Difference between revisions of "OWASP Newsletter 4"

From OWASP
(1 OWASP Newsletter #4)
Line 1: Line 1:
 
Using the same format as used in OWASP Newsletter's [[OWASP Newsletter 1|1]], [[OWASP Newsletter 2|2]] and [[OWASP Newsletter 3|3]] this is the page that will be used for the next Newsletter
 
Using the same format as used in OWASP Newsletter's [[OWASP Newsletter 1|1]], [[OWASP Newsletter 2|2]] and [[OWASP Newsletter 3|3]] this is the page that will be used for the next Newsletter
  
== 1 OWASP Newsletter #4 ==
+
== OWASP Newsletter #4 ==
 
http://sylvanvonstuppe.blogspot.com/2007/01/owasp-top-10-2007-update-rc1.htm
 
http://sylvanvonstuppe.blogspot.com/2007/01/owasp-top-10-2007-update-rc1.htm
  
Line 11: Line 11:
 
* This is not from an OWASP project, but a request I received from an MBA Student who is doing a survey on Open Source (http://www.surveymonkey.com/s.asp?u=387523013251])
 
* This is not from an OWASP project, but a request I received from an MBA Student who is doing a survey on Open Source (http://www.surveymonkey.com/s.asp?u=387523013251])
  
== 4 Featured Project: WebGoat 5.0 RC1 ==
+
== Featured Project: WebGoat 5.0 RC1 ==
 
'''WebGoat Overview'''
 
'''WebGoat Overview'''
  
Line 29: Line 29:
 
Please send all comments to webgoat AT g2-inc DOT com regarding this release candidate. A final release is scheduled for the end of January
 
Please send all comments to webgoat AT g2-inc DOT com regarding this release candidate. A final release is scheduled for the end of January
  
== 3 Featured Project: {TBD} ==  
+
== Featured Project: {TBD} ==  
== 5 Latest additions to the WIKI ==  
+
== Latest additions to the WIKI ==  
==== 5.1 New Pages ====  
+
==== New Pages ====  
 
* [[Top 10 2007]] - Top 10 2007 RC1 Public Comments & Review page
 
* [[Top 10 2007]] - Top 10 2007 RC1 Public Comments & Review page
 
* [[Guide to SQL Injection]] - Article examining the possibility of tampered SQL query data exploiting your database and/or application.
 
* [[Guide to SQL Injection]] - Article examining the possibility of tampered SQL query data exploiting your database and/or application.
Line 39: Line 39:
 
* [[OWASP News 2006]], [[OWASP Community 2006]] - These pages contains OWASP news stories and community events from 2006.
 
* [[OWASP News 2006]], [[OWASP Community 2006]] - These pages contains OWASP news stories and community events from 2006.
  
==== 5.2 Updated pages ====  
+
==== Updated pages ====  
 
* [[Membership]] - Add reference to the  [[Member Offers]] page and changed the 'Educational Members' category to be 'Educational and Non-Profit Members'
 
* [[Membership]] - Add reference to the  [[Member Offers]] page and changed the 'Educational Members' category to be 'Educational and Non-Profit Members'
 
* [[ORG_%28OWASP_Report_Generator%29#Building_the_Installer|Installer details for ORG]] - Information on how to build an installer for ORG using WiX
 
* [[ORG_%28OWASP_Report_Generator%29#Building_the_Installer|Installer details for ORG]] - Information on how to build an installer for ORG using WiX
Line 70: Line 70:
 
* [[:Image:ValidationQuestionnaire.doc|ValidationQuestionnaire.doc]]
 
* [[:Image:ValidationQuestionnaire.doc|ValidationQuestionnaire.doc]]
  
==== 5.3 Latest Blog entries ====  
+
==== Latest Blog entries ====  
==== 5.4 Interesting Discussion Threads ====  
+
==== Interesting Discussion Threads ====  
==== 5.5 OWASP Community ====
+
==== OWASP Community ====
 
*Feb 26-Mar 1 - [http://www.blackhat.com Black Hat DC]
 
*Feb 26-Mar 1 - [http://www.blackhat.com Black Hat DC]
 
: OWASP members receive a $100 Briefings discount by inserting BH7DCASSOC in the box marked “Coupon Codes”
 
: OWASP members receive a $100 Briefings discount by inserting BH7DCASSOC in the box marked “Coupon Codes”
Line 90: Line 90:
 
*Jan 30 (11:30h) - [[Austin|Austin chapter meeting]]
 
*Jan 30 (11:30h) - [[Austin|Austin chapter meeting]]
  
==== 5.6 Application Security News ====
+
==== Application Security News ====
  
== 6 OWASP references in the Media ==
+
== OWASP references in the Media ==
 +
 
 +
This week we have two examples of non complience with [[OWASP brand usage rules]], namely ''8. The OWASP Brand must not be used in any materials that could mislead readers by narrowly interpreting a broad application security category. For example, a vendor product that can find or protect against forced browsing must not claim that they address all of the access control category.''
 +
 
 +
* [http://www.embedded-computing.com/news/db/?5197 Java Source Code Analysis Available for Developers to Improve Software Security and Quality] - quote ''"Java Security Analysis Aligned with OWASP -- KDJ's vulnerability analysis provides excellent coverage of the vulnerabilities from the OWASP Top 10 list."''
 +
* [http://www.marketwire.com/mw/release_html_b1?release_id=208677 Ounce Labs Simplifies Regulatory and Policy Compliance With New SmartAudit] - quote : ''"1. OWASP Top Ten: Identifies the existence and location in the source code of any of the Top 10 most critical web application security vulnerabilities, a list complied by the Open Web Application Security Project."''
 +
 
 +
The problem with these claims is that it is very hard to know what exactly do they mean. At least in KDJ's case they say ''"...excelent coverage..."'' versus Ounce Labs' ''"...any of the Top 10..."''.
 +
 
 +
One idea that is currently being debated is if OWASP brand usage rules should state that if a company makes claims such as the ones above in relation with the OWASP Top 10 (or other OWASP materials), they MUST include a reference to a publicly accessible page that ‘explains’ how well they ‘think’ each element of the Top 10 is covered.
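Review bot: spelling in the added "OWASP references in the Media" section: "non complience" should read "non-compliance", and the short quote "...excelent coverage..." in the comparison paragraph misspells the "excellent coverage" phrase it quotes from the KDJ bullet above. The comparison paragraph also reads better as "it is very hard to know exactly what they mean", and the final sentence would read better as "is whether OWASP brand usage rules should state ... in relation to the OWASP Top 10" and should close with a period. The quoted press-release text itself ("a list complied by") should stay as quoted.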

Revision as of 09:30, 31 January 2007

Using the same format as OWASP Newsletters 1, 2 and 3, this is the page that will be used for the next Newsletter.

OWASP Newsletter #4

http://sylvanvonstuppe.blogspot.com/2007/01/owasp-top-10-2007-update-rc1.htm

OWASP projects that need your help

  • OWASP Top 10 2007 RC1 - We are opening review of the Top 10 2007 until February 28, 2007. Please review the document and provide feedback to the owasp-topten@lists.owasp.org mail list. If you cannot make public submissions or feedback but still wish to make your voice heard, please mail vanderaj (at) owasp.org. Please note: This document is not to be used or referenced until after its release.
  • OWASP Testing Project v2.0 - Now that the OWASP Testing Guide v2.0 has reached the 'Release Candidate 1' milestone, the time has come to make sure that everything is 100% and that there is nothing major missing (the review process ends on the 10th of Feb).
  • Online Questionnaires: I (Dinis) want to do an OWASP-wide survey; what solution should I use to create, deploy and manage it?
  • WordPress guru needed: Our blogs (http://blogs.owasp.org/) still look miserable. We need somebody to help Mide de Libero sort it out (and while you're there, get a feed to put on owasp.org and in the next version of the OWASP newsletter).
  • This is not from an OWASP project, but a request I received from an MBA Student who is doing a survey on Open Source (http://www.surveymonkey.com/s.asp?u=387523013251)

Featured Project: WebGoat 5.0 RC1

WebGoat Overview

WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

To get started, read the User and Install Guide.


WebGoat 5.0 Release Candidate 1

Thursday January 17th, WebGoat 5.0 Release Candidate 1 was released. Special thanks to the many people who have sent comments and suggestions and those who have put in the effort to contribute their time to this release.

The 5.0 release would not have been possible without the efforts of Sherif Koussa and OWASP Autumn of Code 2006.

This version can be downloaded from OWASP's SourceForge repository: WebGoat 5.0 RC1

Please send all comments regarding this release candidate to webgoat AT g2-inc DOT com. A final release is scheduled for the end of January.

Featured Project: {TBD}

Latest additions to the WIKI

New Pages

Updated pages

New Documents & Presentations from chapters

Latest Blog entries

Interesting Discussion Threads

OWASP Community

OWASP members receive a $100 Briefings discount by inserting BH7DCASSOC in the box marked “Coupon Codes”

Application Security News

OWASP references in the Media

This week we have two examples of non-compliance with the OWASP brand usage rules, namely rule 8: "The OWASP Brand must not be used in any materials that could mislead readers by narrowly interpreting a broad application security category. For example, a vendor product that can find or protect against forced browsing must not claim that they address all of the access control category."

The problem with these claims is that it is very hard to know exactly what they mean. At least in KDJ's case they say "...excellent coverage..." versus Ounce Labs' "...any of the Top 10...".

One idea that is currently being debated is whether the OWASP brand usage rules should state that if a company makes claims such as the ones above in relation to the OWASP Top 10 (or other OWASP materials), it MUST include a reference to a publicly accessible page that ‘explains’ how well it ‘thinks’ each element of the Top 10 is covered.