
List:       owasp-dotnet
Subject:    OWASP Newsletter #3: OWASP projects that need your help,
From:       "Dinis Cruz" <dinis () ddplus ! net>
Date:       2007-01-23 0:37:54
Message-ID: 701fd6b60701221637v3f28b812ya6c05a8f07c5ab9c () mail ! gmail ! com

Welcome to OWASP Newsletter #3. I would like to start by asking you all to
be a little bit more active on OWASP projects
<http://www.owasp.org/index.php/Category:OWASP_Project> (note that the
webpages on the www.owasp.org website are WIKI pages which you can edit
directly (all you need is an account which you can create in 1 minute)).

We need more feedback on our tools, more comments on our documents and more
development in our projects (if you want to collaborate but are not sure
how, drop me an email and I will channel your energies to a relevant active
project).

The OWASP student projects <http://www.owasp.org/index.php/OWASP_student_projects>
page was updated with more project ideas and I added a new section to this
newsletter called 'OWASP projects that need your help' in order to give you
a heads up on projects that need help (if you are a project leader, please
feel free to add your requests to the next version of the newsletter).
Remember that OWASP is an Open Community that is made by its members (and the
more you contribute the more you and your company will benefit).

I would like to give a big welcome to our new chapter from my home country
Portugal <http://www.owasp.org/index.php/Portuguese>, say that the latest
Beta version of OWASP Live CD
<http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project> is now
released and ready for your tests, and that projects like the OWASP Java
Project <http://www.owasp.org/index.php/OWASP_Java_Project> (featured
below) are producing amazing material but need more collaboration (and let's
not even talk about the OWASP .NET Project
<http://www.owasp.org/index.php/OWASP_.NET_Project> which I am supposed to
be managing and is currently going nowhere (with some noble exceptions
(Mike and Boris thx)).

We also updated the How OWASP Works
<http://www.owasp.org/index.php/How_OWASP_Works> page to reflect the
current structure of the OWASP Board and to show what we are thinking of
doing in the future.

If all goes as planned, next week we will be releasing the 'Release
Candidate 1' version of the OWASP Top 10 2007 document which we want you all
to take a good look at (the plan is to have a wide peer review and only
release the final version when it is ready).

As normal you can find below the links to the latest WIKI changes (with a
new section for 'Interesting Discussion Threads' on our mailing lists).

And don't forget, if you want something to appear in the next version,
please add it to OWASP Newsletter 4
<http://www.owasp.org/index.php/OWASP_Newsletter_4>.

Dinis Cruz

Chief OWASP Evangelist

London, UK
 OWASP projects that need your help

   - Java Project <http://www.owasp.org/index.php/Category:OWASP_Java_Project>:
   Convert Mark Petrovic's article Discovering a Java Application's
   Security Requirements
   <http://www.onjava.com/pub/a/onjava/2007/01/03/discovering-java-security-requirements.html>
   into the WIKI (contact Stephen de Vries if you are interested)
   - .NET Project <http://www.owasp.org/index.php/Category:OWASP_.NET_Project>:
   Add PDP GnuCitizen AttackAPI <http://www.gnucitizen.org/projects/attackapi>
   to OWASP Site Generator <http://www.owasp.org/index.php/OWASP_Site_Generator>
   and convert the PHP files into ASP.NET
   - OWASP Testing Project v2.0
   <http://www.owasp.org/index.php/OWASP_Testing_Project_v2.0_-_Review_Guidelines> -
   Now that the OWASP Testing Guide v2.0 has reached the 'Release Candidate 1'
   milestone, the time has come to make sure that everything is 100% and that
   there is nothing major missing (review process ends on the 10th of Feb).
   - OWASP WebScarab NG Project
   <http://www.owasp.org/index.php/OWASP_WebScarab_NG_Project> - New version
   is already very usable and we need your feedback
   - Online Questionnaires: I (Dinis) want to do an OWASP wide survey; what
   solution should I use to create, deploy and manage it?
   - WordPress guru needed: Our blogs (http://blogs.owasp.org/) still
   look miserable. We need somebody to help Mike de Libero to sort it out (and
   while you're there get a feed to put on owasp.org and the next version
   of the OWASP newsletter)

 Featured Project: OWASP Java Project

The OWASP Java Project <http://www.owasp.org/index.php/Category:OWASP_Java_Project>'s
goal is to enable Java and J2EE developers to build secure applications
efficiently. See the OWASP Java Project Roadmap for more information on our
plans.

Some links from OWASP Java Table of Contents
<http://www.owasp.org/index.php/OWASP_Java_Table_of_Contents>:

   - How to perform HTML entity encoding in Java
   <http://www.owasp.org/index.php/How_to_perform_HTML_entity_encoding_in_Java>
   to prevent Cross Site Scripting attacks
   - JAAS Tomcat Login Module
   <http://www.owasp.org/index.php/JAAS_Tomcat_Login_Module> - an example of
   how to implement a time delayed JAAS login module in Tomcat
   - Securing Apache Tomcat <http://www.owasp.org/index.php/Securing_tomcat> -
   a guide for deployers on how to secure Apache Tomcat
   - Hashing in Java <http://www.owasp.org/index.php/Hashing_Java> - how
   to securely implement cryptographic hashing in Java
   - Java Security Resources
   <http://www.owasp.org/index.php/Java_Security_Resources>
   - Just a couple more: How to add validation logic to HttpServletRequest
   <http://www.owasp.org/index.php/How_to_add_validation_logic_to_HttpServletRequest>,
   Declarative Access Control in Java
   <http://www.owasp.org/index.php/Declarative_Access_Control_in_Java>,
   Protecting code archives with digital signatures
   <http://www.owasp.org/index.php/Protecting_code_archives_with_digital_signatures>,
   JAAS Timed Login Module
   <http://www.owasp.org/index.php/JAAS_Timed_Login_Module>

 Featured Project: OWASP Live CD

The BETA Release of OWASP LiveCD is ready for testing.

This distro is Beta Version 0.8 named "LabRat" and is part of the OWASP
Autumn of Code sponsorship. The distro is focused on providing all of the
OWASP tools and documents on a bootable CD. The goal is to have a portable
distro that can be used by professional penetration testers, security
admins, students, or anyone interested in computer security to perform
work, training, or research. All you have to do is burn the .ISO to DVD or
start under VMware/Virtual PC and you will have a full Linux desktop
environment loaded with OWASP tools and documents.

The distro can be downloaded from the PacketFocus website
<http://packetfocus.com/hackos/AOC_Labrat-ALPHA-0008.iso> (800 MB).

 Latest additions to the WIKI

 New Pages

   - PDF Attack Filter for Apache mod rewrite
   <http://www.owasp.org/index.php/PDF_Attack_Filter_for_Apache_mod_rewrite> -
   PDF Attack Filter for Apache mod rewrite, served by Apache with
   mod_rewrite installed.
   - Struts XSLT Viewer <http://www.owasp.org/index.php/Struts_XSLT_Viewer>
   - Reviewing code for XSS issues
   <http://www.owasp.org/index.php/Reviewing_code_for_XSS_issues>
   - OWASP WebScarab NG Project Technical Info
   <http://www.owasp.org/index.php/OWASP_WebScarab_NG_Project_Technical_Info>,
   if you want to know what is happening under the hood of the new version
   of OWASP WebScarab NG Project
   <http://www.owasp.org/index.php/OWASP_WebScarab_NG_Project>
   - With some content: Portuguese <http://www.owasp.org/index.php/Portuguese>
   (new chapter), All clients can be reverse engineered, monitored, and
   modified
   <http://www.owasp.org/index.php/All_clients_can_be_reverse_engineered%2C_monitored%2C_and_modified>,
   Native Methods <http://www.owasp.org/index.php/Native_Methods>, Long
   long ago... <http://www.owasp.org/index.php/Long_long_ago...>, Java
   applet code review <http://www.owasp.org/index.php/Java_applet_code_review>

 Updated pages

   - OWASP student projects
   <http://www.owasp.org/index.php/OWASP_student_projects> - Updated with
   new ideas for projects
   - How OWASP Works <http://www.owasp.org/index.php/How_OWASP_Works> -
   Updated information on OWASP's board current structure and future plans
   - Phoenix/Tools <http://www.owasp.org/index.php/Phoenix/Tools>
   - San_Francisco <http://www.owasp.org/index.php/San_Francisco>
   - With minor updates: Bytecode obfuscation
   <http://www.owasp.org/index.php/Bytecode_obfuscation>,
   Chapters Assigned <http://www.owasp.org/index.php/Chapters_Assigned>, OWASP
   Top Ten Project <http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project>


 Latest Blog entries

   - on the Orizon blog <http://blogs.owasp.org/orizon/>
       - Parsing freedom
       <http://blogs.owasp.org/orizon/2007/01/22/parsing-freedom/>

 Interesting Discussion Threads

   - in Owasp-testing <http://lists.owasp.org/mailman/listinfo/owasp-testing>
       - Code Review project and Code-Scanning-Tool(s)
       <http://lists.owasp.org/pipermail/owasp-testing/2007-January/001324.html>
       - OSSTMM manual
       <http://lists.owasp.org/pipermail/owasp-testing/2007-January/001349.html>
       and OSSTMM manual, followup by Pete about OSS
       <http://lists.owasp.org/pipermail/owasp-testing/2007-January/001384.html>

 OWASP Community

   - Feb 15 (18:00h) - Seattle chapter meeting
   <http://www.owasp.org/index.php/Seattle>
   - Feb 13 (18:00h) - Ireland chapter meeting
   <http://www.owasp.org/index.php/Ireland>
   - Feb 6 (18:00h) - Melbourne chapter meeting
   <http://www.owasp.org/index.php/Melbourne>
   - Jan 31 (15:00h) - Mumbai chapter meeting
   <http://www.owasp.org/index.php/Mumbai>
   - Jan 30 (11:30h) - Austin chapter meeting
   <http://www.owasp.org/index.php/Austin>
   - Jan 25 (18:00h) - San Francisco chapter meeting
   <http://www.owasp.org/index.php/San_Francisco>
   - Jan 25 (14:30h) - Italy@ISACA Rome
   <http://www.owasp.org/index.php/Italy#October_25th.2C_2007_-_Isaca_Rome>
   - Jan 24 (17:30h) - 6th OWASP Israel chapter meeting
   <http://www.owasp.org/index.php/Israel#6th_OWASP_IL_meeting:_Wednesday.2C_January_24th_2007>
   - Jan 23 (18:00h) - Belgium chapter meeting
   <http://www.owasp.org/index.php/Belgium>

 Application Security News

   - Web Application Security Professionals Survey (Jan. 2007)
   <http://jeremiahgrossman.blogspot.com/2007/01/web-application-security-professionals.html> -
   Jeremiah Grossman just released his survey with lots of very interesting
   data. Make sure you check out section '11) Top 3 web application security
   resources' which is a nice database of the most popular vulnerability
   assessment tools and knowledge resources (#1 was RSnake's Blog, and #2 was
   OWASP :) )


   - Don't take security advice from the devil you know!
   <http://www.securityfocus.com/news/11436?ref=rss> - He lies. Especially
   about security flaws. This article notes an increase in vulnerabilities
   found in open source packages and concludes that... "For the personal
   sites and the mom-and-pop stores that rely on the software, it certainly
   affects them," Martin said. "But larger companies likely aren't
   affected." Right.


   - Hackers attack MoneyGram International server, breach personal info
   of 80,000 customers
   <http://www.scmagazine.com/asia/news/article/626120/hackers-attack-moneygram-international-server-breach-personal-info-80000-customers/> -
   "A MoneyGram International server has been breached, allowing
   cybercrooks access to the personal information of nearly 80,000 people.
   Hackers accessed the server through the web sometime last month, the
   money-transfer company said in a statement released on Friday."


   - Also worth a read: A Rude Awakening
   <http://sylvanvonstuppe.blogspot.com/2007/01/rude-awakening.html>,
   Making Security Rewarding
   <http://sylvanvonstuppe.blogspot.com/2007/01/rude-awakening.html>,
   Discovering a Java Application's Security Requirements
   <http://www.onjava.com/lpt/a/6844>, Security Startups Make Debut
   <http://www.darkreading.com/document.asp?doc_id=115110&WT.svl=news1_1>,
   Source Code Specialist Fortify to Buy Secure Software
   <http://www.eweek.com/article2/0,1895,2085461,00.asp>, Ajax Sniffer -
   Prrof of concept
   <http://myappsecurity.blogspot.com/2007/01/ajax-sniffer-prrof-of-concept.html>,
   Decoding the Google Blacklist <http://portal.spidynamics.com/blogs/msutton/>,
   Visual WebGui Announces The Dot.Net Answer To Google's GWT
   <http://newsroom.eworldwire.com/view_release.php?id=16273>

 OWASP references in the Media

   - Lock it down: Use the OWASP Top Ten to secure your Web applications
   -- Part 1 <http://builder.com.com/5100-6374_14-6151493.html?part=rss&subj=bldr>,
   Builder.com, Jan 19, 2007

