OWASP Newsletter 5

Using the same format as OWASP Newsletters [OWASP_Newsletter_1], 2 and 3, this is the page that will be used for the next Newsletter.

Featured Project: OWASP Top 10 RC1
Feedback

 * http://sylvanvonstuppe.blogspot.com/2007/02/owasp-top-10-2007-update-rc1-a5-a6.html
 * {see owasp-topten mailing list}

New Pages

 * OWASP Tiger and Tiger User Manual
 * 6th OWASP AppSec Conference - Italy 2007/Training and 6th OWASP AppSec Conference - Italy 2007/CFP
 * Signing jar files with jarsigner
 * PRNG permanent compromise attack, PRNG state compromise extension attack, PRNG direct cryptanalytic attack and Java overview
 * Session Fixation Protection
 * Poland (New Chapter)
 * Testing Guide Quotes

Updated pages

 * Unvalidated Input
 * Command Injection
 * Session Fixation
 * OWASP Java Table of Contents
 * Password length & complexity
 * Preventing SQL Injection in Java
 * Web Application Penetration Testing
 * Testing for Error Code
 * Testing for Application Discovery
 * Testing for Web Application Fingerprint
 * Testing for Brute Force
 * Testing for infrastructure configuration management
 * Testing for DB Listener
 * Testing for Bypassing Authentication Schema
 * Testing for Default or Guessable User Account
 * Handling E-Commerce Payments
 * Appendix A: Testing Tools
 * Phoenix/Tools
 * PHP CSRF Guard
 * Denver January 2007 meeting

New Documents & Presentations from chapters

Final (revised) version of the Testing Guide:

 * OWASP Testing Guide v2 doc.zip or [[Image:OWASP Testing Guide v2 pdf.zip| OWASP Testing Guide v2 pdf.zip]]

From the last Israeli chapter meeting:
 * [[media:OWASP_IL_Source_Code_Analysis_and_Application_Security.pdf|Source Code Analysis and Application Security - Cheating the Maze]] - Maty Siman, Founder & CTO, Checkmarx
 * [[media:OWASP_IL_WCF_Security.pdf|Security Implications of .Net 3.0 and the Windows Communication Foundation (WCF)]] - Emmanuel Cohen-Yashar (Manu), Senior .NET technology consultant, Sela Group
 * [[media:OWASP_IL_The_Universal_XSS_PDF_Vulnerability.pdf|Analysis of the Universal XSS PDF vulnerability - Cause, Solutions and Fun Stuff]] - Ofer Shezaf, CTO, Breach Security, Leader of OWASP IL

Latest Blog entries

 * Gartner smell the bacon/tofu!!!!
 * UAC not a security feature
 * The game is heating up
 * HTTP Cookie Analysis Tool
 * OWASP Blog’s Update
 * Interesting Article
 * Version 0.10 and First public release (Orizon)

OWASP Community

 * May 10 (18:00h) - Belgium chapter meeting
 * Apr 12 (18:00h) - Netherlands chapter meeting
 * Mar 22 (18:00h) - London chapter meeting
 * Mar 7 (18:30h) - Kansas City chapter meeting
 * Mar 6 (18:30h) - Philadelphia chapter meeting
 * Mar 6 (18:00h) - Melbourne chapter meeting
 * Feb 28 (18:00h) - Seattle chapter meeting
 * Feb 27 (18:00h) - Edmonton chapter meeting
 * Feb 22 (18:30h) - Helsinki chapter meeting
 * Feb 22 (18:00h) - London chapter meeting
 * Feb 19 (18:00h) - Rochester chapter meeting

Application Security News

 * Feb 05 - Sammy 'MySpace' KamKar Pleads Guilty in Court - "The man responsible for unleashing what is believed to be the first self-propagating cross-site scripting worm has pleaded guilty in Los Angeles Superior Court to charges stemming from his most infamous hacking."

 * Feb 05 - Why Your Organization Must Increase Its Web Application Security Budget - "The Web application security threat is a real one. A failure to respond to this threat will result in real risk to any enterprise that stores financial or customer data. While the problem is a serious one, it is not something that cannot be fixed so long as proper attention and budget are allocated to it. Unfortunately, given the unique nature of the problem and its impact on the budgetary process, it will likely require direct intervention by the financial staff."

 * Feb 05 - X-Force Notes Increase in Vulnerabilities. Where are the "X-Men" to fix them? - "According to the report, which was developed by the IBM Internet Security Systems (ISS) X-Force(R) research and development team, there were 7,247 new vulnerabilities recorded and analyzed by the X-Force in 2006, which equates to an average of 20 new vulnerabilities per day. This total represents a nearly 40 percent increase over what ISS reported in 2005. Over 88 percent of 2006 vulnerabilities could be exploited remotely, and over 50 percent allowed attackers to gain access to a machine after exploitation."

 * Feb 05 - Rubin Smacks Diebold Once Again - "Given what I've seen about voting system standards and voting system testing labs, I would bet money that the parking garage system at Baltimore Penn Station was tested more extensively before it was deployed than the Diebold voting machines that we use in Maryland."

OWASP references in the Media

 * FutureBazaar Partners with AppLabs Technologies for Security Testing
 * Lock it down: Use the revised OWASP Top Ten to secure your Web applications -- Part 1
 * Cenzic Identifies Latest Most Serious Web Application Vulnerabilities
 * With Application-Based Attacks on the Rise, No Site Is Safe, Reports CIA (Cenzic Intelligent Analysis) Lab in Year End Top Five Vulnerabilities List
 * Two Fortify Software Products Named as Finalists in 17th Annual Jolt Product Excellence Awards