Difference between revisions of "OWASP Newsletter 14"

From OWASP
(Featured Item: Proposed OWASP Project Assessment)
(Featured Item: Proposed OWASP Project Assessment)
 
(9 intermediate revisions by 3 users not shown)
Line 1: Line 1:
==  OWASP Newsletter #14 (xx-Feb-2008) ==
+
==  OWASP Newsletter #14 (29-Feb-2008) ==
Welcome to the 14th edition of the OWASP Newsletter, featuring TBD and the TBD Project.
+
Welcome to the 14th edition of the OWASP Newsletter, featuring OWASP Employee #2 - Paulo Coimbra, the Proposed OWASP Project Assessment and the OWASP Summer of Code 2008 Project.
  
  
Line 9: Line 9:
  
 
== Featured Item: OWASP Employee #2, Paulo Coimbra==
 
== Featured Item: OWASP Employee #2, Paulo Coimbra==
* Paulo Coimbra (following is recent sucess of managing Spoc 07) as accepted to become the 2nd OWASP employee (he will be working part-time until June and full time from then one). Paulo will take on the role of OWASP Project Management, and here are his first short-term action plan:
+
* Paulo Coimbra (following his recent sucess of managing Spoc 07) as accepted to become the 2nd OWASP employee (he will be working part-time until June and full time from then on). Paulo will take on the role of OWASP Project Management, and here are his first short-term action plan:
 
# To launch and manage the new season of code – OWASP Summer of Code 2008.
 
# To launch and manage the new season of code – OWASP Summer of Code 2008.
 
# To contribute to and stabilize OWASP’s new Project Assessment Criteria.
 
# To contribute to and stabilize OWASP’s new Project Assessment Criteria.
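Review bot: the revised bullet fixes "following is" and "from then one" but leaves "sucess" and "as accepted" in place, and "here are his first short-term action plan" still disagrees in number; suggest "following his recent success in managing Spoc 07", "has accepted to become", and "here is his first short-term action plan".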
Line 18: Line 18:
  
 
== Featured Item: Proposed OWASP Project Assessment==
 
== Featured Item: Proposed OWASP Project Assessment==
* OWASP has begun the process of stabilization its [[:Category:OWASP Project Assessment|'''PROJECT ASSESSMENT CRITERIA''']]. The objective is to have clear and objective requirements for OWASP project's deliverables (for both tools and documentation).  
+
* OWASP has begun the process of stabilization its [[:Category:OWASP Project Assessment|'''PROJECT ASSESSMENT CRITERIA''']]. The objective is to have clear and objective requirements for OWASP project's (for both tools and documentation).  
 
** The current structure is still in flux, so please spend some time reviewing it and send us your comments.
 
** The current structure is still in flux, so please spend some time reviewing it and send us your comments.
 
** The objective is to map all [[:Category:OWASP_Project|OWASP Projects]] to the proposed 3 project modes (Release Quality, Beta Quality and Alpha Quality) in the next couple months.
 
** The objective is to map all [[:Category:OWASP_Project|OWASP Projects]] to the proposed 3 project modes (Release Quality, Beta Quality and Alpha Quality) in the next couple months.
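Review bot: the revised bullet drops "deliverables" from "requirements for OWASP project's deliverables", leaving "requirements for OWASP project's (for both tools and documentation)" with a dangling possessive; either restore "deliverables" or reword to "requirements for OWASP projects". In the same line, "process of stabilization its" should read "process of stabilizing its".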
Line 107: Line 107:
  
  
===='''[https://www.owasp.org/index.php/Template:Application_Security_News Application Security News Feed]'''====
+
=='''[https://www.owasp.org/index.php/Template:Application_Security_News Application Security News Feed]'''==
  
 
* Feb 28 - [http://www.cafeconleche.org/#February_27_2008_69626| The W3C Web API Working Group has posted the first public working draft of XMLHttpRequest Level 2. "XMLHttpRequest Level 2 enhances XMLHttpRequest with new features, such as cross-site requests, progress events, and the handling of byte streams for both sending and receiving." I'm afraid I'm not familiar enough with XMLHttpRequest Level 1 to tell immediately what's new here]. (by [http://www.cafeconleche.org/today.rss undefined]) - The W3C Web API Working Group has posted the first public working draft of XMLHttpRequest Level 2. "XMLHttpRequest Level 2 enhances XMLHttpRequest with new features, such as cross-site requests, progress events, and the handling of byte streams for ...
 
* Feb 28 - [http://www.cafeconleche.org/#February_27_2008_69626| The W3C Web API Working Group has posted the first public working draft of XMLHttpRequest Level 2. "XMLHttpRequest Level 2 enhances XMLHttpRequest with new features, such as cross-site requests, progress events, and the handling of byte streams for both sending and receiving." I'm afraid I'm not familiar enough with XMLHttpRequest Level 1 to tell immediately what's new here]. (by [http://www.cafeconleche.org/today.rss undefined]) - The W3C Web API Working Group has posted the first public working draft of XMLHttpRequest Level 2. "XMLHttpRequest Level 2 enhances XMLHttpRequest with new features, such as cross-site requests, progress events, and the handling of byte streams for ...
Line 114: Line 114:
  
 
* Feb 28 - [http://feeds.feedburner.com/~r/tssci/~3/242517957/| OWASP Hartford tomorrow] (by [http://feeds.feedburner.com/tssci| Marcin]) - Tomorrow, February 28th, is the first ever meeting for the brand new Hartford Owasp chapter. James McGovern, the chapter lead has been putting some effort into starting it off with a bang, so I hope everyone in the NY/CT/Mass area can make it. Agenda ...
 
* Feb 28 - [http://feeds.feedburner.com/~r/tssci/~3/242517957/| OWASP Hartford tomorrow] (by [http://feeds.feedburner.com/tssci| Marcin]) - Tomorrow, February 28th, is the first ever meeting for the brand new Hartford Owasp chapter. James McGovern, the chapter lead has been putting some effort into starting it off with a bang, so I hope everyone in the NY/CT/Mass area can make it. Agenda ...
 +
 +
* Feb 27 - [http://www.net-security.org/news.php?id=15778 Off the wire: Extended validation certificates and XSS considered harmful] (by [http://feeds.feedburner.com/HelpNetSecurity Undefined]) - A cross-site scripting vulnerability on the popular SourceForge.net website shows how Extended Validation SSL certificates could be exploited by fraudsters.
 +
 +
* Feb 27 - [http://mcpmag.com/columns/article.asp?EditorialsID=950 Security is Everybody's Business - Microsoft Certified Professional] (by [http://news.google.com/news?svnum=10&as_scoring=r&ie=UTF-8&oe=utf8&hl=en&q=%22application+security%22+OR+%22software+security%22&output=rss Undefined]) - Security is Everybody’s Business Microsoft Certified Professional - 17 hours ago It seems like all of us really need to understand *application security*, whether or not that was part of our original training. Fortunately, a pair of new...
 +
 +
* Feb 27 - [http://blog.ivanristic.com/2008/02/extended-valida.html Extended Validation SSL certificates not going anywhere, as predicted] (by [http://blog.ivanristic.com/atom.xml ivanr]) - According to Netcraft, there are around 4,500 web sites using Extended Validation (EV) SSL certificates, one year after this new type of certificate was introduced. At the same time, over 800,000 sites continue to use the old-style certificates...
 +
 +
* Feb 27 - [http://www.thespanner.co.uk/2008/02/27/polymorphic-javascript/ Polymorphic Javascript] (by [http://www.thespanner.co.uk/feed/ Gareth Heyes]) - Finding a pattern in malicious javascript is difficult, it’s possible to selectively change the source code yet still execute the same payload. There are many ways to morph Javascript and I shall go through a few of the possibilities and provide...
 +
 +
* Feb 26 - [http://i8jesus.com/?p=15 Improving Hackvertor: Polymorphic Javascript Payloads] (by [http://i8jesus.com/?feed=atom Arshan Dabirsiaghi]) - One of the cooler tools in the webappsec hacker’s handbook is Hackvertor. It’s a smart encoding tool written by Gareth Heyes that helps you craft XSS vectors that pass whatever filters you’re trying to evade. Rather than wasting 3 paragraphs ...
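Review bot: two of the added feed entries (the net-security.org and mcpmag.com items) carry "(by [... Undefined])" as their byline, which is the unresolved author field from the feed rather than a real name; fill in the source name or drop the byline so the rendered page does not show "Undefined" to readers.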

Latest revision as of 14:18, 3 March 2008


OWASP Newsletter #14 (29-Feb-2008)

Welcome to the 14th edition of the OWASP Newsletter, featuring OWASP Employee #2 - Paulo Coimbra, the Proposed OWASP Project Assessment and the OWASP Summer of Code 2008 Project.


As always, if you have any content to add to the next edition, please feel free to add it directly to its WIKI page OWASP Newsletter 15.


Alison McNamee - OWASP Operations Director - Alison.mcnamee@owasp.org

Featured Item: OWASP Employee #2, Paulo Coimbra

  • Paulo Coimbra (following his recent success in managing Spoc 07) has accepted to become the 2nd OWASP employee (he will be working part-time until June and full time from then on). Paulo will take on the role of OWASP Project Management, and here is his first short-term action plan:
  1. To launch and manage the new season of code – OWASP Summer of Code 2008.
  2. To contribute to and stabilize OWASP’s new Project Assessment Criteria.
  3. To contribute to the assessment, and re-assessment, of all OWASP projects.
  4. To build and maintain a wiki page with the status of all OWASP projects and their assessments.
  5. To welcome new developers who are interested in joining OWASP community.
  6. To help project leaders and participants with their projects in any way that I can.

Featured Item: Proposed OWASP Project Assessment

  • OWASP has begun the process of stabilizing its PROJECT ASSESSMENT CRITERIA. The objective is to have clear and objective requirements for OWASP projects (for both tools and documentation).
    • The current structure is still in flux, so please spend some time reviewing it and send us your comments.
    • The objective is to map all OWASP Projects to the proposed 3 project modes (Release Quality, Beta Quality and Alpha Quality) in the next couple of months.

Featured Project: OWASP Spring of Code 2008 is about to be launched - March 3rd

Latest additions to the WIKI

New Pages

New Chapter Pages

Updated Pages


Updated chapter pages:

New Documents & Presentations from chapters

For a complete list of chapter presentations see the online table of presentations.

OWASP references in the Media


Application Security News Feed

  • Feb 28 - OWASP Hartford tomorrow (by Marcin) - Tomorrow, February 28th, is the first ever meeting for the brand new Hartford OWASP chapter. James McGovern, the chapter lead, has been putting some effort into starting it off with a bang, so I hope everyone in the NY/CT/Mass area can make it. Agenda ...
  • Feb 27 - Polymorphic Javascript (by Gareth Heyes) - Finding a pattern in malicious JavaScript is difficult; it’s possible to selectively change the source code yet still execute the same payload. There are many ways to morph JavaScript and I shall go through a few of the possibilities and provide...