OWASP Newsletter 14

OWASP Newsletter #14 (29-Feb-2008)
Welcome to the 14th edition of the OWASP Newsletter, featuring OWASP Employee #2 - Paulo Coimbra, the Proposed OWASP Project Assessment and the OWASP Summer of Code 2008 Project.

As always, if you have any content to add to the next edition, please feel free to add it directly to its WIKI page OWASP Newsletter 15.

Alison McNamee - OWASP Operations Director - Alison.mcnamee@owasp.org

Featured Item: OWASP Employee #2, Paulo Coimbra

 * Paulo Coimbra (following his recent success in managing SpoC 07) has accepted an offer to become the 2nd OWASP employee (he will be working part-time until June and full-time from then on). Paulo will take on the role of OWASP Project Manager, and here is his first short-term action plan:
 * 1) To launch and manage the new season of code – OWASP Summer of Code 2008.
 * 2) To contribute to and stabilize OWASP’s new Project Assessment Criteria.
 * 3) To contribute to the assessment, and re-assessment, of all OWASP projects.
 * 4) To build and maintain a wiki page with the status of all OWASP projects and their assessments.
 * 5) To welcome new developers who are interested in joining the OWASP community.
 * 6) To help project leaders and participants with their projects in any way that I can.

Featured Item: Proposed OWASP Project Assessment

 * OWASP has begun the process of stabilizing its PROJECT ASSESSMENT CRITERIA. The objective is to have clear and objective requirements for OWASP projects' deliverables (for both tools and documentation).
 * The current structure is still in flux, so please spend some time reviewing it and send us your comments.
 * The objective is to map all OWASP Projects to the proposed 3 project modes (Release Quality, Beta Quality and Alpha Quality) in the next couple of months.

Featured Project: OWASP Summer of Code 2008 is about to be launched - March 3rd

 * OWASP is about to launch the 'OWASP SUMMER OF CODE 2008' (SoC 2008). This follows the successful OWASP Spring of Code 2007 (SpoC 07), in which 21 projects were sponsored with a budget of US$117,500, and the OWASP Autumn of Code 2006 (AoC 06), in which 9 projects were sponsored with a budget of US$20,000.
 * The SoC 2008 is an open sponsorship program where participants/developers are paid to work on OWASP (and web security) related projects.
 * The SoC 2008 is also an opportunity for external individual or company sponsors to challenge the participants/developers to work in areas in which they are willing to invest additional funding.
 * For more details see:
 * OWASP Summer of Code 2008 - Main page of SoC 08
 * OWASP Summer of Code 2008 Press Release - Press release.
 * OWASP Summer of Code 2008 Applications - To submit applications.
 * OWASP Summer of Code 2008 - Selection - Jury's evaluation of applications.
 * Who Can Apply?
 * How To Participate (To Developers)
 * Schedule
 * Jury and Selection Criteria
 * Operational Rules
 * General Rules
 * SoC 2008 Budget

New Pages

 * OWASP Summer of Code 2008
 * OWASP Summer of Code 2008 Press Release
 * OWASP Summer of Code 2008 Applications
 * OWASP Summer of Code 2008 Applications - Proposal Type
 * OWASP Summer of Code 2008 - Selection
 * Control Template
 * JSP JSTL
 * ASDR Table of Contents

New Chapter Pages

 * Bay Area Past Events
 * Denver February 2008 Meeting
 * South Africa

Updated Pages

 * OWASP AppSec Europe 2008 - Belgium
 * OWASP AJAX Security Project Roadmap
 * Category:OWASP AJAX Security Project
 * Testing for AJAX Vulnerabilities
 * CSRF Guard 2x Roadmap
 * Category:OWASP Testing Project
 * OWASP DirBuster Project
 * OWASP Project Assessment
 * Front Range Web Application Security Summit Planning Page
 * Reviewing Code for Data Validation

Updated Chapter Pages

 * Belgium
 * Bay Area
 * San Jose
 * San Francisco Bay Area
 * Boulder
 * Denver
 * Spain
 * Latvia
 * New Zealand
 * Eugene
 * Helsinki
 * South Africa
 * Greece
 * Austin
 * Memphis
 * NYNJMetro

New Documents & Presentations from chapters

 * French Translation of OWASP Top 10

For a complete list of chapter presentations see the online table of presentations.

OWASP references in the Media

 * Your Client-Side Security Sucks
 * The Changed Face of Cybercrime
 * Authentication & Authorization Assumptions
 * Locks are to keep the honest people out

Application Security News Feed

 * Feb 28 - The W3C Web API Working Group has posted the first public working draft of XMLHttpRequest Level 2. "XMLHttpRequest Level 2 enhances XMLHttpRequest with new features, such as cross-site requests, progress events, and the handling of byte streams for both sending and receiving." I'm afraid I'm not familiar enough with XMLHttpRequest Level 1 to tell immediately what's new here. (by undefined)
 * Feb 25 - Introducing the Adobe AIR security model (by Lucas Adamski) - Learn more about the rationale behind the AIR security model and what you should consider when building AIR applications.
 * Feb 28 - OWASP Hartford tomorrow (by Marcin) - Tomorrow, February 28th, is the first ever meeting for the brand new Hartford OWASP chapter. James McGovern, the chapter lead, has been putting some effort into starting it off with a bang, so I hope everyone in the NY/CT/Mass area can make it. Agenda ...
 * Feb 27 - Off the wire: Extended validation certificates and XSS considered harmful (by Undefined) - A cross-site scripting vulnerability on the popular SourceForge.net website shows how Extended Validation SSL certificates could be exploited by fraudsters.
 * Feb 27 - Security is Everybody's Business - Microsoft Certified Professional (by Undefined) - It seems like all of us really need to understand *application security*, whether or not that was part of our original training. Fortunately, a pair of new...
 * Feb 27 - Extended Validation SSL certificates not going anywhere, as predicted (by ivanr) - According to Netcraft, there are around 4,500 web sites using Extended Validation (EV) SSL certificates, one year after this new type of certificate was introduced. At the same time, over 800,000 sites continue to use the old-style certificates...
 * Feb 27 - Polymorphic Javascript (by Gareth Heyes) - Finding a pattern in malicious JavaScript is difficult; it's possible to selectively change the source code yet still execute the same payload. There are many ways to morph JavaScript and I shall go through a few of the possibilities and provide...
 * Feb 26 - Improving Hackvertor: Polymorphic Javascript Payloads (by Arshan Dabirsiaghi) - One of the cooler tools in the webappsec hacker's handbook is Hackvertor. It's a smart encoding tool written by Gareth Heyes that helps you craft XSS vectors that pass whatever filters you're trying to evade. Rather than wasting 3 paragraphs ...