
List:       owasp-washington
Subject:    OWASP Newsletter #6 (6-Mar-2007) - AoC Finishes! and Xml Gateway Eval
From:       "Dinis Cruz" <dinis () ddplus ! net>
Date:       2007-03-06 21:01:41
Message-ID: 701fd6b60703061301o1a2e1ec3y8e97541a0bb7e747 () mail ! gmail ! com

Welcome to the 6th OWASP Newsletter, again filled with the latest OWASP and
Web Application Security updates (also available online:
https://www.owasp.org/index.php/OWASP_Newsletter_6).

If you have any content to add to the next edition, feel free to add it
directly to its WIKI page (OWASP Newsletter 7
<https://www.owasp.org/index.php?title=OWASP_Newsletter_7&action=edit>).


As Dinis is very busy this week, I helped him out with this Newsletter.

Sebastien Deleersnyder

Belgium Chapter Leader

Featured Item: OWASP Autumn of Code 2006 finished!

All the OWASP Autumn of Code 2006 projects are completed. Congratulations to
all contributors and project leaders!

   - WebScarab NG
     <https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_WebScarab_NG>:
     A working beta version of WebScarab is now available which implements a
     completely new user interface and is much more usable and practical
     (although it still doesn't have all the features of the current version).
   - Live CD
     <https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Live_CD>:
     The Live CD is a valuable addition to the OWASP collection, since it
     allows easy access to, use of and testing of several OWASP tools and
     documents.
   - CAL9000
     <https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_CAL9000>:
     A new version of CAL9000 is now released, containing several new features
     and extended support for more browsers.
   - SiteGenerator and ORG
     <https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_SiteGenerator_and_ORG>:
     Both OWASP Report Generator (ORG)
     <https://www.owasp.org/index.php/OWASP_Report_Generator> and OWASP Site
     Generator (OSG) <https://www.owasp.org/index.php/OWASP_Site_Generator>
     received a large number of enhancements. In ORG, tons of small/medium
     bugs were fixed and several new major features were added (in addition to
     an update to .NET 2.0). In OSG, the HttpModule was re-implemented to use
     TCP, several nasty bugs were fixed and new OSG vulnerabilities were added.
   - Pantera
     <https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Pantera>:
     Simon delivered a new version of Pantera which contains several new
     features and is better optimized.
   - Web Goat
     <https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Web_Goat>:
     12 new lessons were added to WebGoat (for example: DOM/XML Injection,
     JSON Injection, Cross-Site Request Forgery, HTTP Splitting, etc.).
   - Testing Guide
     <https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide>:
     The previous Guide was greatly enhanced: large portions were re-written
     and new material was added. This Guide is an important addition to the
     OWASP catalogue.
   - Owasp .Net Tools
     <https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Owasp_.Net_Tools>:
     The OWASP .Net tools SAM'SHE and ANSA are integrated into a new
     client-server architecture which contains a 'built from scratch' client
     application that 'consumes' the results from the .Net tests. This new
     tool (called OWASP Tiger) could be the beginning of a standard
     vulnerability collector.
   - Owasp Website
     <https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Website_and_Branding>:
     Multiple sections of the OWASP.org website were re-organized (for example
     the Projects Page), the OWASP newsletter was created and several pages
     received improvements to their layout.

More details on OWASP Autumn Of Code 2006
<http://www.owasp.org/index.php/OWASP_Autumn_Of_Code_2006>.
We are also just about to launch the "SpoC 007" (do you get the joke?), which
is the OWASP Spring of Code 2007.

Featured Project: XML Gateway Eval Project

This OWASP Project
<http://www.owasp.org/index.php/Category:OWASP_XML_Security_Gateway_Evaluation_Criteria_Project>
defines an open standard for evaluating XML Security Gateways. These criteria
will provide the OWASP community with a standard set of evaluation criteria to
assess the functionality and quality of XML Security Gateways. The main driver
for this project is to reduce the confusion and complexity in assessing the
strengths and weaknesses of solutions in the XML Security space, and to
enlighten the community as to the utility of XML Security Gateways in
delivering a number of valuable security services.

Latest additions to the WIKI

The OWASP Blogs <http://blogs.owasp.org/> have been integrated into the OWASP
web site. Do not hesitate to start your own Web Application Security blog.

New Pages

   - Hacking Java Clients <https://www.owasp.org/index.php/Hacking_Java_Clients>
   - OWASP Testing Guide Presentations
     <https://www.owasp.org/index.php/OWASP_Testing_Guide_Presentations>
   - InfoSecurity Milano 2007
     <https://www.owasp.org/index.php/InfoSecurity_Milano_2007>
   - OWASP Education Project
     <https://www.owasp.org/index.php/Category:OWASP_Education_Project>
   - Mark O'Neill <https://www.owasp.org/index.php/Mark_O%27Neill>
   - consolidation page of OWASP presentations
     <https://www.owasp.org/index.php/OWASP_Education_Presentation>
   - J2EE Bad Practices: JSP Expressions
     <https://www.owasp.org/index.php/J2EE_Bad_Practices:_JSP_Expressions>

Updated pages

Updated chapter pages:

   - New Jersey <https://www.owasp.org/index.php/New_Jersey>
   - Virginia (Northern Virginia)
     <https://www.owasp.org/index.php/Virginia_%28Northern_Virginia%29>
   - Germany <https://www.owasp.org/index.php/Germany>
   - San Francisco <https://www.owasp.org/index.php/San_Francisco>
   - Ottawa <https://www.owasp.org/index.php/Ottawa>
   - London <https://www.owasp.org/index.php/London>
   - Boston <https://www.owasp.org/index.php/Boston>
   - France <https://www.owasp.org/index.php/France>
   - Helsinki <https://www.owasp.org/index.php/Helsinki>

Other pages:

   - OWASP Sprajax Project
     <https://www.owasp.org/index.php/Category:OWASP_Sprajax_Project>
   - Appendix A: Testing Tools
     <https://www.owasp.org/index.php/Appendix_A:_Testing_Tools>
   - Access Control In Your J2EE Application
     <https://www.owasp.org/index.php/Access_Control_In_Your_J2EE_Application>
   - Hashing Java <https://www.owasp.org/index.php/Hashing_Java>
   - How to add validation logic to HttpServletRequest
     <https://www.owasp.org/index.php/How_to_add_validation_logic_to_HttpServletRequest>
   - OWASP Autumn of Code 2006 - Project Completion
     <https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Project_Completion>
   - OWASP XML Security Gateway Evaluation Criteria Project
     <https://www.owasp.org/index.php/Category:OWASP_XML_Security_Gateway_Evaluation_Criteria_Project>

New Documents & Presentations from chapters

   - XSS and XSS Worms (Sven Vetsch)
     <http://www.disenchant.ch/blog/files/presentations/pres_20070206_04_svetsch_xss_worms.pdf>
     from the Switzerland <https://www.owasp.org/index.php/Switzerland> Chapter.

For a complete list of chapter presentations see the online table of
presentations <https://www.owasp.org/index.php/OWASP_Education_Presentation>.

Latest Blog entries

   - Roadmap to a Partial Trust Managed Code world
     <http://blogs.owasp.org/diniscruz/2007/03/05/roadmap-to-a-partial-trust-managed-code-world/>
   - 'Security Awareness Modes' & the 'day Microsoft changes'
     <http://blogs.owasp.org/diniscruz/2007/03/05/security-awareness-modes-the-day-microsoft-changes/>
   - On Microsoft's lack of Partial Trust Managed Code (PTMC) focus and ideas
     for the future
     <http://blogs.owasp.org/diniscruz/2007/03/05/on-microsofts-lack-of-partial-trust-managed-code-ptmc-focus-and-ideas-for-the-future/>
   - Software Security and Quality Blog
     <http://blogs.owasp.org/diniscruz/2007/03/05/software-security-and-quality-blog/>
   - Simple Backdoor on WordPress
     <http://blogs.owasp.org/diniscruz/2007/03/03/simple-backdoor-on-wordpress/>
   - iPod <http://blogs.owasp.org/seba/2007/03/03/ipod/>
   - Re-writing Exploits
     <http://blogs.owasp.org/dre/2007/02/27/re-writing-exploits/%7C>
   - JavaScript Badware
     <http://blogs.owasp.org/seba/2007/02/22/javascript-badware/%7C>

OWASP Community

   - Apr 17 (18:00h) - Rochester chapter meeting
     <https://www.owasp.org/index.php/Rochester>
   - Apr 12 (18:00h) - Netherlands chapter meeting
     <https://www.owasp.org/index.php/Netherlands>
   - Apr 11 (18:00h) - Toronto chapter meeting
     <https://www.owasp.org/index.php/Toronto>
   - Apr 10 (18:00h) - Washington DC (N. VA) chapter meeting
     <https://www.owasp.org/index.php/Virginia_%28Northern_Virginia%29>
   - Apr 4 (18:30h) - Boston chapter meeting
     <https://www.owasp.org/index.php/Boston>
   - Apr 3 (18:00h) - Melbourne chapter meeting
     <https://www.owasp.org/index.php/Melbourne>
   - Mar 28 (11:30h) - San Antonio chapter meeting
     <https://www.owasp.org/index.php/San_Antonio>
   - Mar 22 (18:00h) - London chapter meeting
     <https://www.owasp.org/index.php/London>
   - Mar 21-22 - Belgium@InfoSecurity
     <https://www.owasp.org/index.php/Belgium#OWASP_Top_10_2007_Update_.28Infosecurity_Belgium.2C_21_.26_.2622_Mar_2007.29>
   - Mar 20 (18:00h) - Rochester chapter meeting
     <https://www.owasp.org/index.php/Rochester>
   - Mar 14 (18:00h) - Toronto chapter meeting
     <https://www.owasp.org/index.php/Toronto>
   - Mar 14 (18:00h) - Chicago chapter meeting
     <https://www.owasp.org/index.php/Chicago>
   - Mar 13 (18:00h) - Washington DC (N. VA) chapter meeting
     <https://www.owasp.org/index.php/Virginia_%28Northern_Virginia%29>
   - Mar 8 (18:00h) - Ottawa chapter meeting
     <https://www.owasp.org/index.php/Ottawa>
   - Mar 7 (18:30h) - Boston chapter meeting
     <https://www.owasp.org/index.php/Boston>
   - Mar 7 (18:30h) - Kansas City chapter meeting
     <https://www.owasp.org/index.php/Kansas_City>
   - Mar 6 (18:30h) - Philadelphia chapter meeting
     <https://www.owasp.org/index.php/Philadelphia>
   - Mar 6 (18:30h) - San Francisco and San Jose chapter meeting
     <https://www.owasp.org/index.php/San_Francisco>
   - Mar 6 (18:00h) - Melbourne chapter meeting
     <https://www.owasp.org/index.php/Melbourne>
   - Mar 5 (11:00h) - New Jersey chapter meeting
     <https://www.owasp.org/index.php/New_Jersey>

Application Security News

   - Mar 2 - Wordpress (popular blog software) backdoored
     <http://wordpress.org/development/2007/03/upgrade-212/>

"Long story short: If you downloaded WordPress 2.1.1 within the past 3-4
days, your files may include a security exploit that was added by a cracker,
and you should upgrade all of your files to 2.1.2 immediately."

   - Mar 1 - the Month of PHP Bugs "formerly known as March"
     <http://www.php-security.org/>

"This initiative is an effort to improve the security of PHP. However we
will not concentrate on problems in the PHP language that might result in
insecure PHP applications, but on security vulnerabilities in the PHP core."

   - Feb 26 - Building Secure Applications: Consistent Logging
     <http://www.securityfocus.com/infocus/1888>

SecurityFocus article, "This article examines the dismal state of
application-layer logging as observed from the authors' years of experience
in performing source code security analysis on millions of lines of code."

   - Feb 26 - Know your Enemy: Web Application Threats
     <http://www.honeynet.org/papers/webapp/index.html>

A long paper on web application security threats released by honeynet.org.
"This paper focuses on application threats against common web applications.
After reviewing the fundamentals of a typical attack, we will go on to
describe the trends we have observed and to describe the research methods
that we currently use to observe and monitor these threats."

OWASP references in the Media

   - WhiteHat Security Chief Technology Officer Jeremiah Grossman to Present
     at OWASP Philadelphia Meeting
     <http://sev.prnewswire.com/computer-electronics/20070302/CLF05902032007-1.html>
   - ANNOUNCING THE OWASP TESTING GUIDE
     <http://www.professionalsecuritytesters.org/modules.php?name=News&file=article&sid=766>
   - Building Secure Applications: Consistent Logging
     <http://www.securityfocus.com/infocus/1888%7C>

