFGuard_3_User_Manual

Code Repository - http://code.google.com/p/owaspcsrfguard/

Blog - http://ericsheridan.blogspot.com/

-Eric

OWASP 4.0

(From Jeff Williams)

Hi everyone,

In my mind, OWASP 1.0 was pre-wiki with lots of great work and a less great infrastructure. OWASP 2.0 was establishing the 501c3, putting in the wiki, and getting lots of great projects started. OWASP 3.0 started with the Summit in Portugal when we created the new committees and has focused on creating thriving projects instead of standalone tools. Thank you for all of your efforts growing a fun, civil, productive community.

I reach out to you now to ask you to take some time and think about what OWASP should become. The time has come to measure our success not by the number of members, projects, and conferences, but by whether we are succeeding at making the world’s software more secure. It’s time to get our message and strategy to the next level.

HELP DESIGN OWASP 4.0 IN PORTUGAL AT THE SUMMIT!

If you consider yourself an OWASP Leader, won’t you take a few minutes of quiet time and propose a few ideas for how OWASP can retool, reorganize, refocus, and revamp itself to really achieve our mission? We will rip, mix, and burn these ideas into a new strategy for OWASP at the Portugal Summit. I encourage you to check out the resort and all the plans happening right now at http://www.owasp.org/index.php/Summit_2011.

Here are some ideas to get you started.

1. We bootstrap several application security ecosystems around key technologies like mobile, cloud, REST
2. We reach out to governments around the world to help them push for application security
3. We raise money to fund real security enhancements to tools, browsers, protocols (e.g. OpenSSL)
4. We make the OWASP materials more usable by providing a “user” site and keep the wiki for development
5. We invest in marketing AppSec – How do we scale David Rice and the “greening” of AppSec
6. We continue our education initiative – academies, college chapters, videos, curriculum
7. We continue our browser initiative and do whatever it takes to get the browsers and frameworks talking
8. We invest in getting in front of new technologies like HTML5
9. We launch a no-holds barred XSS eradication campaign
10. We create a set of objective AppSec *market* metrics that quantify the state of our art
11. We continue to push on creating standards

We need your ideas NOW. Get yourself on the list!

http://www.owasp.org/index.php/Summit_2011#tab=Summit_Attendees

In one week of thinking, arguing, coding, hacking, and writing we are going to accomplish more than the rest of the world’s appsec efforts combined. We’ll see you in Portugal ready to rock. Thanks!

--Jeff Williams

OWASP Call for Trainers!

To all OWASP Leaders

In the context of the effort we are making to stabilize and consolidate an OWASP Training model that can be used as a powerful tool to spread OWASP’s knowledge and message, OWASP is looking for trainers to deliver training under the flag “OWASP projects and resources you can use today”. This is a model of training which is free for OWASP members, delivered by OWASP Leaders (with only travel expenses paid) and covering OWASP modules and/or projects.

If you are an OWASP Leader and would like to be included in OWASP's pool of trainers, this is your chance - add your name and info to the OWASP Trainers Database and be counted!

Check out the Database and do it now!

Follow all the developments on the OWASP Training here.

We are looking forward to seeing your names online!

Preventing XSS with Content Security Policy

An individual XSS can be easily remediated with contextual output encoding per the OWASP XSS Prevention Cheat Sheet. Although an individual XSS can easily be addressed, the overall cat and mouse game of effectively ridding an application of XSS can be very difficult.  To combat this problem a new security feature, Content Security Policy, has been introduced into the Mozilla Firefox browser.

Content Security Policy (CSP) is an opt-in white list approach for defining what external scripts sources are allowed to execute JavaScript or other content loading code (e.g. iframes) within the page.  By eliminating inline scripts and defining a white list of allowed external scripts it is possible to strictly control what JavaScript is executed within the page. In the event that a user injected script into the page via an improperly encoded piece of user controlled data, then Content Security Policy would identify that the JavaScript is not part of the white-listed data and the browser will disregard this unauthorized script.

Here's a basic overview of the CSP process:

1. Externalize all JavaScript within the pages (e.g no inline script
   tag, no inline JavaScript for onclick or other handling events )
2. Define the policy for your site and whitelist the allowed domains where the externalized JavaScript is located.
3. Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use.

Violation Reporting

 The violation reporting component is another huge benefit of using CSP that can be enabled by providing a value for the policy-uri field within the site's specific Content Security Policy.  In the event content (JavaScript, injected iframe, etc) is not allowed to execute due to CSP, the user's browser will issue a violation report back to the URL specified by the site's CSP.  This means that a website owner can receive real time notifications of CSP violations that could be potential XSS attacks. 

CSP Enabled Browsers

Content Security Policy is currently supported in Firefox 4. Although CSP is currently supported in only one browser, there are still many reasons to provide CSP support within a website. CSP will provide an added layer of protection to all web site users with a CSP enabled browser. In addition, CSP enabled browsers will also provide violation reporting feedback back to the web site owners in the event an XSS attack is somehow injected into the page. Finally, if CSP is well received then the intent is to formalize this into a standard and push for adoption within other browsers. 

More Information

• Spec: https://wiki.mozilla.org/Security/CSP/Specification
• Developer CSP Link: https://developer.mozilla.org/en/Introducing_Content_Security_Policy
• W3C Web App Security Working Group - CSP Link: http://www.w3.org/2010/07/appsecwg-charter#deliverables
• Mozilla Blog Post on CSP: http://blog.mozilla.com/security/2009/06/19/shutting-down-xss-with-content-security-policy/
• Sample Policy Definitions : https://wiki.mozilla.org/Security/CSP/Specification#Sample_Policy_Definitions
• Notes from one of the CSP creators (Brandon Sterne) : http://people.mozilla.com/~bsterne/content-security-policy/

Michael Coates (@_mwc) & Brandon Sterne (@bsterne)

AppSec DC is just 2 weeks away!

We have a great schedule (http://schedule.appsecdc.org) this year with 4 tracks of amazing talks and a selection of great training classes at rock bottom prices. Register now at http://reg.appsecdc.org Highlights will include keynotes from Neal Ziring of the Information Assurance Directorate of the National Security Agency (NSA) and Ron Ross of the National Institute of Standards and Technology (NIST), panel discussions of federal CISOs on their experiences with implementing application security, 50 plenary presentations by leading personalities in the field of web application security.

Also this year, AppSec DC has partnered with entities within the Department of Homeland Security, the Department of Defense, the National Institute of Standards and Technology, the National Security Agency, and other government agencies who will be contributing content focusing on Software Assurance and the role that that plays in areas such as protecting Critical Infrastructure or Supply Chain Risk Management.

In addition to two days of great speaking content, a track by the federal government, keynotes and panels, AppSec DC will also provide two days of world class training on applications security from a variety of vendors at a fraction of the cost found at other events. Training courses include:

2-Day Courses ($1495)
- Assessing and Exploiting Web Applications with Samurai-WTF
- Leading the AppSec Initative
- Remote Testing for Common Web Application Security Threats
- Software Security Best Practices

Single Day Courses ($745)
- WebAppSec.php: Developing Secure Web Applications
- The Art of Exploiting SQL Injections
- Java Security Overview
- Software Security Remediation: How to Fix Application Vulnerabilities
- Threat Modeling Express

More information can be found at http://wiki.appsecdc.org. Come join us for what is shaping up to be another amazing conference this year!

The AppSec DC Team
http://www.appsecdc.org

OWASP NYC Chapter Meetings

OWASP NYC Chapter Meeting

When: November 2nd 6:00pm - 9:00pm

Where: 345 Park Ave, NY, NY

Topics will include:
-Memory Corruption, Exploitation, and You, Dino Dai Zovi
-Escaping the Sandbox, Stephen Ridley
-Much Ado about Randomness, Aleksandr Yampolskiy
-Groundspeed: Manipulating Web Application Interfaces, Felipe Moreno

Food/Beer/Wine/Drinks Included

Cost: FREE

RSVP is required by building security, limited seats: http://www.owasp.org/index.php/NYNJMetro

OWASP NYC Metro Holiday Security Party
December 9th - 6:30 - 10:30pm

Where: STOUT 133 West 33rd Street, NY, NY 10001
When: Thursday, December 9th 2010 6:30pm - 10:30pm
Cost: $40.00 per person include food, drinks and fun!
Limited Capacity get your tickets early - 250 People

RSVP and for more information on these events events visit: http://www.owasp.org/index.php/NYNJMetro#tab=2010_Holiday_Party

Who attendees these events?

NYC Metro

Application Developers
Application Testers and Quality Assurance
Application Project Management and Staff
Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
Security Managers and Staff
Executives, Managers, and Staff Responsible for IT Security Governance
IT Professionals Interesting in Improving IT Security
Anyone interested in learning about or promoting Web Application Security

More information about membership http://www.owasp.org/index.php/Membership

Semper Fi,

Tom Brennan

OWASP NYC Metro Chapter President
OWASP Foundation Board Member
http://www.owasp.org/index.php/About_OWASP

AppSec DC is back!

OWASP Leaders,

AppSec DC is back as the premier web application security conference on the east coast! AppSec DC will take place at the Walter E. Washington Convention Center in Washington DC on November 8-11. Training will be on the 8th and 9th, talks will be on the 10th and 11th. The partner hotel is the Grand Hyatt again this year but rooms are going fast!

AppSec DC brings some of the leading minds in web application security to Washington DC for two days of talks on a wide variety of topics, including cutting edge presentations and panel discussions with leaders in the Federal, finance, and security research arenas and a variety of world class training at a fraction of the cost of other providers. Highlights will include keynotes from Neal Ziring of the Information Assurance Directorate of the National Security Agency (NSA) and Ron Ross of the National Institute of Standards and Technology (NIST), panel discussions of federal CISOs on their experiences with implementing application security, invaluable interaction and networking with attendees and presenters, a custom-made capture the flag contest by members of OWASP DC, and many of the best talks available by leading personalities in the field of web application security. Oh, and rockets.

Register: https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a
Hotel: https://resweb.passkey.com/Resweb.do?mode=welcome_gi_new&groupID=2766908
Schedule: http://www.owasp.org/index.php/OWASP_AppSec_DC_2010_Schedule

For more information visit the OWASP wiki at http://www.owasp.org/index.php/OWASP_AppSec_DC_2010or the AppSec DC website at http://appsecdc.org

Look forward to seeing you there!

--
Mark Bristow

OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
AppSec DC 2010 Organizer - https://www.appsecdc.org
OWASP DC Chapter Co-Chair - http://is.gd/5MTwu

OWASP Newsletter

Please follow the attached link to get the latest news from your OWASP Community: http://www.owasp.org/index.php/Category:OWASP_Newsletter#tab=Newsletters

Special thanks to Lorna Alamri – editor and creator of this newsletter, and to all our international translators who make this available in many languages.

If you are interested/available to contribute a few hours/quarter to the newsletter, please contact either Lorna lorna.alamri@owasp.org or me kate.hartmann@owasp.org.

Kate Hartmann
Operations Director
301-275-9403
www.owasp.org
Skype: Kate.hartmann1

IBWAS'10 Call for Papers

2nd. OWASP Ibero-American Web-Applications Security conference 2010 (IBWAS’10) ISCTE – Lisbon University Institute 25th – 26th November 2010 Lisboa, Portugal http://www.ibwas.com

Call for Papers

Introduction

There is a change in the information systems development paradigm. The emergence of Web 2.0 technologies led to the extensive deployment and use of web-based applications and web services as a way to developed new and flexible information systems. Such systems are easy to develop, deploy and maintain and demonstrate impressive features for users, resulting in their current wide use.

As a result of this paradigm shift, the security requirements have also changed. These web-based information systems have different security requirements, when compared to traditional systems. Important security issues have been found and privacy concerns have also been raised recently. In addition, the emerging Cloud Computing paradigm promises even greater flexibility; however corresponding security and privacy issues still need to be examined. The security environment should involve not only the surrounding environment but also the application core.

This conference aims to bring together application security experts, researchers, educators and practitioners from the industry, academia and international communities such as OWASP, in order to discuss open problems and new solutions in application security. In the context of this track academic researchers will be able to combine interesting results with the experience of practitioners and software engineers.

Conference Topics

Suggested topics for papers submission include (but are not limited to):

• Secure application development
• Security of service oriented architectures
• Security of development frameworks
• Threat modelling of web applications
• Cloud computing security
• Web applications vulnerabilities and analysis (code review, pen-test, static analysis etc.)
• Metrics for application security
• Countermeasures for web application vulnerabilities
• Secure coding techniques
• Platform or language security features that help secure web applications
• Secure database usage in web applications • Access control in web applications
• Web services security
• Browser security
• Privacy in web applications
• Standards, certifications and security evaluation criteria for web applications • Application security awareness and education
• Security for the mobile web
• Attacks and Vulnerability Exploitation

Global Summit 2011 Venue Proposal

OWASP Leaders,

We are looking for a venue for the Global Summit to be scheduled for four days sometime between January 15th, 2011 and February 15th, 2011. The Global Summit committee is requesting proposals from OWASP Leaders for venues. We will need your proposal by the October 4th. Proposal can be in rough draft format with estimated pricing, we just need to know who is interested in helping to put together the Global Summit to be held this coming January/or February and rough estimates of pricing for a particular location.

We are also looking for more volunteers to help with planning for the event so please respond if interested.

Venue Requirements:
Key organizer in close contact with venue.

Hosting:
30- 100 people

Cost:
$2000 USD/ per person to include facility, lodging, food, beer and transport to and from location. (This should be an all-inclusive cost per person, with the assumption that OWASP members will room together 2-4 depending on number of beds in room/apartment)

Duration:
4 days

Dates:
Will be scheduled between Jan 15th and Feb 15th

Facility requirements:
3-6 meeting rooms
1 large meeting room to hold all attendees (estimate for 75-100) e.g. auditorium.
Lodging should be part of conference facilities or within walking distance of venue.

Internet - what is bandwidth available?
Must be sufficient for a group used to high bandwidth.

Rooms:
To be shared by attendees - need to understand how many attendees to a room/suite/apartment. Apartments preferred. 4-5 star hotel acceptable.

Food:
Local Food supplier which has been pre-negotiated with hotel.

Airport:
Venue must be within 50 km's max from International airport.

We'd love to bring the OWASP Summit to your city so please consider putting together a proposal.

Thanks
OWASP Global Summit 2011 Planning Committee
martin.Knobloch@owasp.org

OWASP Secure Coding Practices - Quick Reference Guide

Leaders,

I am glad to announce I’ve just set a new project up – the OWASP Secure Coding Practices - Quick Reference Guide, led by Keith Turpin. Please welcome him!

http://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide#tab=Project_About

http://www.owasp.org/index.php/User:Keith_Turpin

As always, your suggestions and contributions would be greatly appreciated.

In addition, this project already has a very mature release, OWASP Secure Coding Practices - Quick Reference Guide/Version 1.0, which is under formal assessment and seeking Stable Release status.

http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/Current

http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment

What’s more, Matt Tesauro already volunteered to act as Second Reviewer in his quality of Board Member but we are still in need of a First Reviewer. Please do let us know if you are up to take the challenge. To do so, please fill in the following link using one of the available positions aka volunteers[1-10].

http://www.owasp.org/index.php/OWASP_Project_Reviewers_Database#tab=Project_Reviewers.2FVolunteers

Many thanks, regards,

Paulo Coimbra,

OWASP Project Manager

ESAPI 2.0 rc7 (for Java 1.5+) is now live!

ESAPI 2.0 rc7 for Java 1.5 and above is now live!

You can download the complete zip file here:

http://owasp-esapi-java.googlecode.com/files/ESAPI-2.0-rc7.zip

You can browse the ESAPI 2.0 rc7 Javadocs here:

http://owasp-esapi-java.googlecode.com/svn/trunk_doc/2.0-rc7/apidocs/index.html

Additional online project documentation can be found here:

http://owasp-esapi-java.googlecode.com/svn/trunk_doc/2.0-rc7/project-reports.html

Major enhancements include:

1. Several fixes to SecurityWrapperRequest.
2. Overhauled Singleton implementations to make the ObjFactory create instances or singletons rather than having ESAPI manage unreliably.
3. Changes to get rid of deprecated Encryptor encrypt() / decrypt() methods and replace them with the new, stronger encrypt() / decrypt() methods.
4. Several Validation fixes around returning consistent error states.
5. Made changes t0 the Encryptor so that it is no longer vulnerable to "padding oracle attacks" (issue #120)
   
6. Fixes to seal() so that it now properly works if the message being sealed contains a ":" (issue #28).
7. Examples should now work (if you follow directions in README.txt)
   whether ESAPI has been pulled from the SVN repository or downloaded
   from the zip file. (Issue #114.)
   

Please see changelog.txt at the root of the zip file for more information.

Thanks to Kevin Wall, Chris “Beef” Schmidt, Jonathon Ruckwood and Ed Schaller for their contributions in this release.

Malama Pono Aloha,

--

Jim Manico

OWASP Podcast Host/Producer

OWASP ESAPI Project Manager

http://www.manico.net

OWASP ModSecurity CRS v2.0.8

Greetings everyone,
I wanted to announce the availability of the OWASP ModSecurity CRS v2.0.8.

DOWNLOADING -
Download page - http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#tab=Download
You can also use the util/rules-updater.pl script to auto-download the latest ZIP archive (see the rules-updater-example.conf file for Repo data).

TESTING -
We have integrated the new CRS into the Demo page to help facilitate community testing -
http://www.modsecurity.org/demo/

CHANGES -
--------------------------
Version 2.0.8 - 08/27/2010
--------------------------

Improvements:
- Updated the PHPIDS filters
- Updated the SQL Injection filters to detect boolean attacks (1<2, foo == bar, etc..)
- Updated the SQL Injection filters to account for different quotes
- Added UTF-8 encoding validation support to the modsecurity_crs_10_config.conf file
- Added Rule ID 950109 to detect multiple URL encodings
- Added two experimental rules to detect anomalous use of special characters

Bug Fixes:
- Fixed Encoding Detection RegEx (950107 and 950108)
- Fixed rules-updater.pl script to better handle whitespace
https://www.modsecurity.org/tracker/browse/MODSEC-167
- Fixed missing pass action bug in modsecurity_crs_21_protocol_anomalies.conf
https://www.modsecurity.org/tracker/browse/CORERULES-55
- Fixed the anomaly scoring in the modsecurity_crs_41_phpids_filters.conf file
https://www.modsecurity.org/tracker/browse/CORERULES-54
- Updated XSS rule id 958001 to improve the .cookie regex to reduce false postives
https://www.modsecurity.org/tracker/browse/CORERULES-29


--
Ryan Barnett
OWASP ModSecurity Core Rule Set Project Leader

APPSEC BRAZIL 2010 - REGISTRATIONS OPEN!

Greetings everyone!

We're proud to announce that the OWASP's AppSec Brazil 2010 Conference registrations' are officially open!

Early bird offers are available! Hurry up!

This year we'll have keynotes by Robert 'Rsnake' Hansen and Jeremiah Grossman and Samy Kamkar as a Special Speaker!

Registrations are available here: http://www.owasp.org/index.php/AppSec_Brasil_2010#tab=Registration

All info about the event can be found at: http://www.appsecbrasil.org

If you have any doubt please contact us at organizacao2010 (at) appsecbrasil.org

See you there!

--
Leonardo Buonsanti

OWASP SPECIAL ANNOUNCEMENT

This is a special announcement in an attempt to reach out to our community’s

• Application Developers
• Application Testers and Quality Assurance
• Application Project Management and Staff
• Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
• Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
• Security Managers and Staff
• Executives, Managers, and Staff Responsible for IT Security Governance
• IT Professionals Interesting in Improving IT Security

If you have not done so already, please take a minute to register for one of our upcoming events. We have something happening in almost every part of the world! This is the time to learn the latest in Application Security from the global industry experts. Thanks to our many sponsors, we are able to continue to keep our registration and training costs low while raising the standards in the AppSec industry. Don’t miss out on this opportunity to sharpen your skills, learn new techniques, network with leaders, and advance your career. CPE credits are available for most programs.

As always, if you have any questions, please feel free to contact me. Kate.hartmann@owasp.org

September

September 7-10 AppSec US - Irvine, CA (training available)
http://www.owasp.org/index.php/AppSec_US_2010,_CA

September 17th, AppSec Ireland - Dublin, Ireland (training available)
http://www.owasp.org/index.php/OWASP_IRELAND_2010

October

October 20th, AppSec Germany – Nurnberg, Germany
http://www.owasp.org/index.php/OWASP_AppSec_Germany_2010_Conference

October 20-21, Rochester Security Summit – Rochester, NY
http://www.rochestersecurity.org/

October 20-23, OWASP China Summit 2010 – Beijing, China
http://www.owasp.org/index.php/OWASP_China_Summit_2010

October 29th , LASCON – Austin, TX
http://www.owasp.org/index.php/Lonestar_Application_Security_Conference_2010

November

November 8-11, AppSec DC 2010 – Washington, DC (training available)
http://www.owasp.org/index.php/OWASP_AppSec_DC_2010

November 16-19, AppSec Brazil – Campinas, SP, Brazil (training available)
http://www.owasp.org/index.php/AppSec_Brasil_2010

November 25-26, IBWAS – Portugal (training available)
http://www.owasp.org/index.php/IBWAS10

Kate Hartmann
Operations Director
301-275-9403
www.owasp.org
Skype: Kate.hartmann1

AppSec Ireland, AppSec DC, and AppSec US updates

OWASP Ireland September 17th 2010
The agenda has been finalized for the OWASP Ireland event. We have the pleasure to announce a number of key figures from industry which should provide some unique insight into the latest trends, threats and methodologies in the world of application security.
http://www.owasp.org/index.php/OWASP_IRELAND_2010

Keynotes:
John Viega: “Application Security in the Real World” - Considerations for AppSec in non-security companies.
http://www.owasp.org/index.php/John_Viega
Professor Fred Piper "The changing face of cryptography"
http://www.owasp.org/index.php/User:Professor_Fred_Piper
Damian Gordon Phd: “Hackers and Hollywood: The Implications of the Popular Media Representation of Computer Hacking"
http://www.owasp.org/index.php/User:Damian_Gordon

We also have some great international and local speakers covering topics from Smart phone application security to SDLC to Penetration testing techniques:

• Dan Cornell ("Smart Phones with Dumb Apps")
• Ryan Berg ("Path to a Secure Application")
• Dr Marian Ventunaec ("Testing the Enterprise E-mail Security - from Software to Cloud-based Services")
• Fred Donovan and (“Counter Intelligence as Defense……”)
• Nick Coblentz (“Microsoft's Security Development Lifecycle……”)

.. but to name a few http://www.owasp.org/index.php/OWASP_IRELAND_2010#Agenda_and_Presentations_-_September_17

Training:

http://www.owasp.org/index.php/OWASP_IRELAND_2010#Training
“Secure Application Development: Writing secure code (and testing it)”
AppSec DC: CFP Round Two:
AppSec DC 2010 is the East Coast's premiere Information Security Conference for 2010.

**AppSec DC has added a second round for CFP until August 31st, so there is still time to get submissions in for our CFP!**

Building on the success of last year's AppSec DC 2009, the AppSec DC team is working to further the OWASP conference mission of hosting the best minds in application security in a forum to share innovations and ideas. AppSec DC's unique location and relationship with federal entities in the Washington DC area also allows OWASP and affiliates to continue to reach out to and interact with the federal government in this time of ever-increasing National Security concerns.
This year, in addition to content from industry leaders in application security research, entities within the Department of Homeland Security, the Department of Defense, the National Institute of Standards and Technology and other government agencies will be contributing content focusing on Software Assurance and the role that that plays areas of extreme concern in the current climate, such as protecting Critical Infrastructure or Supply Chain Risk Management. If you work in or with the federal government, regardless of branch or service, this is likely a critical concern for some subset of your workplace, and the combination of content at this event will provide an incredible value to your and your employer.

In addition to two days of great speaking content, keynotes and panels, AppSec DC will also provide two days of world class training on applications security from a variety of vendors at a fraction of the cost found at other events. This year featured panels will not only include federal "what works" in application security, but several other areas of interest so that there will be engaging discussion for all types of attendees. The AppSec DC crew is also working a great vendor space and engaging contests, including a hacking competition built specifically for our event.

AppSec DC will take place at the Walter E. Washington Convention Center in Washington DC on November 8-11. Training will be on the 8th and 9th, talks will be on the 10th and 11th. Our partner hotel is the Grand Hyatt again this year, and a discounted rate will be available for attendees who register in Advance.

For more information visit the OWASP wiki at http://www.owasp.org/index.php/OWASP_AppSec_DC_2010
or the AppSec DC website (updates coming soon!) at http://appsecdc.org
CFP submissions should use the Easy Chair system, our URL is at http://www.easychair.org/conferences/?conf=appsecdc2010 -- Registration is required.

AppSec US 2010, CA
Register before August 15, 2010 and you may be eligible to win a free iPad! Details can be found here: http://www.owasp.org/index.php/AppSec_US_2010,_CA

Kate Hartmann
Operations Director
301-275-9403
www.owasp.org
Skype: Kate.hartmann1

Interview with Jeff Williams

OWASP,

The conference guide for OWASP AppSec Research 2010 featured an interview I did with Jeff Williams, volunteer chair of OWASP. Now it's online. Read his view on:

* Will OWASP ever reach out to developers?
* Application security and the word Trust
* Do developers care about rugged software?
* Java rootkits and trusted developers

http://owaspsweden.blogspot.com/2010/07/interview-with-jeff-williams.html

Regards, John

--
John Wilander
Chapter leader OWASP Sweden, http://owaspsweden.blogspot.com
Conference chair OWASP AppSec Research 2010, http://owasp.se