Difference between revisions of "OWASP Newsletter 12"

Jump to: navigation, search
m (OWASP references in the Media)
Line 66: Line 66:
== OWASP references in the Media==
== OWASP references in the Media==
* [http://www.technologyevangelist.com/2008/01/bruce_schneiers_spea.html Bruce Schneier's Speech at OWASP]
* [http://www.technologyevangelist.com/2008/01/bruce_schneiers_spea.html Bruce Schneier's Speech at OWASP]
* [http://duckdown.blogspot.com/2008/01/does-your-enterprise-suck-at-finding.html Does your enterprise suck at finding top talent?]

Revision as of 11:08, 29 January 2008

OWASP Newsletter #12 (01-Feb-2008)

Welcome to the 12th edition of the OWASP Newsletter, featuring TBD and the release of ESAPI v1.1.

Don’t forget, there are only a few weeks left until the OWASP Australia AppSec 2008 Conference. The conference is being held at the Gold Coast Convention Center in Queensland, Australia, and will include a Training day on February 27th, and presentations on the 28th and 29th. Register Now!

As always, if you have any content to add to the next edition, please feel free to add it directly to its WIKI page OWASP Newsletter 13.

Alison McNamee - OWASP Operations Director - alison.mcnamee@owasp.org

Featured Item: tbd

Featured Project: ESAP v1.1

ESAPI v1.1 is now available! Version 1.1 Major changes include:

1) ESAPIFilter – Added a new class that can be put in front of most applications that handles ESAPI busywork including login, logging requests, URL access check, HTTP request validation (global rules), set no cache headers, set content type, and threadlocal cleanup.

2) AccessReferenceMap – Added addDirectReference and removeDirectReference

3) Authenticator – Added Request and Response ThreadLocals to allow logout from the IntrusionDetector

4) Added “context” parameter to all validation calls so that log messages can indicate where bad data came from

5) Encoder – Move canonicalize method from Validator to Encoder as it seems to fit with all the encoding methods better.

6) Encryptor – Digital signature keypair is now derived from the master secret.

7) HTTPUtilities – Add safe versions of encodeURL and encodeRedirectURL to prevent session rewriting.

8) HTTPUtilities – Add methods to encrypt/decrypt the querystring. Also methods to encrypt/decrypt state into a cookie.

9) HTTPUtilities – Rename safe versions of dangerous methods in Java to all start with “safe”, like safeSendRedirect, safeSendForward, safeAddHeader, safeAddCookie, safeEncodeURL, safeSetContent.

10) Validator – Add getValidSafeHTML method that invokes OWASP AntiSamy to clean up rich content that might contain an attack.

11) HTTPUtilities – Added pragma nocache to the list of HTTP headers sent for setNoCacheHeaders

12) Many minor fixes, documentation enhancements, and tweaks.

Learn more on the Project Home Page!

Latest additions to the WIKI

New Pages

  • tbd

Updated pages

Updated chapter pages:

  • tbd

Other pages:

  • tbd

New Documents & Presentations from chapters

  • tbd

For a complete list of chapter presentations see the online table of presentations.

OWASP references in the Media