Difference between revisions of "OWASP Newsletter 2"

''Sent to owasp-all mailing list on 16th Jan 2007''

''' OWASP Newsletter #2 – January 8th 2006 to January 15th 2006'''

Hello, here is another newsletter with tons of links and information about what is happening at OWASP. If you want something to appear in the next version, please add it to [[OWASP Newsletter 3]].

Dinis Cruz

Chief OWASP Evangelist

London, UK
  
 
====  OWASP News ====

* [[ORG (OWASP Report Generator)]] - New release of [http://sourceforge.net/project/downloading.php?group_id=64424&use_mirror=osdn&filename=ORG_v0.88.msi ORG Installer] (1/15/2007)

* [http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Live_CD OWASP Live CD] Beta Release - Download it from [http://www.packetfocus.com/hackos http://www.packetfocus.com/hackos]

====  Featured Projects ====

* [[OWASP WebScarab NG Project]] - Rogan has been very busy on the new version of WebScarab, which is not complete, but is already in a very usable state (I already prefer it to the current version). Rogan needs your help in testing this version and sending in your comments. Quote from [[OWASP WebScarab NG Project]]: ''WebScarab-NG is a complete rewrite of the old WebScarab application, with a special focus on making the application more user-friendly. To this end, WebScarab-NG makes use of the Spring Rich Client Platform to provide the user interface features. By using the Spring Rich Client Platform, WebScarab-NG automatically gains things like default buttons, keyboard shortcuts, support for internationalisation, etc.''

* [[:Category:OWASP Testing Project]] - As per my last email to you, we have started a review process for the new version of the OWASP Testing Guide v2 (which you can read online at the [http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents Testing Guide v2 wiki - 'Release Candidate 1'] or view in [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_RC1_pdf.zip Adobe PDF format] or [http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_v2_RC1_doc.zip Ms Doc format]). If you want to participate in this review see the [[OWASP_Testing_Project_v2.0_-_Review_Guidelines]] page.

* [[:Category:OWASP CAL9000 Project]] - This project is a great resource to (amongst other things) understand and exploit XSS. Quote: ''CAL9000 is a collection of web application security testing tools that complement the feature set of current web proxies and automated scanners. CAL9000 gives you the flexibility and functionality you need for more effective manual testing efforts. Works best when used with Firefox or Internet Explorer.''

==== Featured Story: Two free Java EE filters for CSRF, Reflected XSS, and Adobe XSS====

OWASP contributors from '''[http://www.aspectsecurity.com Aspect Security]''' have developed two new Java EE filters to protect against common web attacks. Just add a few lines to your web.xml file and enjoy the protection.

; '''CSRF and Reflected XSS Filter for Java EE'''
: This filter adds a random token to forms and URLs that prevents an attacker from executing both CSRF and reflected XSS attacks.
; '''Adobe XSS Filter for Java EE'''
: This filter protects against the recent XSS attacks on PDF files. By using a redirect and an encrypted token, this filter ensures that dangerous attacks are not passed into the Adobe reader plugin.
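As an added illustration of the token mechanism described above (example code written for this newsletter, not the Aspect Security filter or any OWASP project code): a minimal Java EE filter that mints one random token per session and redirects every request, other than an assumed entry point, that does not carry it. It assumes the servlet API (javax.servlet), a hypothetical filter class TokenFilter mapped to /* in web.xml with an init-param named entryPoint, and that the application appends the token to its own links and forms itself; the filter described above rewrites the HTML for you, which this example leaves out.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;
import javax.servlet.*;
import javax.servlet.http.*;
// Hypothetical TokenFilter, mapped to /* in web.xml; not the Aspect Security filter.
public class TokenFilter implements Filter {
    static final String TOKEN_ATTR = "owasp.token";  // session attribute holding the token
    static final String TOKEN_PARAM = "token";       // request parameter that must carry it
    private String entryPoint;                       // assumed init-param "entryPoint"
    private final SecureRandom rng = new SecureRandom();
    public void init(FilterConfig cfg) {
        entryPoint = cfg.getInitParameter("entryPoint");
        if (entryPoint == null) entryPoint = "/index.jsp";
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        // One unpredictable 128-bit token per session, minted on the first request.
        String token = (String) session.getAttribute(TOKEN_ATTR);
        if (token == null) {
            token = new BigInteger(128, rng).toString(16);
            session.setAttribute(TOKEN_ATTR, token);
        }

        // Everything except the entry point must present the session's token. A forged form
        // (CSRF) or a crafted link carrying a script payload (reflected XSS) originates
        // outside the session and cannot know the token, so it never reaches the application.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (!path.equals(entryPoint)
                && !constantTimeEquals(token, request.getParameter(TOKEN_PARAM))) {
            response.sendRedirect(request.getContextPath() + entryPoint);
            return;
        }
        chain.doFilter(req, res);  // token present and correct: let the request through
    }

    // Compare without leaking the position of the first mismatch through timing.
    static boolean constantTimeEquals(String expected, String actual) {
        if (actual == null || expected.length() != actual.length()) return false;
        int diff = 0;
        for (int i = 0; i < expected.length(); i++) diff |= expected.charAt(i) ^ actual.charAt(i);
        return diff == 0;
    }
    public void destroy() { }
}
```

Because the token rides in the query string it also lands in server logs and Referer headers, so keep it session-scoped and never reuse it across sessions.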
  

==== Featured Story: "Automated Scanner vs. The OWASP Top Ten"====

As posted in blogs.owasp.org

Apart from some shameless marketing and its [http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/01-09-2007/0004502553&EDATE= real intention with this paper], WhiteHat Security has published a good paper on the limitations of Web Application Security Scanners' capabilities to detect the [[OWASP_Top_Ten_Project|OWASP Top 10]] vulnerabilities (which, btw, all vendors claim they do). I actually think that the examples are quite basic, but they are good enough for the argument presented.

You can download this paper from [http://www.whitehatsec.com/home/assets/OWASPTop10ScannersF.pdf]

Quote: ''"The OWASP Top Ten is a list of the most critical web application security flaws – a list also often used as a minimum standard for web application vulnerability assessment (VA) and compliance. There is an ongoing industry dialog about the possibility of identifying the OWASP Top Ten in a purely automated fashion (scanning). People frequently ask what can and can’t be found using either white box or black box scanners. This is important because a single missed vulnerability, or more accurately exploited vulnerability, can cause an organization significant financial harm. Proper expectations must be set when it comes to the various vulnerability assessment solutions."''

Note: I haven't seen any Web App Scanner vendor responses, so if you spot one let me know.

====  Latest Blog Entries from blogs.owasp.org ====

* from [http://blogs.owasp.org/eoinkeary/ Eoin Keary] blog
** [http://blogs.owasp.org/eoinkeary/2007/01/11/owasp-testing-guide-v20/ OWASP Testing Guide v2.0], January 11th, 2007

** [http://blogs.owasp.org/webservices/2006/12/13/hello-world/ Pen Testing Web Services], December 13th

====  Latest additions to the WIKI ====

'''New pages'''

* [[OWASP Testing Project v2.0 - Review Guidelines]] - Support page for the OWASP Testing Project V2.0 Review effort where you will find more details on how to participate in this collaborative review process.
* [[Chapter Leader Handbook]] - Handbook for new and experienced chapter leaders on leading an active chapter community.
* [[OWASP WebScarab NG Project]] - Rogan details his work on the new version of WebScarab
* [[Phoenix/Tools]] - Good list of Web App Sec tools
* Eoin has been quite busy this week working on the new version of the [[:Category: OWASP Code Review Project]]
** [[Logging issues]]
** [[Reviewing Code for Buffer Overruns and Overflows]]
** [[Reviewing Code for OS Injection]]
** [[Reviewing Code for Data Validation]]
** [[Reviewing Code for Logging Issues]]
** [[Reviewing The Secure Code Environment]]
** [[Chapters Assigned]]
** just starting [[SQL Injection Cookbook template]], [[SQL Injection Cookbook - Oracle]], [[Preface]], [[Reasons for using automated tools]], [[Education and cultural change]], [[Tool Deployment Model]]

'''Edited Pages'''

* [[OWASP_AppSec_Conference_Sponsors]] - for you if you want to sponsor one of the [[:Category:OWASP AppSec Conference|next OWASP conferences]]. Quote from page: ''"OWASP is accepting sponsorships for the 2007 OWASP Conferences. Financial sponsorship for a conference will help defray the non-profit OWASP Foundation's expenses to prepare for and hold this conference."''
* Chapter updates: [[New_Zealand]], [[Denver]], [[Washington DC]]
* [[Membership]]
* [[Securing tomcat]]
* [[Cross-Site Request Forgery]]
* [[Chapter Rules]]
* [[OWASP Autumn of Code 2006 - Projects: Web Goat]]

====  OWASP Community ====

*'''Feb 13 (18:00h) - [[Ireland|Ireland chapter meeting]]'''

*'''Feb 6 (18:00h) - [[Melbourne|Melbourne chapter meeting]]'''

*'''Jan 31 (15:00h) - [[Mumbai|Mumbai chapter meeting]]'''

*'''Jan 30 (11:30h) - [[Austin|Austin chapter meeting]]'''

*'''Jan 25 (14:30h) - [[Italy#October_25th.2C_2007_-_Isaca_Rome|Italy@ISACA Rome]]'''

*'''Jan 23 (18:00h) - [[Belgium|Belgium chapter meeting]]'''

*'''Jan 22 (18:00h) - [[Rochester|Rochester chapter meeting]]'''

*'''Jan 17 (18:30h) - [[Denver|Denver chapter meeting]]'''

*'''Jan 16 (17:45h) - [[Edmonton|Edmonton chapter meeting]]'''

====  Application Security News (from Owasp.org) ====

; '''Jan 10 - [http://www2.csoonline.com/exclusives/column.html?CID=28072 Vulnerability Disclosure: The Good, the Bad and the Ugly]'''
:''More than a decade into the practice of vulnerability disclosure, where do we stand? Are we more secure? Or less?'', three good articles: [http://www2.csoonline.com/exclusives/column.html?CID=28071 Microsoft: Responsible Vulnerability Disclosure Protects Users], [http://www2.csoonline.com/exclusives/column.html?CID=28073 Schneier: Full Disclosure of Security Vulnerabilities a ’Damned Good Idea’], [http://www2.csoonline.com/exclusives/column.html?CID=28072 The Vulnerability Disclosure Game: Are We More Secure?] and [http://www.csoonline.com/read/010107/fea_vuln.html The Chilling Effect]

====  OWASP references in the Media ====

* [http://www.net-security.org/article.php?id=970 Automated Scanning vs. The OWASP Top Ten], Help Net Security, Croatia - Jan 11, 2007
* [http://br.sys-con.com/read/264922.htm AJAX, Design, and Mobile Devices], SYS-CON Media, NJ - Jan 10, 2007
* [http://scmagazine.com/us/news/article/623765/hot-not-web-application-vulnerabilities Hot or Not: Web application vulnerabilities], SC Magazine, UK - Dec 28, 2006
* [http://au.sys-con.com/read/322897.htm Sprajax Author – AJAX Security Tool – To Speak at AJAXWorld 2007], SYS-CON Media, NJ - Jan 13, 2007
* [http://www.computerweekly.com/Articles/2007/01/11/221120/web-application-security-vulnerabilities-by-the-numbers.htm Web application security vulnerabilities by the numbers], ComputerWeekly.com, UK - Jan 11, 2007
* This one is actually a mistake by PSC Group LLC, since there is currently no relationship between them and OWASP (note: I emailed them and they corrected this on their website): [http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20070109005299&newsLang=en Fujitsu’s GlobalSTORE Software Completes Visa’s Payment ...], Business Wire (press release), CA - Jan 9, 2007 (there is a major typo in this article (OWASP related), see if you can spot it :) )
* [http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/01-09-2007/0004502553&EDATE= WhiteHat Security Announces Risk-Free Competitive Trade-Up Program], PR Newswire (press release), NY - Jan 9, 2007

__NOEDITSECTION__

Latest revision as of 09:44, 16 January 2007
