Difference between revisions of "OWASP Newsletter 14"

From OWASP
Jump to: navigation, search
(Featured Item: TBD)
(Featured Item: Proposed OWASP Project Assessment)
 
(17 intermediate revisions by 3 users not shown)
Line 1: Line 1:
==  OWASP Newsletter #14 (xx-Feb-2008) ==
+
==  OWASP Newsletter #14 (29-Feb-2008) ==
Welcome to the 14th edition of the OWASP Newsletter, featuring TBD and the TBD Project.
+
Welcome to the 14th edition of the OWASP Newsletter, featuring OWASP Employee #2 - Paulo Coimbra, the Proposed OWASP Project Assessment and the OWASP Summer of Code 2008 Project.
  
  
Line 8: Line 8:
 
Alison McNamee - OWASP Operations Director - Alison.mcnamee@owasp.org
 
Alison McNamee - OWASP Operations Director - Alison.mcnamee@owasp.org
  
== Featured Item: TBD==
+
== Featured Item: OWASP Employee #2, Paulo Coimbra==
*OWASP has begun the process of stabilization its [[:Category:OWASP Project Assessment|PROJECT ASSESSMENT CRITERIA]]. Your comments would certainly be very useful. Visit the page and let us know your thoughts.
+
* Paulo Coimbra (following his recent sucess of managing Spoc 07) as accepted to become the 2nd OWASP employee (he will be working part-time until June and full time from then on). Paulo will take on the role of OWASP Project Management, and here are his first short-term action plan:
 +
# To launch and manage the new season of code – OWASP Summer of Code 2008.
 +
# To contribute to and stabilize OWASP’s new Project Assessment Criteria.
 +
# To contribute to the assessment, and re-assessment, of all OWASP projects.
 +
# To build and maintain a wiki page with the status of all OWASP projects and their assessments.
 +
# To welcome new developers who are interested in joining OWASP community.
 +
# To help project leaders and participants with their projects in any way that I can.
  
== Featured Project: TBD ==
+
== Featured Item: Proposed OWASP Project Assessment==
 +
* OWASP has begun the process of stabilization its [[:Category:OWASP Project Assessment|'''PROJECT ASSESSMENT CRITERIA''']]. The objective is to have clear and objective requirements for OWASP project's (for both tools and documentation).
 +
** The current structure is still in flux, so please spend some time reviewing it and send us your comments.
 +
** The objective is to map all [[:Category:OWASP_Project|OWASP Projects]] to the proposed 3 project modes (Release Quality, Beta Quality and Alpha Quality) in the next couple months.
  
*DRUM ROLL PLEASE: MONDAY, MARCH 3, [[OWASP Summer of Code 2008|''''OWASP SUMMER OF CODE 2008'''']] WILL BE OFFICIALLY LAUNCHED!
+
== Featured Project: OWASP Spring of Code 2008 is about to be launched - March 3rd ==
** Period for submitting applications starts on the same date.
+
 
 +
* OWASP is about to launch the [[OWASP Summer of Code 2008|''''OWASP SUMMER OF CODE 2008'''']] (SoC 2008). This follows the successfull OWASP Spring of Code 2007 (SpoC 07), in which 21 projects were sponsored with a budget of US$117,500, and the OWASP Autumn of Code 2006 (AoC 06), in which 9 projects were sponsored with a budget of US$20,000.
 +
* The SoC 2008 is an open sponsorship program were participants/developers are paid to work on OWASP (and web security) related projects.
 +
* The SoC 2008 is also an opportunity for external individual or company sponsors to challenge the participants/developers to work in areas in which they are willing to invest additional funding.
 +
* For more details see:
 +
** [[OWASP Summer of Code 2008|OWASP Summer of Code 2008]]  - Main page of SoC 08
 +
** [[OWASP Summer of Code 2008 Press Release]] - Press release.
 +
** [[OWASP Summer of Code 2008 Applications]] - To submit applications.
 +
** [[OWASP Summer 0f Code 2008 : Selection]] - Jury's evaluation of applications. 
 +
** [[OWASP Summer of Code 2008#Who Can Apply?|Who Can Apply?]]
 +
** [[OWASP Summer of Code 2008#How To Participate (To Developers)|How To Participate (To Developers)]]
 +
** [[OWASP Summer of Code 2008#Schedule|Schedule]]
 +
** [[OWASP Summer of Code 2008#Jury and Selection Criteria|Jury and Selection Criteria]]
 +
** [[OWASP Summer of Code 2008#Operational Rules|Operational Rules]]
 +
** [[OWASP Summer of Code 2008#General Rules|General Rules]]
 +
** [[OWASP Summer of Code 2008#SoC 2008 Budget|SoC 2008 Budget]]
  
 
== Latest additions to the WIKI ==
 
== Latest additions to the WIKI ==
Line 81: Line 105:
 
* [http://denimgroup.typepad.com/denim_group/2008/02/authentication.html Authentication & Authorization Assumptions]
 
* [http://denimgroup.typepad.com/denim_group/2008/02/authentication.html Authentication & Authorization Assumptions]
 
* [http://cincinnatirecruiter.wordpress.com/2008/02/09/locks-are-to-keep-the-honest-people-out/ Locks are to keep the honest people out]
 
* [http://cincinnatirecruiter.wordpress.com/2008/02/09/locks-are-to-keep-the-honest-people-out/ Locks are to keep the honest people out]
 +
 +
 +
=='''[https://www.owasp.org/index.php/Template:Application_Security_News Application Security News Feed]'''==
 +
 +
* Feb 28 - [http://www.cafeconleche.org/#February_27_2008_69626| The W3C Web API Working Group has posted the first public working draft of XMLHttpRequest Level 2. "XMLHttpRequest Level 2 enhances XMLHttpRequest with new features, such as cross-site requests, progress events, and the handling of byte streams for both sending and receiving." I'm afraid I'm not familiar enough with XMLHttpRequest Level 1 to tell immediately what's new here]. (by [http://www.cafeconleche.org/today.rss undefined]) - The W3C Web API Working Group has posted the first public working draft of XMLHttpRequest Level 2. "XMLHttpRequest Level 2 enhances XMLHttpRequest with new features, such as cross-site requests, progress events, and the handling of byte streams for ...
 +
 +
* Feb 25 - [http://feeds.feedburner.com/~r/developer_center_tutorials/~3/242450087/introduction_to_air_security.html| Introducing the Adobe AIR security model] (by [http://feeds.feedburner.com/developer_center_tutorials?format=xml| Lucas Adamski]) - Learn more about the rationale behind the AIR security model and what you should consider when building AIR applications.
 +
 +
* Feb 28 - [http://feeds.feedburner.com/~r/tssci/~3/242517957/| OWASP Hartford tomorrow] (by [http://feeds.feedburner.com/tssci| Marcin]) - Tomorrow, February 28th, is the first ever meeting for the brand new Hartford Owasp chapter. James McGovern, the chapter lead has been putting some effort into starting it off with a bang, so I hope everyone in the NY/CT/Mass area can make it. Agenda ...
 +
 +
* Feb 27 - [http://www.net-security.org/news.php?id=15778 Off the wire: Extended validation certificates and XSS considered harmful] (by [http://feeds.feedburner.com/HelpNetSecurity Undefined]) - A cross-site scripting vulnerability on the popular SourceForge.net website shows how Extended Validation SSL certificates could be exploited by fraudsters.
 +
 +
* Feb 27 - [http://mcpmag.com/columns/article.asp?EditorialsID=950 Security is Everybody's Business - Microsoft Certified Professional] (by [http://news.google.com/news?svnum=10&as_scoring=r&ie=UTF-8&oe=utf8&hl=en&q=%22application+security%22+OR+%22software+security%22&output=rss Undefined]) - Security is Everybody’s Business Microsoft Certified Professional - 17 hours ago It seems like all of us really need to understand *application security*, whether or not that was part of our original training. Fortunately, a pair of new...
 +
 +
* Feb 27 - [http://blog.ivanristic.com/2008/02/extended-valida.html Extended Validation SSL certificates not going anywhere, as predicted] (by [http://blog.ivanristic.com/atom.xml ivanr]) - According to Netcraft, there are around 4,500 web sites using Extended Validation (EV) SSL certificates, one year after this new type of certificate was introduced. At the same time, over 800,000 sites continue to use the old-style certificates...
 +
 +
* Feb 27 - [http://www.thespanner.co.uk/2008/02/27/polymorphic-javascript/ Polymorphic Javascript] (by [http://www.thespanner.co.uk/feed/ Gareth Heyes]) - Finding a pattern in malicious javascript is difficult, it’s possible to selectively change the source code yet still execute the same payload. There are many ways to morph Javascript and I shall go through a few of the possibilities and provide...
 +
 +
* Feb 26 - [http://i8jesus.com/?p=15 Improving Hackvertor: Polymorphic Javascript Payloads] (by [http://i8jesus.com/?feed=atom Arshan Dabirsiaghi]) - One of the cooler tools in the webappsec hacker’s handbook is Hackvertor. It’s a smart encoding tool written by Gareth Heyes that helps you craft XSS vectors that pass whatever filters you’re trying to evade. Rather than wasting 3 paragraphs ...

Latest revision as of 14:18, 3 March 2008

Contents

OWASP Newsletter #14 (29-Feb-2008)

Welcome to the 14th edition of the OWASP Newsletter, featuring OWASP Employee #2 - Paulo Coimbra, the Proposed OWASP Project Assessment and the OWASP Summer of Code 2008 Project.


As always, if you have any content to add to the next edition, please feel free to add it directly to its WIKI page OWASP Newsletter 15.


Alison McNamee - OWASP Operations Director - Alison.mcnamee@owasp.org

Featured Item: OWASP Employee #2, Paulo Coimbra

  • Paulo Coimbra (following his recent sucess of managing Spoc 07) as accepted to become the 2nd OWASP employee (he will be working part-time until June and full time from then on). Paulo will take on the role of OWASP Project Management, and here are his first short-term action plan:
  1. To launch and manage the new season of code – OWASP Summer of Code 2008.
  2. To contribute to and stabilize OWASP’s new Project Assessment Criteria.
  3. To contribute to the assessment, and re-assessment, of all OWASP projects.
  4. To build and maintain a wiki page with the status of all OWASP projects and their assessments.
  5. To welcome new developers who are interested in joining OWASP community.
  6. To help project leaders and participants with their projects in any way that I can.

Featured Item: Proposed OWASP Project Assessment

  • OWASP has begun the process of stabilization its PROJECT ASSESSMENT CRITERIA. The objective is to have clear and objective requirements for OWASP project's (for both tools and documentation).
    • The current structure is still in flux, so please spend some time reviewing it and send us your comments.
    • The objective is to map all OWASP Projects to the proposed 3 project modes (Release Quality, Beta Quality and Alpha Quality) in the next couple months.

Featured Project: OWASP Spring of Code 2008 is about to be launched - March 3rd

Latest additions to the WIKI

New Pages

New Chapter Pages

Updated Pages


Updated chapter pages:

New Documents & Presentations from chapters

For a complete list of chapter presentations see the online table of presentations.

OWASP references in the Media


Application Security News Feed

  • Feb 28 - OWASP Hartford tomorrow (by Marcin) - Tomorrow, February 28th, is the first ever meeting for the brand new Hartford Owasp chapter. James McGovern, the chapter lead has been putting some effort into starting it off with a bang, so I hope everyone in the NY/CT/Mass area can make it. Agenda ...
  • Feb 27 - Polymorphic Javascript (by Gareth Heyes) - Finding a pattern in malicious javascript is difficult, it’s possible to selectively change the source code yet still execute the same payload. There are many ways to morph Javascript and I shall go through a few of the possibilities and provide...