Stream

Hello my friends, I made two videos showing you how to exploit the HeartBleed vulnerability on real websites! You will need some Python scripts and Kali Linux to exploit it successfully. How to ...

MokiMobility

Mobile Security
 
Google implements new security features to provide ongoing malware detection within apps.
 
... Heartbleed hurts for other reasons. Notably: it’s a plain reminder of the extent to which modern IT infrastructure has become dependent on the integrity of third-party code that too often proves to be unreliable. In fact, Heartbleed and OpenSSL may end up being the poster child for third-party code audits.

Has anyone ever completed a code audit of any open source software or system?
 
Thanks +Clinton Parham 

David Neville

Discussion
 
The ankle biters of the application security world
 
Developer Guide helpers sought. If you can create an account on GitHub, have a look at our DevGuide repo (https://github.com/OWASP/DevGuide), and offer to write one to two paragraphs a week, we can have the Guide done by the end of the year.

There are issues with the text - feel free to create more issues, but please be specific about the text you want changed in your request. 
 
Go through the Dev Guide 2.0, and find a topic that needs writing in the v3 guide. I'll massage it after you've written it so don't worry about being "mature" enough - that comes with practice! :) 
 
Breaking ESAPI News
 
It's the "bundling" that's the problem. ESAPI would be more useful if developers could choose to use only the bits they needed. I don't know of any devs who would prefer to drop Apache Shiro/Spring Security for ESAPI's auth features.
But many would like to use the ESAPI encoders.
 
Hi there, I need a junior web app pen tester with 2-5 years experience, preferably located in Melbourne, Australia. If you feel ready for a change, please send me mail privately with your CV. Figuring out my e-mail address is the easy and first part of being hired. Bonus points if you work out my work e-mail address as that's nowhere near as well known as my other e-mail addresses or phone number.
 
I'm not the guy for this, but you pop up in my G+ feed now and I wish I saw more succinct applicant requests for clever candidates-- like this one. Good luck, hope you get a manageable batch of qualified individuals to choose from.
 
Lunch break? Perfect chance to catch up on the week's top 5 security stories of the week:
 
Christopher Soghoian ACLU [6:21]: “So many of the communications tools that we all rely on are not as secure as they could be. Particularly for the apps and services that are made by small companies and small groups of developers security is often an afterthought if it is a thought at all. And really what that has done is enable global passive surveillance by the US but by other governments too. [...] We need to make services secure out of the box, and that’s going to require a re-think by developers. It’s going to require that developers start to think about security early on, rather than later on down the road.” 

About this community

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks. Website: www.owasp.org

Michael Coates
moderator

OWASP
 
OWASP Community Update Call - Tuesday April, 22

Add it to your calendar!
https://plus.google.com/events/ccqlmt5bshkvdq04vj8jpenue0k

Agenda - please add any topics or questions
https://www.owasp.org/index.php/CommunityUpdates/2014-04-22
Regular OWASP community updates - find out what's going on in the OWASP community. Questions: submit any questions on Twitter (#OWASP) or add them to the agenda. Topics for the agenda: anyone in the OWASP community should feel free to add topics to the agenda. Agenda listed here: https://www.owasp.org/index.php/CommunityUpdates
 
I would love to be there, but I am in Helsinki then. I will watch it later.
 
RE: OpenSSL is written by monkeys
"Unfortunately while #OpenSSL  is open source, it periodically coughs up vulnerabilities. Part of this is due to the fact that it's a patchwork nightmare originally developed by a programmer who thought it would be a fun way to learn Bignum division. Part of it is because crypto is unbelievably complicated. Either way, there are very few people who really understand the whole codebase."
 
A provocative, friendly and professional opinion worth reading: 
"...A developer friend of mine asked me the other day, if I could point him to some useful resources about web application security. First, I wanted to give him a list including the OWASP Top 10, but then I decided not to, because I didn’t want to provide him a confusing material at the very first step on his way in security..."
(The author is one of the leaders on the Hungarian pentester scene.)
 
Bálint's earlier presentation on the subject at OWASP Hungary chapter meetup in November: 
https://plus.google.com/112137101792593443873/posts/N8aX51zLwRe
 
Your Top 5 Security Stories of the Week: Angry Birds still leaks private player data, snooping drones are now a thing, Word suffers a zero-day flaw and more.

Timur Khrotko

Discussion
 
"9: Security in Requirements
10: Security in Architecture and Design"
Why not 1 and 2?! When promoting preventive controls let's emphasize the root causes first, please.
"The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. This document was written by developers for developers to assist those new to secure development."
 
My view and eventual acquiescence is that these are the top 10 things ALL high performing teams MUST do, order is not as important as it might be. 

NT OBJECTives

Mobile Security
 
Do you know where your SQLi vulns are? SQL Injection Vulns Hidden in New Places [Webcast] http://bit.ly/GGHh75
 
Announcing the OWASP Passfault 0.7 "Gator" release!  This release is named for the volunteers from the University of Florida that contributed.

The goal of the next release will be towards integrating with ESAPI.  Roadmap here: https://www.owasp.org/index.php/OWASP_Passfault#tab=Road_Map_and_Getting_Involved

Sarah Vonnegut

Discussion
 
They say it takes a hacker to catch one... so how do the good guys stay on top?

Read more in the second part of our Keeping Up With The Hackers series!