
List:       owasp-common
Subject:    OWASP Newsletter #4 (31-Jan-07)
From:       "Dinis Cruz" <dinis () ddplus ! net>
Date:       2007-01-31 18:55:53
Message-ID: 701fd6b60701311055lbb0da7cy6774d3026e4da837 () mail ! gmail ! com

Welcome to OWASP Newsletter #4

*OWASP Top 10 2007 RC1* <http://www.owasp.org/index.php/Top_10_2007>
As mentioned last week, we finally got the new version RC1 (Release
Candidate 1) of the OWASP Top 10 out for review, criticism and comment. We
take all comments very seriously (see Sylvan von Stuppe
<http://sylvanvonstuppe.blogspot.com/2007/01/owasp-top-10-2007-update-rc1.html>),
so please do spend the time to check this version and speak your mind.

*WebGoat* <http://www.owasp.org/index.php/OWASP_WebGoat_Project>
See below for a feature on one of our longest-running and most famous
projects, which has released WebGoat 5.0 RC1 containing a bunch of new
lessons created via an OWASP Autumn of Code
<http://www.owasp.org/index.php/Owasp_Autumn_Of_Code_2006> sponsorship.

*OWASP Grants*
Talking about the AoC (Autumn of Code), if all goes well we will close it
officially next week, and will announce the SpoC. SpoC, as you must be
guessing by now, is the OWASP Spring of Code (still with no connection with
Google's Summer of Code) :)

*Support for Non-Profits*
As you can see in the updated pages section, we also made a small change in
our membership criteria, where we changed the 'Educational Members' category
to be 'Educational and Non-Profit Members'.

*RSA Meetup*
If you are going to the RSA conference next week, drop a line to Brian
Bertacini from the San Jose OWASP Chapter for details on an OWASP
get-together.

*Recommended Reading*

   - The brilliant OWASP Testing Guide Presentation
     <http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_Presentation.zip>
   - SDLC for the "Geek"
     <http://blogs.owasp.org/seba/2007/01/29/sdlc-for-the-geek/>,
     Cross-Chapter cooperation
     <http://blogs.owasp.org/seba/2007/01/23/cross-chapter-cooperation/>
   - Reporting Web Vulns
     <http://blogs.owasp.org/dacort/2007/01/31/reporting-web-vulns/>
   - the Waterfall 2006 <http://www.waterfall2006.com/> conference (I
     think next year I will be doing a presentation on 'Security by Obscurity,
     don't advertise (or link to) your site' :)
   - http://www.securitybullshit.com - *"Humorous look at an industry
     spinning out of control"* by the uncompromising Mark Curphey

Don't forget, if you want something to appear in the next version, please
add it to OWASP Newsletter 5 <http://www.owasp.org/index.php/OWASP_Newsletter_5>.


Dinis Cruz
Chief OWASP Evangelist
London, UK

OWASP projects that need your help

   - OWASP Top 10 2007 RC1 <http://www.owasp.org/index.php/Top_10_2007> -
     Convert the Word (or PDF) file to wiki pages on owasp.org (open to all
     since anybody can edit the owasp.org website).
   - OWASP Top 10 2007 RC1 <http://www.owasp.org/index.php/Top_10_2007> -
     We are opening review of the Top 10 2007 until February 28, 2007. Please
     review the document and provide feedback to the
     owasp-topten@lists.owasp.org mail list. If you cannot make public
     submissions or feedback but still wish to make your voice heard, please
     mail vanderaj (at) owasp.org. *Please note: This document is not to be
     used or referenced until after its release.*
   - OWASP Testing Project v2.0
     <http://www.owasp.org/index.php/OWASP_Testing_Project_v2.0_-_Review_Guidelines> -
     Now that the OWASP Testing Guide v2.0 has reached the 'Release Candidate
     1' milestone, the time has come to make sure that everything is 100% and
     that there is nothing major missing (review process ends on the 10th of
     Feb).
   - Online Questionnaires: I (Dinis) want to do an OWASP-wide survey; what
     solution should I use to create, deploy and manage it?
   - WordPress guru needed: Our blogs (http://blogs.owasp.org/) still look
     miserable. We need somebody to help Mike de Libero to sort them out (and
     while you're there, get a feed to put on owasp.org and in the next
     version of the OWASP newsletter).

Featured Project: WebGoat 5.0 RC1

*WebGoat Overview*

WebGoat <http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project> is a
deliberately insecure J2EE web application maintained by OWASP designed to
teach web application security lessons. In each lesson, users must
demonstrate their understanding of a security issue by exploiting a real
vulnerability in the WebGoat application. For example, in one of the lessons
the user must use SQL injection to steal fake credit card numbers. The
application is a realistic teaching environment, providing users with hints
and code to further explain the lesson.

To get started, read the User and Install Guide
<http://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents%7CWebGoat>.

*WebGoat 5.0 Release Candidate 1*

Thursday January 17th, WebGoat 5.0 Release Candidate 1 was released. Special
thanks to the many people who have sent comments and suggestions and those
who have put in the effort to contribute their time to this release.

The 5.0 release would not have been possible without the efforts of Sherif
Koussa and OWASP Autumn of Code 2006
<http://www.owasp.org/index.php/Owasp_Autumn_Of_Code_2006>.

This version can be downloaded from OWASP's SourceForge repository: WebGoat
5.0 RC1 <http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824>

Please send all comments regarding this release candidate to
webgoat AT g2-inc DOT com.

Featured Item: OWASP Documentation Projects

I wrote this in an email the other day, and realized that it was a good list
of our best documentation projects:

   - OWASP Top Ten Project
     <http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project> -
     "The OWASP Top Ten provides a powerful awareness document for web
     application security. The OWASP Top Ten represents a broad consensus
     about what the most critical web application security flaws are. Project
     members include a variety of security experts from around the world who
     have shared their expertise to produce this list."
   - OWASP Guide Project
     <http://www.owasp.org/index.php/Category:OWASP_Guide_Project> -
     "The Guide is aimed at architects, developers, consultants and auditors
     and is a comprehensive manual for designing, developing and deploying
     secure web applications."
   - OWASP AppSec FAQ Project
     <http://www.owasp.org/index.php/Category:OWASP_AppSec_FAQ_Project> -
     "This FAQ answers some of the questions that developers have about Web
     Application Security. This FAQ is not specific to a particular platform
     or language. It addresses the common threats to web applications and is
     applicable to any platform."
   - OWASP Testing Guide
     <http://www.owasp.org/index.php/Category:OWASP_Testing_Project> -
     "This project's goal is to create a 'best practices' penetration testing
     framework which users can implement in their own organizations and a
     'low level' penetration testing guide that describes how to find certain
     issues."
   - OWASP CLASP Project
     <http://www.owasp.org/index.php/Category:OWASP_CLASP_Project> -
     "CLASP (Comprehensive, Lightweight Application Security Process) provides
     a well-organized and structured approach for moving security concerns
     into the early stages of the software development lifecycle, whenever
     possible."
   - OWASP Honeycomb Project
     <http://www.owasp.org/index.php/Category:OWASP_Honeycomb_Project> -
     "In the Honeycomb project, OWASP is assembling the most comprehensive and
     integrated guide ever attempted to the fundamental building blocks of
     application security (principles, threats, attacks, vulnerabilities, and
     countermeasures) through collaborative community efforts."
   - OWASP Application Security Assessment Standards Project
     <http://www.owasp.org/index.php/Category:OWASP_Application_Security_Assessment_Standards_Project> -
     "Currently there is a lack of standardization over what constitutes an
     application security assessment. With no single set of criteria being
     referenced, it is suggested that OWASP establish a set of standards
     defining and establishing a baseline approach to conducting differing
     types/levels of application security assessment. The standards should be
     flexible in design to accommodate a range of security assurance levels.
     The standards should not be viewed as placing requirements on any party.
     Rather, the standards should make recommendations about what should be
     done to be consistent with what the OWASP community believes is best
     practice. Adhering to the standards should help increase end user
     organization confidence that assessments meet an industry agreed-upon
     approach."
   - OWASP Application Security Metrics Project
     <http://www.owasp.org/index.php/Category:OWASP_Application_Security_Metrics_Project> -
     "This OWASP Project will first identify and provide the OWASP community a
     set of application security metrics that have been found by contributors
     to be effective in measuring application security. This will be followed
     by the development of new metrics that build on the initial metrics
     foundation to fulfill unmet metrics requirements. The goals of this
     Project are to make a baseline set of application security metrics
     available to the OWASP community and subsequently to provide a forum for
     the community to contribute metrics back into the baseline."

Latest additions to the WIKI

New Pages

   - Top 10 2007 <http://www.owasp.org/index.php/Top_10_2007> - Top 10
     2007 RC1 Public Comments & Review page
   - Guide to SQL Injection
     <http://www.owasp.org/index.php/Guide_to_SQL_Injection> - Article
     examining the possibility of tampered SQL query data exploiting your
     database and/or application.
   - Member Offers <http://www.owasp.org/index.php/Member_Offers> - New
     offers available for all individual OWASP Members and employees of OWASP
     Corporate Members.
   - Announce:Web Honeynet
     <http://www.owasp.org/index.php/Announce:Web_Honeynet> - Web Honeynet
     project announcement by SecuriTeam and the ISOTF.
   - Code Auditor Workbench Tool
     <http://www.owasp.org/index.php/Code_Auditor_Workbench_Tool> - Ideas
     about a source code analysis tool to aid security consultants
   - OWASP News 2006 <http://www.owasp.org/index.php/OWASP_News_2006>, OWASP
     Community 2006 <http://www.owasp.org/index.php/OWASP_Community_2006> -
     Pages containing the OWASP news stories and community events from 2006.

Updated pages

   - Membership <http://www.owasp.org/index.php/Membership> - Added a
     reference to the Member Offers
     <http://www.owasp.org/index.php/Member_Offers> page and changed the
     'Educational Members' category to be 'Educational and Non-Profit
     Members'
   - Installer details for ORG
     <http://www.owasp.org/index.php/ORG_%28OWASP_Report_Generator%29#Building_the_Installer> -
     Information on how to build an installer for ORG using WiX
   - SQL Injection <http://www.owasp.org/index.php/SQL_Injection> -
     Updated with links to the SQL Injection pages in the OWASP Guide, OWASP
     Code Review and OWASP Testing Guide
   - OWASP Stinger Project
     <http://www.owasp.org/index.php/Category:OWASP_Stinger_Project> -
     Updated with new release information (2.4 RC1)
   - .Net Research Links
     <http://www.owasp.org/index.php/.Net_Research_Links> - Several new CLR
     links
   - Fuzzing <http://www.owasp.org/index.php/Fuzzing>
   - Testing for SQL Injection
     <http://www.owasp.org/index.php/Testing_for_SQL_Injection>,
     Testing: Information Gathering
     <http://www.owasp.org/index.php/Testing:_Information_Gathering>,
     Reviewing Code for SQL Injection
     <http://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection>
   - Minor edits or comments: Talk:JAAS Tomcat Login Module
     <http://www.owasp.org/index.php/Talk:JAAS_Tomcat_Login_Module> (added
     link to Orizon Blog), OWASP Stinger 3 Ideas
     <http://www.owasp.org/index.php/OWASP_Stinger_3_Ideas>

New Documents & Presentations from chapters

   - OWASP Testing Guide Presentation
     <http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_Presentation.zip>
   - OWASP Top 10 2007 RC1.pdf
     <http://www.owasp.org/index.php/Image:OWASP_Top_10_2007_RC1.pdf> or
     OWASP Top 10 2007 RC1.doc
     <http://www.owasp.org/index.php/Image:OWASP_Top_10_2007_RC1.doc> -
     the new version of the OWASP Top 10 (Release Candidate 1)
   - From the Belgium <http://www.owasp.org/index.php/Belgium> chapter:
      - Jan 07:
         - OWASP BE 2007-01-23 OWASP Update.zip
           <http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_OWASP_Update.zip> -
           OWASP Update including 2006 poll results
         - OWASP BE 2007-01-23 AOP security.zip
           <http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_AOP_security.zip> -
           AOP Security presentation
   - From the Israel <http://www.owasp.org/index.php/Israel> chapter:
      - Jan 07:
         - Analysis of the Universal XSS PDF vulnerability - Cause,
           Solutions and Fun Stuff
           <http://www.owasp.org/images/4/4b/OWASP_IL_The_Universal_XSS_PDF_Vulnerability.pdf>
      - Nov 06 (OWASP IL mini conference):
         - Malicious content in enterprise portals
           <http://www.owasp.org/images/8/89/Enterprise_portals_security.pdf>
         - Real vs. Virtual Patching
           <http://www.owasp.org/images/6/65/Secure_coding.pdf>
         - "The Core Rule Set": Generic detection of application layer attacks
           <http://www.owasp.org/images/d/dd/The_Core_Rule_Set.pdf>
         - The OWASP Top Ten Backdoors
           <http://www.owasp.org/images/a/ae/OWASP_10_Most_Common_Backdoors.pdf>
         - Hacking The Framework
           <http://www.owasp.org/images/2/22/Hacking_The_FrameWork.ppt>
      - Jul 06:
         - Exposing cryptography for software developers
           <http://www.owasp.org/images/3/36/OWASP_IL_0706_Comsec_ShayZ_Crypto_1_0_2.pdf>
         - Preventing Spoofing, Phishing and Spamming by Secure Usability and
           Cryptography
           <http://www.owasp.org/images/1/10/OWASP_IL_Preventing_spoofing_phishing_and_spam.pdf>
   - ValidationQuestionnaire.doc
     <http://www.owasp.org/index.php/Image:ValidationQuestionnaire.doc>


Latest Blog entries

   - from Life of an OWASP Chapter Leader <http://blogs.owasp.org/seba/>
      - SDLC for the "Geek"
        <http://blogs.owasp.org/seba/2007/01/29/sdlc-for-the-geek/>
      - Cross-Chapter cooperation
        <http://blogs.owasp.org/seba/2007/01/23/cross-chapter-cooperation/>
   - from /dev/sec/webapp <http://blogs.owasp.org/dacort/>
      - Reporting Web Vulns
        <http://blogs.owasp.org/dacort/2007/01/31/reporting-web-vulns/>
   - from Security Tales From The .Net Crypt
     <http://blogs.owasp.org/keremkusmezer/>
      - Weird Thing
        <http://blogs.owasp.org/keremkusmezer/2007/01/22/weird-thing/>
      - System.Net Logging Tips
        <http://blogs.owasp.org/keremkusmezer/2007/01/23/systemnet-logging-tips/>
      - Great Project About Reflection (.Net, not Java)
        <http://blogs.owasp.org/keremkusmezer/2007/01/23/great-project-about-reflection/>
      - Buffer OverFlow in ILASM and ILDASM
        <http://blogs.owasp.org/keremkusmezer/2007/01/23/buffer-overflow-in-ilasm-and-ildasm/>
   - from Orizon post <http://blogs.owasp.org/orizon/>
      - XML galore <http://blogs.owasp.org/orizon/2007/01/23/xml-galore/>
      - Parsing freedom
        <http://blogs.owasp.org/orizon/2007/01/22/parsing-freedom/>
   - from Dinis Cruz Blog <http://blogs.owasp.org/diniscruz/>
      - An example of a flawed XSS BlackList filter
        <http://blogs.owasp.org/diniscruz/2007/01/23/an-example-of-a-flawed-xss-blacklist-filter/>



OWASP Community

   - Feb 26-Mar 1 - Black Hat DC <http://www.blackhat.com/> - OWASP members
     receive a $100 Briefings discount by inserting BH7DCASSOC in the box
     marked "Coupon Codes"
   - Feb 22 (18:00h) - London chapter meeting
     <http://www.owasp.org/index.php/London>
   - Feb 20 (18:00h) - Rochester chapter meeting
     <http://www.owasp.org/index.php/Rochester>
   - Feb 15 (18:00h) - Seattle chapter meeting
     <http://www.owasp.org/index.php/Seattle>
   - Feb 15 (18:00h) - Washington DC (MD) chapter meeting
     <http://www.owasp.org/index.php/Washington_DC>
   - Feb 15 (18:00h) - Washington DC (N. VA) chapter meeting
     <http://www.owasp.org/index.php/Virginia_%28Northern_Virginia%29>
   - Feb 14 (18:00h) - Toronto chapter meeting
     <http://www.owasp.org/index.php/Toronto>
   - Feb 13 (18:00h) - Ireland chapter meeting
     <http://www.owasp.org/index.php/Ireland>
   - Feb 12 (18:30h) - Switzerland chapter meeting
     <http://www.owasp.org/index.php/Switzerland>
   - Feb 7 (18:30h) - Boston chapter meeting
     <http://www.owasp.org/index.php/Boston>
   - Feb 6-7 - Italy@InfoSecurity
     <http://www.owasp.org/index.php/Italy#February_6th-8th.2C_2007_-_InfoSecurity>
   - Feb 6 (18:00h) - Melbourne chapter meeting
     <http://www.owasp.org/index.php/Melbourne>
   - Feb 2 (14:00h) - Chennai chapter meeting
     <http://www.owasp.org/index.php/Chennai>
   - Jan 31 (15:00h) - Mumbai chapter meeting
     <http://www.owasp.org/index.php/Mumbai>
   - Jan 30 (11:30h) - Austin chapter meeting
     <http://www.owasp.org/index.php/Austin>

Application Security News

   - Jan 23 - Greasemonkey Backdoor Proof of Concept
     <http://www.gnucitizen.org/projects/greasecarnaval> - A simple
     Greasemonkey <http://greasemonkey.mozdev.org/> script that illustrates
     the potential for abuse by hooking a backdoor into your browser using
     JavaScript and AJAX techniques.
   - Jan 23 - Web Honeynet Project Announcement
     <http://www.owasp.org/index.php/Announce:Web_Honeynet> - The newly
     formed Web Honeynet Project from SecuriTeam and the ISOTF will, in the
     next few months, announce research on real-world web server attacks
     which infect web servers with tools, connect-back shells, bots,
     downloaders, malware, etc., all of which are cross-platform (for web
     servers) and currently exploited in the wild.

OWASP References in the Media

This week we have two examples of non-compliance with the OWASP brand usage
rules <http://www.owasp.org/index.php/OWASP_brand_usage_rules>, namely rule
#8: *The OWASP Brand must not be used in any materials that could mislead
readers by narrowly interpreting a broad application security category. For
example, a vendor product that can find or protect against forced browsing
must not claim that they address all of the access control category.*

   - Java Source Code Analysis Available for Developers to Improve Software
     Security and Quality <http://www.embedded-computing.com/news/db/?5197> -
     quote: *"Java Security Analysis Aligned with OWASP -- KDJ's vulnerability
     analysis provides excellent coverage of the vulnerabilities from the
     OWASP Top 10 list."*
   - Ounce Labs Simplifies Regulatory and Policy Compliance With New
     SmartAudit <http://www.marketwire.com/mw/release_html_b1?release_id=208677> -
     quote: *"1. OWASP Top Ten: Identifies the existence and location in the
     source code of any of the Top 10 most critical web application security
     vulnerabilities, a list compiled by the Open Web Application Security
     Project."*

The problem with these claims is that it is very hard to know what exactly
they mean. At least in KDJ's case they say *"...excellent coverage..."*
versus Ounce Labs' *"...any of the Top 10..."*.

One idea that is currently being debated is whether the OWASP brand usage
rules should state that if a company makes claims such as the ones above in
relation to the OWASP Top 10 (or other OWASP materials), they MUST include
a reference to a publicly accessible page that 'explains' how well they
'think' each element of the Top 10 is covered.


href="http://www.owasp.org/index.php/SQL_Injection" title="SQL Injection">SQL \
Injection</a> - Updated with links to the SQL Injection pages in the OWASP Guide, \
OWASP Code Review and OWASP Testing Guide </li><li> <a \
href="http://www.owasp.org/index.php/Category:OWASP_Stinger_Project" \
title="Category:OWASP Stinger Project">OWASP Stinger Project</a> - Updated with new \
release information (2.4 RC1) </li><li> <a \
href="http://www.owasp.org/index.php/.Net_Research_Links" title=".Net Research \
Links">.Net Research Links</a> - Several new CLR links </li><li> <a \
href="http://www.owasp.org/index.php/Fuzzing" title="Fuzzing">Fuzzing</a> </li><li> \
<a href="http://www.owasp.org/index.php/Testing_for_SQL_Injection" title="Testing for \
SQL Injection">Testing for SQL Injection</a> , <a \
href="http://www.owasp.org/index.php/Testing:_Information_Gathering" title="Testing: \
Information Gathering">Testing: Information Gathering</a> , <a \
href="http://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection" \
title="Reviewing Code for SQL Injection">Reviewing Code for SQL Injection</a> \
</li><li> minor edits or comments: <a \
href="http://www.owasp.org/index.php/Talk:JAAS_Tomcat_Login_Module" title="Talk:JAAS \
Tomcat Login Module">Talk:JAAS Tomcat Login Module</a> , (added link to Orizon Blog) \
, <a href="http://www.owasp.org/index.php/OWASP_Stinger_3_Ideas" title="OWASP Stinger \
3 Ideas"> OWASP Stinger 3 Ideas</a>
</li></ul>
<a name="New_Documents_.26_Presentations_from_chapters"></a><h4> New Documents &amp; \
Presentations from chapters </h4> <ul><li> <a \
href="http://www.owasp.org/index.php/Image:OWASP_Testing_Guide_Presentation.zip" \
title="Image:OWASP Testing Guide Presentation.zip">OWASP Testing Guide \
Presentation</a> </li><li> <a \
href="http://www.owasp.org/index.php/Image:OWASP_Top_10_2007_RC1.pdf" \
title="Image:OWASP Top 10 2007 RC1.pdf">OWASP Top 10 2007 RC1.pdf</a> or <a \
href="http://www.owasp.org/index.php/Image:OWASP_Top_10_2007_RC1.doc" \
title="Image:OWASP Top 10 2007 RC1.doc"> OWASP Top 10 2007 RC1.doc</a> - the new \
version of the OWASP Top 10 (Release Candidate 1) </li><li> From the <a \
href="http://www.owasp.org/index.php/Belgium" title="Belgium">Belgium</a> chapter: \
<ul><li> Jan 07:  <ul><li> <a \
href="http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_OWASP_Update.zip" \
title="Image:OWASP BE 2007-01-23 OWASP Update.zip">OWASP BE 2007-01-23 OWASP \
Update.zip</a> - OWASP Update including 2006 poll results  </li><li> <a \
href="http://www.owasp.org/index.php/Image:OWASP_BE_2007-01-23_AOP_security.zip" \
title="Image:OWASP BE 2007-01-23 AOP security.zip">OWASP BE 2007-01-23 AOP \
security.zip</a> - AOP Security presentation </li></ul>
</li></ul>
</li><li> From the <a href="http://www.owasp.org/index.php/Israel" \
title="Israel">Israel</a> chapter <ul><li> Jan 07
<ul><li> <a href="http://www.owasp.org/images/4/4b/OWASP_IL_The_Universal_XSS_PDF_Vulnerability.pdf" \
class="external text" \
title="http://www.owasp.org/images/4/4b/OWASP_IL_The_Universal_XSS_PDF_Vulnerability.pdf" \
rel="nofollow">Analysis of the Universal XSS PDF vulnerability - Cause, Solutions and Fun \
Stuff</a> </li></ul>
</li><li> Nov 06 (OWASP IL mini conference):
<ul><li> <a href="http://www.owasp.org/images/8/89/Enterprise_portals_security.pdf" \
class="external text" \
title="http://www.owasp.org/images/8/89/Enterprise_portals_security.pdf" \
rel="nofollow">Malicious content in enterprise portals </a>
</li><li> <a href="http://www.owasp.org/images/6/65/Secure_coding.pdf" \
class="external text" title="http://www.owasp.org/images/6/65/Secure_coding.pdf" \
rel="nofollow">Real vs. Virtual Patching</a> </li><li> <a \
href="http://www.owasp.org/images/d/dd/The_Core_Rule_Set.pdf" class="external text" \
title="http://www.owasp.org/images/d/dd/The_Core_Rule_Set.pdf" \
rel="nofollow">&quot;The Core Rule Set&quot;: Generic detection of application layer \
attacks </a>
</li><li> <a href="http://www.owasp.org/images/a/ae/OWASP_10_Most_Common_Backdoors.pdf" \
class="external text" \
title="http://www.owasp.org/images/a/ae/OWASP_10_Most_Common_Backdoors.pdf" \
rel="nofollow">The OWASP Top Ten Backdoors </a>
</li><li> <a href="http://www.owasp.org/images/2/22/Hacking_The_FrameWork.ppt" \
class="external text" \
title="http://www.owasp.org/images/2/22/Hacking_The_FrameWork.ppt" \
rel="nofollow">Hacking The Framework</a> </li></ul>
</li><li> Jul 06: 
<ul><li> <a href="http://www.owasp.org/images/3/36/OWASP_IL_0706_Comsec_ShayZ_Crypto_1_0_2.pdf" \
class="external text" \
title="http://www.owasp.org/images/3/36/OWASP_IL_0706_Comsec_ShayZ_Crypto_1_0_2.pdf" \
rel="nofollow">Exposing cryptography for software developers </a>
</li><li> <a href="http://www.owasp.org/images/1/10/OWASP_IL_Preventing_spoofing_phishing_and_spam.pdf" \
class="external text" \
title="http://www.owasp.org/images/1/10/OWASP_IL_Preventing_spoofing_phishing_and_spam.pdf" \
rel="nofollow"> Preventing Spoofing, Phishing and Spamming by Secure Usability and \
Cryptography</a> </li></ul>
</li></ul>
</li><li> <a href="http://www.owasp.org/index.php/Image:ValidationQuestionnaire.doc" \
title="Image:ValidationQuestionnaire.doc">ValidationQuestionnaire.doc</a> </li></ul>
<a name="Latest_Blog_entries"></a><h4> Latest Blog entries </h4>
<ul><li> from <a href="http://blogs.owasp.org/seba/" class="external text" \
title="http://blogs.owasp.org/seba/" rel="nofollow">Life of an OWASP Chapter \
Leader</a> <ul><li> <a \
href="http://blogs.owasp.org/seba/2007/01/29/sdlc-for-the-geek/" class="external \
text" title="http://blogs.owasp.org/seba/2007/01/29/sdlc-for-the-geek/" \
rel="nofollow">SDLC for the "Geek"</a> </li><li> <a \
href="http://blogs.owasp.org/seba/2007/01/23/cross-chapter-cooperation/" \
class="external text" \
title="http://blogs.owasp.org/seba/2007/01/23/cross-chapter-cooperation/" \
rel="nofollow">Cross-Chapter cooperation </a>
</li></ul>
</li><li> from <a href="http://blogs.owasp.org/dacort/" class="external text" \
title="http://blogs.owasp.org/dacort/" rel="nofollow">/dev/sec/webapp</a> <ul><li> <a \
href="http://blogs.owasp.org/dacort/2007/01/31/reporting-web-vulns/" class="external \
text" title="http://blogs.owasp.org/dacort/2007/01/31/reporting-web-vulns/" \
rel="nofollow">Reporting Web Vulns</a> </li></ul>
</li><li> from <a href="http://blogs.owasp.org/keremkusmezer/" class="external text" \
title="http://blogs.owasp.org/keremkusmezer/" rel="nofollow">Security Tales From The \
.Net Crypt</a> <ul><li> <a \
href="http://blogs.owasp.org/keremkusmezer/2007/01/22/weird-thing/" class="external \
text" title="http://blogs.owasp.org/keremkusmezer/2007/01/22/weird-thing/" \
rel="nofollow">Weird Thing</a> </li><li> <a \
href="http://blogs.owasp.org/keremkusmezer/2007/01/23/systemnet-logging-tips/" \
class="external text" \
title="http://blogs.owasp.org/keremkusmezer/2007/01/23/systemnet-logging-tips/" \
rel="nofollow">System.Net Logging Tips </a>
</li><li> <a href="http://blogs.owasp.org/keremkusmezer/2007/01/23/great-project-about-reflection/" \
class="external text" \
title="http://blogs.owasp.org/keremkusmezer/2007/01/23/great-project-about-reflection/" \
rel="nofollow"> Great Project About Reflection</a> (.Net not Java)
</li><li> <a href="http://blogs.owasp.org/keremkusmezer/2007/01/23/buffer-overflow-in-ilasm-and-ildasm/" \
class="external text" \
title="http://blogs.owasp.org/keremkusmezer/2007/01/23/buffer-overflow-in-ilasm-and-ildasm/" \
rel="nofollow"> Buffer OverFlow in ILASM and ILDASM</a>
</li></ul>
</li><li> from <a href="http://blogs.owasp.org/orizon/" class="external text" \
title="http://blogs.owasp.org/orizon/" rel="nofollow">Orizon post</a> <ul><li> <a \
href="http://blogs.owasp.org/orizon/2007/01/23/xml-galore/" class="external text" \
title="http://blogs.owasp.org/orizon/2007/01/23/xml-galore/" rel="nofollow">XML \
galore</a> </li><li> <a \
href="http://blogs.owasp.org/orizon/2007/01/22/parsing-freedom/" class="external \
text" title="http://blogs.owasp.org/orizon/2007/01/22/parsing-freedom/" \
rel="nofollow">Parsing freedom</a> </li></ul>
</li><li> from <a href="http://blogs.owasp.org/diniscruz/" class="external text" \
title="http://blogs.owasp.org/diniscruz/" rel="nofollow">Dinis Cruz Blog</a> <ul><li> \
<a href="http://blogs.owasp.org/diniscruz/2007/01/23/an-example-of-a-flawed-xss-blacklist-filter/" \
class="external text" \
title="http://blogs.owasp.org/diniscruz/2007/01/23/an-example-of-a-flawed-xss-blacklist-filter/" \
rel="nofollow"> An example of a flawed XSS BlackList filter</a>
</li></ul>
</li></ul>
<a name="OWASP_Community"></a><h4> OWASP Community </h4>
<ul><li>Feb 26-Mar 1 - <a href="http://www.blackhat.com/" class="external text" \
title="http://www.blackhat.com" rel="nofollow">Black Hat DC</a> </li></ul>
<dl><dd> OWASP members receive a $100 Briefings discount by inserting BH7DCASSOC in \
the box marked "Coupon Codes" </dd></dl>
<ul><li>Feb 22 (18:00h) - <a href="http://www.owasp.org/index.php/London" \
title="London">London chapter meeting</a> </li><li>Feb 20 (18:00h) - <a \
href="http://www.owasp.org/index.php/Rochester" title="Rochester">Rochester chapter \
meeting</a> </li><li>Feb 15 (18:00h) - <a \
href="http://www.owasp.org/index.php/Seattle" title="Seattle">Seattle chapter \
meeting</a> </li><li>Feb 15 (18:00h) - <a \
href="http://www.owasp.org/index.php/Washington_DC" title="Washington DC">Washington \
DC (MD) chapter meeting</a> </li><li>Feb 15 (18:00h) - <a \
href="http://www.owasp.org/index.php/Virginia_%28Northern_Virginia%29" \
title="Virginia (Northern Virginia)">Washington DC (N. VA) chapter meeting</a> \
</li><li>Feb 15 (18:00h) - <a href="http://www.owasp.org/index.php/Seattle" \
title="Seattle">Seattle chapter meeting</a> </li><li>Feb 14 (18:00h) - <a \
href="http://www.owasp.org/index.php/Toronto" title="Toronto">Toronto chapter \
meeting</a> </li><li>Feb 13 (18:00h) - <a \
href="http://www.owasp.org/index.php/Ireland" title="Ireland">Ireland chapter \
meeting</a> </li><li>Feb 12 (18:30h) - <a \
href="http://www.owasp.org/index.php/Switzerland" title="Switzerland">Switzerland \
chapter meeting</a> </li><li>Feb 7 (18:30h) - <a \
href="http://www.owasp.org/index.php/Boston" title="Boston">Boston chapter \
meeting</a> </li><li>Feb 6-7 - <a \
href="http://www.owasp.org/index.php/Italy#February_6th-8th.2C_2007_-_InfoSecurity" \
title="Italy">Italy@InfoSecurity</a> </li><li>Feb 6 (18:00h) - <a \
href="http://www.owasp.org/index.php/Melbourne" title="Melbourne">Melbourne chapter \
meeting</a> </li><li>Feb 2 (14:00h) - <a \
href="http://www.owasp.org/index.php/Chennai" title="Chennai">Chennai chapter \
meeting</a> </li><li>Jan 31 (15:00h) - <a \
href="http://www.owasp.org/index.php/Mumbai" title="Mumbai">Mumbai chapter \
meeting</a> </li><li>Jan 30 (11:30h) - <a \
href="http://www.owasp.org/index.php/Austin" title="Austin">Austin chapter \
meeting</a> </li></ul>
<a name="Application_Security_News"></a><h4> Application Security News </h4>
<ul><li> Jan 23 - <a href="http://www.gnucitizen.org/projects/greasecarnaval" \
class="external text" title="http://www.gnucitizen.org/projects/greasecarnaval" \
rel="nofollow">Greasemonkey Backdoor Proof of Concept</a> - A simple <a \
href="http://greasemonkey.mozdev.org/" class="external text" \
title="http://greasemonkey.mozdev.org/" rel="nofollow">Greasemonkey</a> script that \
illustrates the potential for abuse by hooking a backdoor into your browser using \
JavaScript and AJAX techniques. </li></ul>
<ul><li> Jan 23 - <a href="http://www.owasp.org/index.php/Announce:Web_Honeynet" \
title="Announce:Web Honeynet">Web Honeynet Project Announcement</a>
- The newly formed Web Honeynet Project from SecuriTeam and the ISOTF
will in the next few months announce research on real-world web server
attacks which infect web servers with tools, connect-back shells,
bots, downloaders, malware, etc., all of which are cross-platform (for web
servers) and currently exploited in the wild.
</li></ul>
<a name="OWASP_References_in_the_Media"></a><h2> OWASP References in the Media </h2>
<p>This week we have two examples of non-compliance with the <a \
href="http://www.owasp.org/index.php/OWASP_brand_usage_rules" title="OWASP brand \
usage rules">OWASP brand usage rules</a>, namely rule #8: <i>The OWASP Brand must not \
be used in any materials that could mislead readers by narrowly interpreting a broad \
application security category. For example, a vendor product that can find or protect \
against forced browsing must not claim that they address all of the access control
category.</i>
</p>
<ul><li> <a href="http://www.embedded-computing.com/news/db/?5197" class="external \
text" title="http://www.embedded-computing.com/news/db/?5197" rel="nofollow">Java \
Source Code Analysis Available for Developers to Improve Software Security and \
Quality </a> - quote <i>&quot;Java
Security Analysis Aligned with OWASP -- KDJ&#39;s vulnerability analysis
provides excellent coverage of the vulnerabilities from the OWASP Top
10 list.&quot;</i>
</li><li> <a href="http://www.marketwire.com/mw/release_html_b1?release_id=208677" \
class="external text" \
title="http://www.marketwire.com/mw/release_html_b1?release_id=208677" \
rel="nofollow">Ounce Labs Simplifies Regulatory and Policy Compliance With New \
SmartAudit </a> - quote: <i>&quot;1.
OWASP Top Ten: Identifies the existence and location in the source code
of any of the Top 10 most critical web application security
vulnerabilities, a list compiled by the Open Web Application Security
Project.&quot;</i>
</li></ul>
<p>The problem with these claims is that it is very hard to know what exactly they \
mean. At least in KDJ&#39;s case they say <i>&quot;...excellent coverage...&quot;</i> \
versus Ounce Labs&#39; <i>&quot;...any of the Top 10...&quot;</i>.
</p><p>One idea currently being debated is whether the OWASP brand usage
rules should state that if a company makes claims such as the ones
above in relation to the OWASP Top 10 (or other OWASP materials),
they MUST include a reference to a publicly accessible page that
'explains' how well they 'think' each element of the Top 10 is covered.
</p>