Difference between revisions of "OWASP Newsletter 7"

From OWASP
''Sent to owasp-all mailing list on 19 Mar 2007''

== OWASP Newsletter #7 (19-Mar-2007) ==
Welcome to the 7th OWASP Newsletter, featuring the new OWASP Spring of Code 2007, OWASP Chapter activities and introducing the new OWASP SWAAT Project. As always this newsletter is stuffed with the latest OWASP updates, blog entries and Web Application Security updates!
  
If you want to follow the latest changes to the OWASP web site, you can now point your favorite newsreader to the [http://www.owasp.org/index.php?title=Special:Recentchanges&feed=atom OWASP recent changes feed] (atom feed).

If you have any content to add to the next edition, feel free to add it directly to its WIKI page ([[OWASP Newsletter 8]]).
  
Sebastien Deleersnyder

Belgium Chapter Leader

== Featured Item 1: [[OWASP Spring Of Code 2007]] ==

Following the success of last year's Autumn of Code (AoC 06) we are now launching the OWASP Spring of Code 2007 (SpoC 007) with more budget, more energy and more expectations :)

Here are the main links for this initiative:
* [[OWASP Spring Of Code 2007]] - main page
* [[OWASP Spring Of Code 2007 : Press Release]] - The press release
* [[OWASP Spring Of Code 2007 Project Ideas]] - If you are looking for projects to do
* [[OWASP Spring Of Code 2007 Applications]] - Where to submit Applications
* [[OWASP Spring Of Code 2007 : Selection]] - The selection criteria and links to each selected project page

== Featured Item 2: [[:Category:OWASP Chapter|OWASP Chapters]] ==

Currently there are over 80 OWASP chapters worldwide! The OWASP chapters program helps to foster local discussion of application security around the world. Our local chapters are free and open to anyone. Check out the [[:Category:OWASP Chapter|chapters page]] to locate a chapter near you or start a new chapter.

There are a lot of resources available for all chapters: the [[Chapter Rules|Chapter Rules]], the OWASP [[Chapter Leader Handbook|Chapter Leader Handbook]] and, if you are short of local chapter material, the presentations we have started to make available in the monthly [[Chapter Presentation Bundles|Chapter Presentation Bundles]].

An extra call for action towards the OWASP (chapter) leaders: if you are in another country or city and would like to participate in a local chapter meeting, do not hesitate to contact the local chapter leader!

Also have a look at the great [[Phoenix/Tools]] page, created by the [[Phoenix]] chapter.

== Featured Item 3: WASC Threat Classification Project - Call for Participants ==

The WASC Threat Classification Project is seeking people to contribute towards the Threat Classification Version 2.0. Time has passed since the initial TC release, and it is important to keep this widely used document up to date.

Project Homepage: http://www.webappsec.org/projects/threat/

Interested participants can contact 'contact_@_webappsec.org' with any questions.

== Featured Project: [[:Category:OWASP SWAAT Project|OWASP SWAAT Project]] ==
SWAAT is a free web application source code analysis tool. SWAAT searches through source code and checks it against the database of potentially dangerous strings given in its .xml files. It therefore does NOT positively identify the existence of a vulnerability; that generally requires contextual knowledge of the application. It identifies the usage of functions, strings and SQL that could lead to a finding, and all potentially dangerous code references are included in the output report.

Future releases of SWAAT will include:
* a graphical user interface (GUI)
* integrated development environment (IDE) plug-ins
* more sophisticated functionality and logic (for example to work with .java source)

SWAAT was generously donated by [http://www.securitycompass.com Security Compass]
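
As an added illustration of the approach described above (example code written for this newsletter page, not SWAAT's own code and not its real XML schema), here is a small string-database scanner: it loads signatures from XML, flags every source line that references one, and leaves the judgement to a reviewer. The signature format, the file names and the sample PHP and Java sources are all constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed signature database in the spirit of SWAAT's .xml string lists (illustrative, not SWAAT's real schema).
SIGNATURES_XML = r"""<signatures>
  <signature id="php-eval" lang="php" severity="high" match="\beval\s*\(">
    Dynamic code evaluation; confirm the argument can never carry user input.
  </signature>
  <signature id="php-mysql-query" lang="php" severity="medium" match="\bmysql_query\s*\(">
    Raw SQL call; check that every value is escaped or parameterised.
  </signature>
  <signature id="java-stmt-exec" lang="java" severity="medium" match="\.execute(Query|Update)?\s*\(">
    java.sql.Statement call with a string query; prefer PreparedStatement.
  </signature>
</signatures>"""
LANG_BY_EXT = {"php": "php", "java": "java"}


def load_signatures(xml_text):
    """Parse the XML database into dicts carrying a compiled regex and a review note."""
    sigs = []
    for el in ET.fromstring(xml_text).findall("signature"):
        sigs.append({"id": el.get("id"), "lang": el.get("lang"), "severity": el.get("severity"),
                     "rx": re.compile(el.get("match")), "note": " ".join(el.text.split())})
    return sigs


def scan_source(filename, source, sigs):
    """Return every line referencing a signature for the file's language; as with
    SWAAT a hit means 'review this', not 'this is a vulnerability'."""
    lang = LANG_BY_EXT.get(filename.rsplit(".", 1)[-1].lower())
    hits = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for sig in sigs:
            if sig["lang"] == lang and sig["rx"].search(text):
                hits.append({"signature": sig["id"], "severity": sig["severity"], "file": filename,
                             "line": lineno, "code": text.strip(), "note": sig["note"]})
    return hits


def format_report(hits):
    """One line per hit, highest severity first, so a reviewer can work top-down."""
    rank = {"high": 0, "medium": 1, "low": 2}
    ordered = sorted(hits, key=lambda h: (rank.get(h["severity"], 9), h["file"], h["line"]))
    return [f'[{h["severity"]}] {h["file"]}:{h["line"]} {h["signature"]}: {h["code"]}  # {h["note"]}'
            for h in ordered]


# Constructed input: line 3 concatenates request data into SQL, line 4 evals a constant; the scanner flags both.
PHP_SAMPLE = """<?php
$id = $_GET['id'];
$res = mysql_query("SELECT * FROM users WHERE id = " . $id);
eval('$debug = 1;');
"""
JAVA_SAMPLE = 'ResultSet rs = stmt.executeQuery("SELECT * FROM t WHERE n = " + name);\n'
if __name__ == "__main__":
    sigs = load_signatures(SIGNATURES_XML)
    hits = scan_source("users.php", PHP_SAMPLE, sigs) + scan_source("Dao.java", JAVA_SAMPLE, sigs)
    print("\n".join(format_report(hits)))
```

The constant-argument eval on line 4 is reported alongside the real SQL concatenation on line 3, which is exactly the limitation the text describes: a string database finds candidates, and only contextual review separates findings from noise.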
  
 
== Featured Event: Application Security Track at Spring &lt;br /&gt; Conference 2007 (Athens, OH Mar-22) ==
Harden web applications against the OWASP "Top 10 Threats"! The Spring &lt;br /&gt; Conference 2007 is held on Thursday, March 22, 2007 on the campus of Ohio University in Athens, Ohio. It has a dedicated Application Security track and more in this day-long event that has been described as "one of the best kept secrets in Information Technology!".

Spring &lt;br /&gt; Conference 2007 is presented by the Southeast Ohio Creative Adobe Technologies User Group in partnership with Ohio University, the IT Alliance of Appalachian Ohio and Adobe.

At this event, the fifth annual, Joel Stanley of Resource Interactive, in Columbus, OH, will share his experiences in maintaining applications with user bases as large as 15+ million. He'll explore how to utilize standards by which application security and vulnerability can be judged. Join hundreds of your IT professional peers in this and your choice of thirty-four other sessions in seven tracks at this day-long event that costs only $35 (including your lunch!). Ben Forta, Chief Product Evangelist of Adobe Systems, will be giving the Keynote presentation, and Ben will be back to give a presentation at the Lunchtime Session as well. Visit [http://www.sbconference.com http://www.sbconference.com] for all the details and to register online!
  
 
== Latest additions to the WIKI ==

==== New Pages ====
* [[OWASP Spring Of Code 2007]]
* [[Kansas City March 2007 Meeting]]
  
 
==== New Documents & Presentations from chapters ====
* [[Media:KC_Mar2007_Advanced_Injection_Attacks.zip|Advanced Injection Attacks]] from the [[Kansas City]] chapter meeting (ppt within a zip)
* [[Media:KC_Mar2007_Flash_Security.pdf|Adobe Flash Security]] from the [[Kansas City]] chapter meeting (pdf)
* Luca Carettoni has published an interview with OWASP-Italy (OWASP interviews OWASP :) ); the full article (in Italian) is [http://blog.html.it/archivi/2007/02/26/quattro-chiacchiere-con-owasp-italia.php here].
* [[Image:Web Services Hacking and Hardening.pdf|Web Services Hacking and Hardening]] from the 3/8/07 NoVA chapter meeting, by Adam Vincent from Layer7

For a complete list of chapter presentations see [[OWASP_Education_Presentation|the online table of presentations]].
  
 
==== Latest Blog entries ====
* [http://blogs.owasp.org/orizon/2007/03/14/quick-updates/ Quick updates (Orizon)]
* [http://blogs.owasp.org/dre/2007/03/09/owasp-phoenix-chapter-meeting-presentation/ OWASP Phoenix chapter meeting presentation]
* [http://blogs.owasp.org/diniscruz/2007/03/09/dns-pinning/ DNS Pinning]
  
==== Updated pages ====
Updated chapter pages:
* [[Philadelphia]]
* [[London]]
* [[Phoenix]]
* [[Kansas City March 2007 Meeting]]
* [[Kansas City]]
* [[New Jersey]]
* [[Italy]]
* [[Austin]]
* [[SanDiego]] (new!)
* [[Toronto]]
* [[Helsinki]]
* [[Long Island]]
* [[Switzerland]]
  
Other pages:
* [[Appendix A: Testing Tools]]
* [[Testing for SQL Server  (OWASP-DV-008)|Testing for SQL Server]]
* [[Ajax and Other "Rich" Interface Technologies]]
* [[Testing for business logic  (OWASP-BL-001)]]
* [[:Category:OWASP SWAAT Project]]
* [[Preventing SQL Injection in Java]]
* [[:Category:OWASP WebGoat Project]]
* [[6th OWASP AppSec Conference - Italy 2007]]
* [[OWASP Java Table of Contents]]
* [[Signing jar files with jarsigner]]
* [[Testing for HTTP Methods and XST (OWASP-CM-008)|Testing for HTTP Methods and XST]]
* [[:Category talk:Code Snippet]]
* [[OWASP Autumn of Code 2006 - Project Completion]]
* [[OWASP Education Presentation]]
* [[:Category:OWASP Education Project]]
* [[How to value the real risk]]
* [[Category talk:OWASP XML Security Gateway Evaluation Criteria Project]]
* [[WebGoat User Guide Introduction]]
* [[OWASP SiteGenerator]]
* [[Chaining WebScarab onto another proxy]]
* [[Edcuation Track: Web Application Security Primer]]
* [[DN BOFinder]]
* [[OWASP Newsletter 8]]
* [[OWASP Community]]
* [[Java server (J2EE) code review]]
* [[OWASP Code Review Guide Table of Contents]]
* [[Application Security News]]
* [[Webgoat]]
* [[CSRF Guard]]
* [[:Category:Encoding]]
 +
 
==== Latest Application Security News ====
*'''Mar 15 - [http://aviv.raffon.net/2007/03/14/PhishingUsingIE7LocalResourceVulnerability.aspx local IE 7 phishing hole]'''
:Provides a nice proof of concept with CNN (link at the bottom). "Internet Explorer 7.0 is vulnerable to cross-site scripting in one of its local resources. In combination with a design flaw in this specific local resource it is possible for an attacker to easily conduct phishing attacks against IE7 users." CNET News also picked this up as a [http://news.com.com/2100-1002_3-6167410.html?part=rss&tag=2547-1_3-0-20&subj=news story].
*'''Mar 14 - [http://mybeni.rootzilla.de/mybeNi/2007/gmail_information_disclosure/ GMail Information Disclosure]'''
:Only a tiny XSS hole, used to demonstrate a disclosure proof-of-concept through AJAX/JSON of all contacts you ever mailed. If a domain covers a lot of functionality and users, one XSS can be devastating. Remember the Google Desktop vulnerability. What is frightening is that it took Beni only ~5 minutes to find an XSS hole.
*'''Mar 8 - [http://myappsecurity.blogspot.com/search/label/reflection Anurag Agarwal's reflection series]'''
:Anurag Agarwal maintains an interesting [http://myappsecurity.blogspot.com/ blog] on Web Application Security. Recently he started a series of reflections on people active in this field. Up until now he has covered Amit Klein, RSnake, Jeremiah Grossman, Ivan Ristic and Sheeraj Shah. Lots of good pointers to web application research of the last years!

==== OWASP Community ====
* Apr 17 (18:00h) - [[Rochester|Rochester chapter meeting]]
* Apr 12 (18:00h) - [[Netherlands|Netherlands chapter meeting]]
* Apr 11 (18:00h) - [[Toronto|Toronto chapter meeting]]
* Apr 10 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]
* Apr 4 (18:30h) - [[Boston|Boston chapter meeting]]
* Apr 3 (18:00h) - [[Melbourne|Melbourne chapter meeting]]
* Mar 28 (11:30h) - [[San Antonio|San Antonio chapter meeting]]
* Mar 22 (18:00h) - [[London|London chapter meeting]]
* Mar 21-22 - [[Belgium#OWASP_Top_10_2007_Update_.28Infosecurity_Belgium.2C_21_.26_.2622_Mar_2007.29|Belgium@InfoSecurity]]
* Mar 20 (18:00h) - [[Rochester|Rochester chapter meeting]]
* Mar 14 (18:00h) - [[Toronto|Toronto chapter meeting]]
* Mar 14 (18:00h) - [[Chicago|Chicago chapter meeting]]
* Mar 13 (18:00h) - [[Virginia (Northern Virginia)|Washington DC (N. VA) chapter meeting]]
  
 
== OWASP references in the Media ==
* [http://www.net-security.org/secworld.php?id=4882 SPI Dynamics, Inc. Joins OWASP as Vendor Organization Member]

Latest revision as of 18:37, 14 December 2008
