
 
Visual Studio Code, a cross-platform editor for modern application development, has been released as 1.0

http://code.visualstudio.com/
2M installs. This free and open-source text editor runs on any platform and is optimized for building and debugging modern web and cloud applications.
 
I am afraid I will never feel comfortable supporting anything from a company that legitimately held an "embrace, extend, & extinguish" policy while creating something so wholly half assed and doing everything it could to make sure that crummy product would prevail.
I will sit and wonder how many clock cycles have gone to waste due to applications on Windows servers.
 
Hi everyone. I wish to give thanks to +Noreen Whysel our community manager at OWASP for all her hard work. She is moving on to bigger and brighter things.

I wish to shout out my appreciation to all her amazing efforts here and all our other social communities. She will be missed for sure. 

Zariga Tongy (Discussion)
 
How to execute a command while downloading
Command Injection Tutorial
#XSS #CommandInjection #Pentesting #hacking #WebSecurity #owasp #java
https://goo.gl/JTZJdS
 
Deadline is Approaching February 19th

Hello Project Leaders:

Google is now accepting applications for mentoring organizations for GSoC 2016! We are looking for your project ideas and making the initiative a success!

For those of you that have participated in the program, this is the time of the year to start outlining your ideas for projects here:

https://www.owasp.org/index.php/GSOC2016_Ideas

For the rest of you the Google Summer of Code (https://summerofcode.withgoogle.com/) is an amazing opportunity to get some work done on your project.
2 comments
 
+Noreen Whysel, thank you for posting. Application completed. At worst I will assume full responsibility as the other members have not been involved in electing to participate. I am a little excited to see the applications that may come in.
 
Chapter Funding for 2016

$33,000 distributed to chapters in January!

Join us TODAY at Noon ET for a discussion of Chapter Funding for 2016.

https://docs.google.com/document/d/1mLqBQcQvxYeaefQpGfsyoK4CxMoqScEJEx90c9qsnbA/edit?usp=sharing
2 comments
 
A series of calls for 2016 Project Funding Ideas is being planned. Stay tuned!
 
OWASP Community,

In late 2015, the OWASP Board approved an initiative to assess and update our Wiki and internal infrastructure. The following RFP request includes the feedback & requirements received from various community leaders in order to capture various viewpoints from our diverse community.

If you know of a consultant, service provider or expert who would like to respond to this RFP, please forward it to their attention.

Details about the RFP objectives and requirements are available in the attached document. The document is also available here: https://drive.google.com/file/d/0BxI4iTO_QojvY0ItSk56aWY3WXM/view?usp=sharing and on the wiki here: https://www.owasp.org/index.php/OWASP_Initiatives_Global_Strategic_Focus#Active_Initiatives

Submission Information

RFP open: February 3, 2016
RFP close: February 29, 2016

Please email proposals to owasp.foundation@owasp.org

Sincerely,
The OWASP Foundation
 
So since the ASVS 3.0 retired much of the malicious code requirements, and after actually doing a line by line search of ~20 kLOC of dense J2EE authentication code, I've been thinking about various methods that backdoors might be created and not be findable by both automated and line by line searches.

This obviously has an issue with the recent Juniper revelation that they found a backdoor in the VPN code of their SOHO device firmware. It also feels like the sort of thing that Apple suffered with GOTO FAIL, and Linux suffered a long time ago with the wait4 backdoor.

https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003/

So basically, I've been thinking that there obviously has to be a group dedicated to obfuscated backdooring. Making code that passes the visual and automated muster of specialists like me. There is probably another group or portion of the same group that sets about gaining sufficient privileges to make these changes without being noticed.

So before anyone goes badBIOS on me, I think it would be useful if we started to learn what malicious coding looks like in every language likely to be backdoored.

We can help prevent these attacks by improving the agile SDLC process, and keeping closer tabs on our repos. We can also make it more difficult to slip these things in if folks stuck to an agreed formatting style that made slipping in these types of attacks much harder, primarily by using automated indentation and linting that detected the lack of block control and assignment during conditionals. Yes, this will make some code visually longer, but we cannot tolerate more backdoors.

This is important as we're starting to see an explosion in language use. It's not merely enough to understand how these things are done in C or C++, but in any system language and any up-and-coming language, for many of which we have zilch, nada, nothing in the way of automated tools, code quality tools, and specialists familiar with Go, Clojure, Haskell, and any number of other languages I see pop up from time to time.

What I think doesn't work is line by line reviewing. All of these pieces of code must have been looked at by many people (the many eyeballs fallacy), but who knows how many secure code review specialists like me? We need better knowledge and better techniques.

Josh wrote recently about a serious security bug that appeared in Debian Linux back in 2006, and whether it was really a backdoor inserted by the NSA. (He concluded that it probably was not.) Today I want to write about another incident, in 2003, in which someone tried to backdoor the Linux ...
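The post above argues for linting that flags assignment inside a conditional and blocks without braces. As an added example (this is not code from the original post, from OWASP or from the linked article), here is a small Python heuristic of that kind for C-like sources. The three sample sources are constructed for this example: one is clean, one has the same shape as the 2003 wait4 attempt the post links to (an assignment buried in an if condition), and one has the unbraced duplicated goto shape of GOTO FAIL. Function and regex names are this example's own.

```python
"""Heuristic checker for two code shapes that hide backdoors well:
  1. a plain '=' assignment inside an if/while condition, and
  2. an if/else whose body is not wrapped in braces.
It works on one line at a time, so it is a lint-style net, not a parser."""
import re
from typing import List, Optional, Tuple

# Head of an if/while line: optional leading "}" and "else", the keyword, the
# parenthesised condition (greedy, so nested parentheses stay inside it) and
# whatever follows the closing parenthesis on the same line.
_HEAD_RE = re.compile(
    r"^\s*(?:\}\s*)?(?:else\s+)?(?:if|while)\s*\((?P<cond>.*)\)(?P<tail>.*)$"
)
# A bare else (possibly "} else") and whatever follows it on the line.
_ELSE_RE = re.compile(r"^\s*(?:\}\s*)?else\b(?P<tail>.*)$")
# Comparison and compound-assignment operators, longest first; after these are
# removed, any '=' left in a condition is a plain assignment.
_NOT_ASSIGN_RE = re.compile(r"(<<=|>>=|==|!=|<=|>=|\+=|-=|\*=|/=|%=|\|=|&=|\^=)")


def _classify(line: str) -> Optional[Tuple[Optional[str], str]]:
    """(condition, tail) for an if/while line, (None, tail) for a bare else,
    None for any other line."""
    m = _HEAD_RE.match(line)
    if m:
        return m.group("cond"), m.group("tail").strip()
    m = _ELSE_RE.match(line)
    if m:
        return None, m.group("tail").strip()
    return None


def has_plain_assignment(cond: str) -> bool:
    """True if the condition still contains '=' once comparisons are removed.
    A '=' inside a string literal would also trigger this; it is a heuristic."""
    return "=" in _NOT_ASSIGN_RE.sub(" ", cond)


def check_source(src: str) -> List[Tuple[int, str]]:
    """Return (line_number, message) findings for both heuristics."""
    # Drop trailing // comments so text in them cannot mask or fake a brace.
    lines = [raw.split("//")[0].rstrip() for raw in src.splitlines()]
    findings: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines):
        head = _classify(line)
        if head is None:
            continue
        cond, tail = head
        if cond is not None and has_plain_assignment(cond):
            findings.append((idx + 1, "assignment inside condition"))
        if tail:
            # Body (or an opening brace) sits on the same line as the head.
            braced = tail.startswith("{")
        else:
            # Body starts on a later line: the next non-blank line must be "{".
            nxt = next((l.strip() for l in lines[idx + 1:] if l.strip()), "")
            braced = nxt.startswith("{")
        if not braced:
            findings.append((idx + 1, "conditional without braces"))
    return findings


# Constructed samples for this example (not real project code).
SAMPLE_CLEAN = """\
if (options == (__WCLONE|__WALL)) {
    retval = -EINVAL;
}
"""
SAMPLE_WAIT4_SHAPE = """\
if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
    retval = -EINVAL;
"""
SAMPLE_GOTO_FAIL_SHAPE = """\
if ((err = hash_update(&ctx, &params)) != 0)
    goto fail;
    goto fail;
if ((err = hash_final(&ctx, &hash)) != 0)
    goto fail;
"""

if __name__ == "__main__":
    for name, src in (("clean", SAMPLE_CLEAN),
                      ("wait4 shape", SAMPLE_WAIT4_SHAPE),
                      ("goto fail shape", SAMPLE_GOTO_FAIL_SHAPE)):
        print(name, check_source(src))
```

The clean sample produces no findings; the wait4-shaped sample is flagged twice on its first line, and the GOTO FAIL-shaped sample is flagged on both of its if lines. The second duplicated goto itself is invisible to a line-based check; what the brace rule buys you is that a reviewer diffing the braced form sees the extra statement sitting outside any block.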
 
I've put out a call for translators of the OWASP Application Security Verification Standard 3.0! If you can assist in translating the standard into your language, that would be great, particularly if English is not commonly spoken in your country.

You can get the original here, and log issues:
https://github.com/OWASP/ASVS

I've committed v3.0.1 into GitHub and uploaded it to Crowd In:
https://crowdin.com/project/owasp-asvs/

You don't HAVE to use Crowd In, but it would be nice to indicate to other native speakers of your language that you are willing to work together.

This is a 70 page document, and in all honesty, will take a dedicated person a week or more to translate, so please please please work together rather than apart. You have full access to the original document and the original images, so you have everything I have.

In the next month or so, I want to close out all the issues logged in GitHub, so I will give active translators a heads up of any changes to the master document, so again, a good reason to use Crowd In so I know who you are.

If there are any incomprehensible English idioms or phrases in there, please don't hesitate to ask for clarification, because if it's hard to translate, it's almost certainly wrong in English as well.
 
Did you just volunteer to translate it into Australian?
 
Thursday I spoke at the Columbus OWASP meeting on the topic "Analyzing (Java) Source Code for Cryptographic Weaknesses". Yesterday I just loaded the slide deck to the OWASP Education / Free Training link at https://www.owasp.org/index.php/Education/Free_Training
The ODP format includes detailed speaker's notes. Feedback appreciated. Enjoy.

About this community

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks. Website: www.owasp.org
 
GOOGLE SUMMER OF CODE 2016

Join us on making the GSOC 2016 a success!

We have 81 proposals waiting for your help and participation. More Mentors Needed!

Become a Mentor:

Choose a participating OWASP project from the wiki page listed below:

Link: https://www.owasp.org/index.php/GSOC2016_Ideas
Please contact org admins below to send you an invitation and get you started today.

Thank you in advance for your time; we look forward to your participation.

Konstantinos Papapanagiotou
Konstantinos@owasp.org
Initiative Leader

Fabio Cerullo
fcerullo@owasp.org
Initiative Leader

Claudia Aviles-Casanovas
claudia.aviles-casanovas@owasp.org
Project Coordinator
Phone: 973-288-1697
 
Source Code Analysis of Web Framework from OWASP Gothenburg chapter meetup!
2 comments
 
+Hans Wolters Command execution is a technique which occurs due to poor validation of the input. This is just a demonstration.
It will display the listing of the current directory. The example is meant to just display the ping statistics; due to poor validation, command injection happens.
curl 'http://zariga.com/CommandServlet'  --data 'text=ls'
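The mechanism described in the comment above (a request parameter meant to name a ping target reaching a shell unvalidated), as an added example in Python rather than the tutorial's Java servlet. This is not the tutorial's code; the handler shape, the function names and the hostname allowlist are assumptions made for illustration. It shows the vulnerable string-concatenation form beside the hardened form, which validates the parameter and passes it as a separate argv element so no shell ever parses it.

```python
import re
import subprocess
import sys
from typing import List

# Allowlist for the single parameter the handler accepts: a hostname made of
# dot-separated labels of letters, digits and hyphens (IPv4 literals pass too).
# Because labels may not start with '-', option-like values such as "-f" are
# also rejected, which closes off argument injection as well.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def unsafe_command_line(text: str) -> str:
    """Vulnerable shape (returned as a string, not executed): the request
    parameter is concatenated into one command line that a shell would parse,
    so ';', '|', '&&' or backticks in `text` become additional commands."""
    return "ping -c 1 " + text


def build_ping_argv(text: str) -> List[str]:
    """Hardened shape: reject anything that is not a hostname, then place the
    value in its own argv element. Raises ValueError on rejected input."""
    if not _HOST_RE.match(text):
        raise ValueError("rejected input: not a hostname")
    return ["ping", "-c", "1", text]


def run_argv(argv: List[str]) -> str:
    """Execute an argv list directly (shell=False) and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


def argv_boundary_demo(text: str) -> str:
    """Show that shell metacharacters are inert when passed as a separate
    argument. A Python one-liner stands in for ping so this runs offline."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", text]
    return run_argv(argv).rstrip("\n")


if __name__ == "__main__":
    # Constructed request value of the kind the tutorial's curl call sends.
    hostile = "8.8.8.8; ls"
    print("shell would run:", unsafe_command_line(hostile))
    try:
        build_ping_argv(hostile)
    except ValueError as exc:
        print("hardened handler:", exc)
    print("as a single argv element the child sees:", argv_boundary_demo(hostile))
    print("accepted:", build_ping_argv("example.com"))
```

Validation and the argv boundary are two separate controls: the allowlist keeps junk out of the ping call entirely, and shell=False guarantees that even a value the regex would accept is never interpreted by a shell. Dropping either one is how the servlet in the tutorial ends up executing `ls`.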
 
How @netflix tracks #CredentialDumps with #Scumblr (#Rails), #Sketchy (#Python) and #Workflowable (#Ruby) - [#Vimeo] http://kiq.li/1G43

Peter Magnusson (Discussion)
 
Promo for the OWASP Gothenburg chapter. 3+ years, 42 presentations, 26 videos... So far :)
 
So very pretty. We had a light shmear of cloud which prevented good eyeball observations here.
 
"Geminids of the South" is NASA's Astronomy Picture of the Day http://antwrp.gsfc.nasa.gov/apod/ap151217.html
A different astronomy and space science related image is featured each day, along with a brief explanation.

Brett Young (Discussion)
 
OWASPers, I've started a community for discussions about using open-sourced solutions for process control networks and their supporting infrastructure. Join!
Open ICS Project
Open Source for Industrial Control Environments
 
Hi everyone. I'm looking for a draft of a pentesting report and a web pentesting report. I searched on the web but I didn't find any good ones. If it's in English, no problem for me! Thanks for all your answers. Bye
2 comments
 
You could also use the "Penetration Testing Guidance" document from PCI as a reference for what your report should contain.