Opinions & News
Weekly news and opinions from OWASP leadership, staff, and community members. Have an idea you’d like to see here? Submit to News today!
More than a Password Day 2024
Tuesday, November 12, 2024
Welcome to the annual More than a Password Day! To celebrate this year’s event, OWASP is enabling multi-factor authentication across the OWASP Foundation’s infrastructure. This is a significant step forward in securing our systems and data. At the start of this year’s event, we had only 21% of all OWASP accounts enrolled in MFA. We’re aiming to increase this to 100% by the end of the year.
A workaround for OWASP Foundation emails being blocked by Microsoft Office 365
Wednesday, October 30, 2024
Over the last several months, OWASP, particularly the owasp.com domain, has been blocked from sending messages to tenants of the Microsoft Office 365 platform or those using Microsoft Defender for Office 365, where messages end up blacklisted in quarantine or never received. Organizations that have failed to receive our emails include legal firms, our HR firm, our accountants, our European affiliate’s accountants and VAT specialists, and many others, including potential sponsors, donors, and members.
This is an untenable situation, and extremely disappointing that we have been unable to resolve this issue with Microsoft. So we have to use a workaround domain, owaspfoundation.org to send emails to Microsoft 365 tenants. This is not ideal, but we have no other choice. We will never use owaspfoundation.org for any other purpose other than to get around this spam filter insanity. We will never send any marketing or other unsolicited emails from this domain, it will not be linked to our MailChimp or our accounting system. Only select staff have access to this domain, and we will only use it when all else fails.
Securing React Native Mobile Apps with OWASP MAS
Wednesday, October 2, 2024
React Native is a popular cross-platform mobile development framework that allows developers to build native-looking apps for iOS and Android using a single codebase. Like any other software, React Native apps are also vulnerable to a variety of security threats.
OWASP Email Problems (and solutions)
Thursday, August 1, 2024
Recently, Google, Microsoft, Yahoo, and other major email providers have been implementing stricter email authentication controls. This is a good thing, as it helps to reduce the amount of spam and phishing emails that we all receive. However, it can also cause problems for legitimate email senders, such as OWASP. In the last month or so, we have experienced great difficulty in sending emails to Microsoft email addresses (Office 365, Exchange Online, Outlook, Hotmail, Live, etc). This has been a major problem for us, as many of our members and volunteers use Microsoft email addresses. We have been working hard to resolve this issue. In this post, we document a solution that every Microsoft user needs to do to reliably receive our email.
We have created staff accounts on owaspfoundation.org. Our staff will only let you know how to un-quarantine our emails, with a link to this blog post, and to ask that you reply to the original email once restored to your Inbox.
New Articles of Incorporation and Bylaws for the OWASP Foundation!
Tuesday, July 9, 2024
I’m excited to announce that OWASP’s restated Articles and Certificate of Incorporation and new Bylaws have been approved by the Delaware Secretary of State. These documents are the foundation of our governance and provide the framework for how the Foundation operates. The new bylaws are the result of a comprehensive review and update process that began in 2021. The changes are designed to modernize and streamline the governance of the Foundation, and to ensure that we are operating in the best interests of our members and the broader community.
Update on the ASVS Community Meetup
Wednesday, July 3, 2024
The OWASP Application Security Verification Standard (ASVS) Project held its first ever, in-person, community meetup during last week’s Global AppSec Lisbon conference. This was an exciting opportunity for anyone interested in the project to come and meet some of the leaders, discover how to get involved and learn about our upcoming plans. We are super grateful to our friends at Jit for their support in running the event.
This post is a quick summary of the meetup including key information on how you can get involved!
SecureFlag and OWASP partner to offer Threat Modeling Automation tool ThreatCanvas to Members
Thursday, May 30, 2024
OWASP members will gain extra benefits on the SecureFlag platform with access to ThreatCanvas to automate expert-level threat models.
The OWASP Foundation appoints Starr Brown as Director of Projects
Monday, April 22, 2024
Colorado Springs, CO, April 22, 2024 – OWASP is thrilled to announce the addition of Starr Brown to the OWASP Foundation team. As the newly appointed Director of Projects, Starr brings a wealth of expertise and a fresh perspective to our community.
The OWASP Foundation Celebrates 20th Anniversary
Sunday, April 21, 2024
Colorado Springs, April 21, 2024 – Although the OWASP community is 23 years old, today the OWASP Foundation proudly commemorates its 20th year in operation, marking two decades of unwavering commitment to securing the digital landscape. As a global leader in open-source information, industry-leading projects, and a thriving community of peers, OWASP has left an indelible mark on application security and DevSecOps.
Checkmarx and OWASP Launch First-ever Global Codebashing Learning Initiative
Thursday, April 18, 2024
OWASP chapters and members gain Codebashing access to boost adoption of application security and compliance standards while building trust between security and development teams. Read on to learn more about the Codebashing AppSec Training Initiative.
CycloneDX v1.6 Released, Advances Software Supply Chain Security with Cryptographic Bill of Materials and Attestations
Tuesday, April 9, 2024
The OWASP Foundation today announced the availability of CycloneDX v1.6. This significant release strengthens software supply chain security with the introduction of two innovative capabilities: Cryptographic Bill of Materials (CBOM), developed by IBM Research, and CycloneDX Attestations (CDXA).
OWASP Data Leak Notification
Friday, March 29, 2024
In late February 2024, after receiving a few support requests, the OWASP Foundation became aware of a misconfiguration of OWASP’s old Wiki web server, leading to a data leak involving decade+-old member resumes.
Traefik Labs Joins OWASP and Integrates Coraza and Core Rule Set Projects
Tuesday, March 19, 2024
Addresses crucial role of Web Application Firewall (WAF) in modern API infrastructure and integrates two leading OWASP projects into Traefik OSS stack
KubeCon, PARIS, March 19, 2024 – Traefik Labs, creator of the world’s most popular cloud-native application proxy, today announced a significant addition to their portfolio that addresses the escalating cyber threats to modern API infrastructure.
“We are at a pivotal moment in the evolution of digital infrastructure, where the integration of robust security measures within our API gateways is not just an option, but a necessity,” said Sudeep Goswami, CEO of Traefik Labs. “By weaving the Coraza WAF and the OWASP Core Rule Set directly into Traefik Proxy v3, we are not merely responding to the current cybersecurity landscape but are proactively setting a new benchmark for API security. This step reaffirms our dedication to providing the most secure, cutting-edge solutions to our users, ensuring they remain not just compliant, but ahead of the curve in the face of emerging cyber threats.”
OWASP CycloneDX is ready to support your CRA compliance journey!
Thursday, March 7, 2024
Software development aimed at selling products in the European Union will soon change forever. Regardless of whether the product is an IoT device, a child’s toy with embedded software, a server-side application, or a mobile app - the software will have to be marked with the CE symbol, which will include cybersecurity aspects on the product. At the heart of the new regulation, the EU Cyber Resilience Act, is the software bill of materials (SBOM). OWASP CycloneDX stands well prepared with specifications of bill-of-materials and an arsenal of tools that will help manufacturers in their compliance process.
Introducing the OWASP IoT Security Testing Guide (ISTG)
Friday, March 1, 2024
The multitude of networked devices contributing to the Internet of Things (IoT) poses new risks for manufacturers, operators, and end users of solutions. Every IoT device represents a potential threat to user data and supporting infrastructure, since a single manipulated device can endanger an entire ecosystem. Due to the interconnection of an array of technologies, standards and protocols, a considerable amount of effort is necessary to build and maintain a homogeneous level of IoT security.
To reduce the risk of successful attacks, manufacturers and operators must periodically assess the security level of their IoT solutions. An instrument for this purpose is penetration testing such as goal based security assessments tailored toward target systems. We are excited to announce that the OWASP IoT Security Testing Guide project published its first release on March 1, 2024. This guide aims to provide comprehensive insights into testing the security of IoT devices and systems.
OWASP appoints Jason C. McDonald as Director of Community Development
Monday, February 12, 2024
Colorado Springs, February 12th 2024 /PRNewsWire/ - The OWASP Foundation, Inc. is excited to announce the appointment of Jason C. McDonald to the position of Director of Community Development. Jason’s responsibilities will include fundraising, grant writing for projects, and community liaison with our tens of thousands of community participants, developers, and external development organizations. He starts on February 12th, 2024.
OWASP joins the US AI Safety Institute Consortium (AISIC) at its launch to support collaborative efforts to safeguard AI.
Thursday, February 8, 2024
The rapid evolution of artificial intelligence (AI) technologies presents unprecedented opportunities and challenges. As AI tools and applications reshape our society, ensuring their safety and trustworthiness becomes critical.
In response, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) is launching the U.S. AI Safety Institute Consortium (AISIC). This initiative represents a significant step towards creating safe and reliable AI by bringing together a diverse group of participants, including Fortune 500 companies, academic teams, non-profit organizations, and government agencies.
Trustwave Transfers ModSecurity Custodianship to OWASP
Tuesday, January 9, 2024
After serving as its steward for over a decade, Trustwave has agreed to transfer the reins of the renowned open-source web application firewall (WAF) engine, ModSecurity, to the Open Worldwide Application Security Project (OWASP). This landmark move promises to inject fresh energy and perspectives into the project, ensuring its continued evolution as a vital line of defense for countless websites worldwide.
The transition, commencing on January 25th, 2024, isn’t just about changing hands. OWASP, the leading open community dedicated to application security, is already responsible for the Core Rule Set, the dominant WAF rule set on the market. By formally assuming custodianship of the entire project, OWASP can now steer ModSecurity’s development with a holistic view, fostering even tighter integration between the core rule set and the underlying framework.
CycloneDX v1.6 Introduces Support for Attestations of Compliance with Any Standard, Improving Compliance and Scalability for Consumers and Vendors of Third Party Software
Wednesday, December 6, 2023
Requiring Proof of Compliance: In the Real World, Scale Escalates Quickly.
Almost every organization must wrestle with security compliance for their software. There are standards, policies, and guidelines from every conceivable source: government agencies, industry groups, open-source foundations, international organizations, and other standards bodies.
OWASP offers free membership to countries affected by force majeure
Monday, November 27, 2023
OWASP’s Board of Directors approved two additions to our force majeure policy. OWASP offers free membership to those affected by force majeure events, such as war. During times of need, the last thing people need to worry about is paying for membership, so we offer free membership to those affected. The process to apply for free membership is simple and straightforward. The two new additions to the force majeure policy are: Israel and Palestine, joining Ukraine.
OWASP's response to the ONCD RFI on Open Source Security and Prioritization
Wednesday, November 8, 2023
Today, the OWASP Foundation and its leaders submitted a response to the US Government’s Office of the National Cyber Director’s Request for Information on Open Source Security: Areas for Long-Term Focus and Prioritization. The response was written by OWASP’s Leaders, edited by the OWASP Foundation’s Executive Director, Andrew van der Stock, and reviewed by those active in our community.
Changes to OWASP's Accounting Services
Friday, October 27, 2023
Many leaders may have already had an inkling that something was up with OWASP’s accounting services. We’ve been working on a solution for some time, and we’re pleased to announce that we’ve found a new accounting firm to work with.
Shift Left With OWASP IDEVulScanner
Thursday, October 26, 2023
What is shift left security?
Shift-Left Security is the practice of moving security checks as early and often in the SDLC as possible as part of a DevSecOps shift. Vulnerabilities found earlier in development are much easier and cheaper to fix.
OWASP IDE-VulScanner
OWASP IDE VulScanner v1.0.1
We are glad to release our latest version of the IDE VulScanner plugin, which enables developers to perform component scanning in the early phases of implementation.
Board Strategy September 2023
Wednesday, October 25, 2023
Three days (totalling nearly 30 hours) with four remote joiners and four in-person. One boardroom, one Zoom session (each day; recordings to be made available soon), many litres of coffee and a single focus on OWASP and securing the future of this Foundation.
So, what did we cover? What did we decide? What are the next steps?
Warning: it’s a long read…
OWASP Foundation Pursues Ecma International Standardization of CycloneDX - How This Benefits CycloneDX Adopters
Wednesday, October 11, 2023
The OWASP Foundation recently announced its membership in Ecma International, a leading standards development organization comprised of key global technology companies.
OWASP Juice Shop 2023 achievements and beyond
Tuesday, October 10, 2023
OWASP Juice Shop had a great year in 2023! Two successful GSoC projects, a brand-new Score Board, MultiJuicer joining the project scope and much more! Read on to learn all about this as well as the team’s plans for the 10th anniversary of OWASP Juice Shop in 2024!
AppThreat dep-scan is now OWASP dep-scan
Thursday, October 5, 2023
We are super excited to announce a free open-source dependency audit tool, OWASP dep-scan. The project enables auditing of software supply-chain dependencies, container images, and operating systems for known vulnerabilities and advisories. Special thanks to AppThreat for donating the project.
OWASP CycloneDX - The Missing Standard For Describing Cryptography in Software
Tuesday, October 3, 2023
The CycloneDX Cryptography Working Group felt that the lack of a standard for describing cryptographic assets such as algorithms, certificates, or keys was a good starting point for working with the CycloneDX community to develop one. As part of our day-to-day work, it is not only important to have a consistent standard for representing cryptographic information, but also to establish it as part of a large ecosystem. Documenting the data and services placed at risk by a compromised cryptographic system is an investment in faster, more effective vulnerability response in the future.
OpenCRE Introduces ChatCRE
Monday, September 11, 2023
Would you trust generative AI with an important cyber security question?
We are super excited to announce the world’s first security-specialized chatbot: the powerful OpenCRE-Chat. Using Google’s great conversational PaLM AI technology, we created a large language model that uses the standards collected in OpenCRE as its main resource for answering questions about information security. The advantage of this approach is that the answers are more reliable, since they come from vetted and leading standards (ISO, NIST, CAPEC, Mitre, OWASP etc.), plus the Chatbot provides the right references with the answers. In contrast, regular chatbots typically do not provide references, and they take their information from the entire internet, which can be a problem if the answer is a hallucination, or comes from an unreliable, outdated or even manipulated source.
ZAP Core Team to move to Linux Foundation
Wednesday, August 2, 2023
Congratulations to the ZAP Core Team
I want to express my heartfelt congratulations to two members of the ZAP core team, Simon Bennetts and Ricardo Pereira, for joining the Linux Foundation full-time. This move brings about something that Simon has long wished for, that is described in the Open Letter he mentions and that he talked about during his keynote address in Dublin 2022. That is, a place for him to work on ZAP full time, and a place for him to build a team around doing that, which means the money to do both.
OWASP API Security Top 10 2023 has been released
Monday, July 3, 2023
The OWASP API Security Project has just released an updated version of the OWASP Top 10 for APIs.
A lot has changed in the field of API Security since the first edition was published four years ago (2019). Updating the list required us to keep up with new trends and talk to security experts from different industries to make the information more accessible to everyone.
The 2023 list is a result of the amazing effort put in by the OWASP community and project contributors.
Here are three new trends from the list:
- Authorization remains the biggest challenge in API Security. Three out of the top five items are related to authorization (access control). Modern API-based applications are becoming increasingly complex, with thousands of API endpoints and countless parameters. When you add user hierarchies into the mix, it becomes a recipe for unpredictable behaviors that may not only hurt the system but also organizations’ reputation.
- We’ve added a new item called “Unrestricted Access to Sensitive Business Flows” to address emerging risks like Scalping and Fake Account Creation. This trend highlights the importance of not only secure coding but also secure planning and design when building a new application. With APIs allowing easy access for bots, it’s crucial to identify sensitive business flows and choose appropriate protection measures.
- Server Side Request Forgery (SSRF) has been added to the list. While SSRF is not a new vulnerability, it has become more prevalent and severe in API-based applications. The popularity of web hooks, for example, has made it easier for hackers to exploit SSRF vulnerabilities. Furthermore, the management/control REST APIs of Cloud, K8S, and Docker make exploitation easier.
If you want to learn more, please check the project page or the OWASP API Security Top 10 website.
Thanks, The OWASP API Security Project team
How CycloneDX v1.5 Increases Trust and Transparency in More Industries
Friday, June 23, 2023
OWASP is often the first to reveal new, innovative ways to leverage SBOM. The release of CycloneDX version 1.5 is no different, opening up SBOM adoption to new industries and introducing numerous ways to customize CycloneDX SBOMs to indicate quality, show transparency, and expedite vulnerability remediation while increasing trust in the supply chain.
Coraza v3.0.0 Release!
Thursday, June 1, 2023
Exciting news from the Coraza family! 🎉
Today, we’re thrilled to announce the release of OWASP Coraza Web Application Firewall (WAF) version v3.0.0, a groundbreaking update to our beloved security tool. This major release significantly reworks Coraza, making it faster, more developer-friendly, and thoroughly cloud-native. Key Updates Include:
1️⃣ Performance Boost: We’ve improved performance up to 100 times through several enhancements. Special mention goes to our new debug logs system based on Zerolog, optimized variable collection types, and the cache transformation logic across the same transaction.
2️⃣ Revamped API: We’ve made our API more user-friendly and straightforward.
Two Year OWASP Membership Drive
Thursday, May 25, 2023
OWASP is a global community of volunteers who are passionate about improving the security of software. We are excited to announce a two year membership drive to help us grow our community and increase our impact. From May 25 until the end of June, the price of Two Year Individual Membership has been reduced by 15% for standard and regional membership types. This is a great opportunity to join OWASP or extend your existing membership at a discounted rate.
OWASP @ RSA
Friday, May 5, 2023
OWASP was invited to RSA this year and given both a table in the exhibitor hall and a whole morning track upstairs from the hall. Several board members made the trip out and we manned the booth and presented there.
The booth in the exhibitor hall was not huge and in traditional OWASP style it was not ostentatious, however, it did have loads of OWASP branded swag that turned out to be very popular with the attendees. We had over 1,000 conversations at RSA this year and (almost) everyone knew who we were,[1] and they were all very happy to see us.
[1] There was one person who didn’t, but he worked AV and was trolling the vendor hall looking for swag. He did leave enlightened however (and with a beach-ball for his kids)!
Strategic direction of OWASP (part 1)
Friday, March 31, 2023
The board and I have had an interesting three months thus far, what with the open letter the resignation of Mark Curphey and a record number of board meetings (8) and scheduled board hours (20) for this period of the year (only 3 months so far). But what did all that actually achieve?
GSuite Account Cleanup
Thursday, March 23, 2023
Today, we crossed 10,000 accounts in our GSuite instance. This is a great milestone, but it also means that we have no more seats to give to new members. We currently have 6600 financial members, so there are 3400 expired members today. We need to do a spring clean.
We will be deleting old accounts of long-expired members, initially those that are more than three years out of date. So if you’ve let your membership expire before March 2020, your data will be gone. This will affect 1400 accounts initially.
Resignation of Mark Curphey
Monday, March 20, 2023
At 09:30 GMT today Mark Curphey officially announced his resignation from the OWASP global board of Directors. It didn’t come as a surprise to the board, as he announced his desire to resign during the last board meeting he attended last week on Thursday the 16th of March. It also shouldn’t have come as a surprise to the OWASP community in general as Mark also announced it on LinkedIn on the Friday following that meeting.
Strategic Plan 2023 - an update for the open letter
Friday, March 10, 2023
The Board is conducting the first strategic review and planning since COVID struck in 2020. The Open Letter calls for an update 30 days from publication, and that time is about up. I am writing to fill you in on where we are at and what still needs to be done.
OWASP Foundation Announces CycloneDX Project Momentum with Contribution from IBM to Advance Software Supply Chain Security
Wednesday, March 1, 2023
The OWASP Foundation (Open Worldwide Application Security Project) and IBM today announced IBM’s contribution of two open source projects, SBOM Utility and License Scanner, to CycloneDX, a flagship OWASP project and a leading Bill of Materials (BOM) standard. These projects promote the validation, content analysis and accuracy of software license information included within BOMs in support of increasing trust across open hardware and software supply chains.
OWASP Low-Code/No-Code Top 10 Upcoming Meetup
Wednesday, February 15, 2023
We are thrilled to invite you to a virtual meetup for the OWASP Low-Code/No-Code Top 10 project! Join us to learn from industry experts and be part of the LCNC security community.
Vulnerability and Exploitability Transparency - VDR & VEX
Tuesday, February 7, 2023
I’ve been meaning to write this article for about six months and, honestly, should have done it sooner. But let’s get on with it. With the rise of SBOM and software transparency, there is an equal push to be transparent about the vulnerabilities and their exploitability in the software we create and consume. These are all good things. In this article, I’ll be discussing two very different approaches, Vulnerability Disclosure Report (VDR) and Vulnerability Exploitability eXchange (VEX).
Celebrating 10 Years of OWASP Dependency-Track
Tuesday, January 10, 2023
This year, OWASP Dependency-Track is celebrating its 10th anniversary. It has been an unexpectedly wild ride, but an extremely gratifying and rewarding experience knowing that the project has helped countless individuals, organizations, and governments.
Ubiq OWASP Member Benefit
Wednesday, January 4, 2023
OWASP and Ubiq Partner to Offer Application-layer Encryption Member Benefit
OWASP is pleased to partner with Ubiq Security (Ubiq) to offer members advanced access to their API-based application-layer encryption and key management as code (SaaS) platform, to help them better protect sensitive application data, and not rely on ineffective storage-layer encryption solutions such as transparent data encryption or server-side encryption.
Share Your Feedback And Help Improve OWASP.org Site
Tuesday, November 15, 2022
Netguru are leading a project, pro bono, as part of their #techforgood initiative, to improve the user experience of owasp.org. As part of this project, they are conducting a user experience study, to understand how people use the site today, what works and what doesn’t work.
We need your help! Please respond to this survey which consists of 11 simple questions and should take you no more than 3 minutes to complete.
Data will be only used by the project teams and deleted after the project ends.
OWASP Top 10 CI/CD Security Risks
Thursday, November 10, 2022
We’re excited to announce the “Top 10 CI/CD Security Risks” framework is now officially an OWASP project, titled “OWASP Top 10 CI/CD Security Risks”!
Help OWASP SAMM Improve Global Software Security
Friday, October 28, 2022
OWASP SAMM (Software Assurance Maturity Model) is the OWASP framework to help your organization assess, formulate, and implement a strategy for software security that can be integrated into your existing Software Development Lifecycle (SDLC). OWASP SAMM is fit for most contexts: whether your organization is mainly developing, outsourcing, or acquiring software, and whether you are using a waterfall, an agile or a DevOps method, the same model can be applied.
Co-marketing and chapter meeting co-hosting procedures
Thursday, October 20, 2022
From time to time, leaders will bring an opportunity to support a similar organization, such as promoting another organization’s event or seminar, staffing a booth or desk, or running a Capture the Flag event. Often the leader wants to promote the activity through OWASP’s platforms because, in all likelihood, it will interest OWASP members. We call these arrangements “co-marketing,” and there’s a process to getting them approved so that OWASP is not abused as a free marketing tool by others.
Here’s how to get your co-marketing approved quickly and efficiently by supplying the correct information early. Not all co-marketing will be approved, as most of the requests we receive are not OWASP-like or are simply trying to use OWASP’s large audience as free marketing.
Here’s how to get it done:
Introducing new "Production" project maturity level
Monday, October 3, 2022
In order to distinguish projects more clearly over their lifecycle, OWASP has introduced a new Production maturity level. It offers a natural and final step for all projects of sufficient maturity and activity after Lab status, and allows Flagship to finally be treated as the strategic bonus level it was always meant to be. Along with the new level, clear guidance on progression requirements and the promotion process has been documented by the Project Committee.
Raising the bar for application security assessments with the ASVS and MASVS
Tuesday, September 20, 2022
Over the years, Google has continually leveraged OWASP internally as well as externally as part of their developer education around Android and Google Cloud security best practices. This includes presentations at various conferences such as Droidcon and online guidance for Google Cloud. Earlier this year, Google started going a little further by analyzing OWASP MASVS and ASVS to see if these two standards can be used more prescriptively within their developer community.
New Recommendations to Improve The NVD
Tuesday, September 13, 2022
New recommendations drafted by members of OWASP, The Linux Foundation, Oracle, and others, aim to improve the accuracy of the NVD with a focus on modern, automated use cases. The group, informally named the “SBOM Forum”, is led by supply chain consultant and blogger, Tom Alrich. Their first paper, titled A Proposal to Operationalize Component Identification for Vulnerability Management, recommends that MITRE and the NVD adopt Package URL for the identification of open source and commercial software along with multiple GS1 standards for hardware. In doing so, the accuracy of vulnerability management can be dramatically improved while increasing the efficiency and effectiveness of the teams doing it.
Update on the bylaws
Thursday, August 25, 2022
The OWASP Foundation is currently in the process of updating the bylaws due to the existing bylaws not being valid. We have received a draft that we believe is ready to be approved, but we are still waiting upon the Board to hold an Executive Session on the status of fees and membership privileges.
Once we have clarity on the status of members’ fees and privileges, the process of ratification can begin.
Update on COVID Restrictions
Thursday, July 28, 2022
Sadly, COVID is here to stay. We must learn to live with it. At some point in the future, the risk from COVID will be a great deal less than it is now. So it’s time to turn the temporary COVID restrictions into permanent policy. We can always amend, replace, or repeal the policy at some point in the future. Read on for more information.
Update on the bylaw survey and sneak peek at the AMS
Tuesday, June 7, 2022
We will need to hold a member vote on the new bylaws, and for that reason, we are announcing Town Halls for June 28, with the vote likely to start on July 1, or at the latest in concert with the next Board Election starting August 15.
Thank you to everyone who participated in the Survey. I am pleased to announce that the following Members have won a ticket to a Global AppSec of their choosing:
- Marianne Busch
- Amit Dubey
- David Ochel
We are making progress on both the bylaws and the association management platform. You can also have an early sneak peek at our new AMS and the draft bylaws.
For more, please read on.
Roadmap to version 5.0 of the OWASP ASVS project
Sunday, May 15, 2022
On behalf of the OWASP ASVS leadership team, we are excited to publicise the objectives and roadmap for the upcoming version 5.0 of the flagship OWASP Application Security Verification Standard (ASVS) project. We are hoping to be able to release a final version by the end of the year, but there is a lot to do and we need your help!
Our first milestone is the end of May by when we would like to have as much feedback as possible on the current standard so as to start planning how the next version will look.
You may wish to read through the full objectives and roadmap document (or keep reading this post), review the current “bleeding edge” version of the ASVS document, and check out our guide to contributing which also includes guidance of the process to go through to provide feedback.
Whilst following that guidance, you are then welcome to respond to existing issues or open a new issue if your topic has not previously been raised.
OWASP Members - submit your views to our bylaw survey for a chance to win an AppSec Virtual or AppSec Global pass
Tuesday, April 12, 2022
Recently, we received legal advice on the upcoming Leaders as Members bylaw and policy changes. Long story short, we may need eligible OWASP members to vote to approve a new or updated certificate of incorporation and bylaws. The required changes are so extensive, that we may need to replace our bylaws with much newer ones. Therefore, OWASP is consulting with OWASP Members on our bylaws’ membership classes and their rights, privileges, and powers.
Bylaws and membership rights are both incredibly important and yet incredibly boring unless you are a policy wonk. To encourage survey submissions, the OWASP Foundation is offering a prize for three random OWASP members who complete the survey: a pass to any OWASP Global AppSec conference held in 2022, including OWASP 2022 Global AppSec Europe Virtual Event, OWASP 2022 Global AppSec AsiaPac Virtual Event, and OWASP 2022 Global AppSec San Francisco. See conditions of entry below for the fine print.
Security Journey Provides Free Application Security Training Environment for OWASP Members
Thursday, April 7, 2022
OWASP ® and Security Journey partner to provide OWASP ® members access to a customized training path focused on OWASP ® Top 10 lists.
Security Journey, the leader in culture-changing web application security training, announces a partnership with OWASP, a nonprofit foundation that works to improve web application software security. Security Journey has created a custom belt path for OWASP members covering a wide variety of the content OWASP releases. The Security Journey training platform, which uses a martial arts-themed belt program to deliver lessons, includes a unique Security Journey Belt Certification for OWASP® Core Concepts with lessons for multiple OWASP projects, such as the OWASP Mobile Top 10, OWASP API Security Top 10, OWASP Proactive Controls, and the OWASP Top 10 2017 and 2021.
OWASP Leader Town Halls - Leaders as Members
Monday, March 28, 2022
I have scheduled three Leader Town Halls this coming Thursday to cover all major time zones to discuss the changes required by our new AMS platform, YourMembership. From an organizational governance perspective, members are the owners of the organization, and that’s why we require Board members to be paid members. Leading governance practices often require that non-members should not be able to make decisions or lead an organization.
“A formal membership organization is a nonprofit that grants its members specific rights to participate in its internal affairs. These rights are established in the articles of incorporation and defined in more detail in the bylaws. Usually in a formal membership organization, members elect the board and/or the officers; approve changes in the bylaws; and authorize major transactions such as mergers and dissolution of the organization. In short, members have a strong interest and voice in the future of the organization and not only in the tangible benefits that they may receive as members.”
OWASP has been practically unique since its inception in not requiring leaders to be members. All the AMS systems we evaluated, including the one we selected, have a deeply built-in requirement that self-service group (chapter, project, committee, etc.) management is reserved for members, so it is not possible for us to avoid this issue any longer.
There are several ways it could be managed, some better than others.
OWASP Membership Data Cleanup - please verify your membership
Friday, March 25, 2022
Over the last few months, many have received a great deal of communication about their impending email deactivation. For most of the accounts affected, this is actually what was supposed to have happened a long time ago, because as memberships expire, the corresponding accounts should be deactivated. The issue is that some members have multiple records or incorrect data. This automation will process expired memberships on an ongoing basis and will eventually find all incorrect membership data. It only deactivates the account, so it is very easy for us to get things back on the right track.
We need your help. Our call to action is that every member should log in to the OWASP Membership portal with their owasp.org email address, review, and as necessary update their membership data and contact preferences. Please update your membership record. If you can’t log in, please log a support ticket.
OWASP ModSecurity CRS Project Adds Third Leader
Wednesday, March 16, 2022
The OWASP ModSecurity Core Rule Set project is very happy to announce Felipe Zipitría as a new and third Co-Leader. Felipe joins Walter Hop and Christian Folini in his new role.
Felipe Zipitría holds a master of computer science from the University of the Republic in Montevideo, Uruguay. He worked as a system administrator for the faculty of engineering for several years and also lectures on security at the University.
His jobs include a position as security architect and consultant at Tilsor in Uruguay and then remote work as an infrastructure security team lead at Perceptyx, Inc. He currently works as a senior security engineer at US based Life360.
OWASP's assistance to those affected by the Ukraine War, and an update on sanctions
Tuesday, March 15, 2022
OWASP’s mission is to improve the state of appsec throughout the world. The war in Ukraine has made us realize that OWASP hasn’t sufficiently defined how we can best assist countries affected by force majeure events, such as wars, riots, disasters, or extreme weather.
We encourage everyone to assist our Ukrainian members and donate to non-political aid organizations, such as the International Red Cross. We ask our community to assist in any way, including donating and volunteering to provide assistance asked by our Ukrainian leaders and members. Please tune into #owasp-community on Slack if you can help.
OWASP is mandated by US 501(c)(3) non-profit regulations to be non-political. Despite many of us in our community rightly having strong personal feelings about the war, OWASP is not permitted to make political statements.
OWASP Foundation and AppSec Phoenix Announce Member Benefit
Tuesday, February 15, 2022
The OWASP Foundation is extremely excited to announce the first NEW member benefit for 2022; we have partnered with AppSec Phoenix to make the Community Edition and scanners of their application security posture platform free for all OWASP Members!
See the joint Press Release for details or watch the YouTube Video Announcement
End of year thank you! Corporate Membership or Donations, 20th Anniversary keynotes, Distinguished Lifetime Members, Waspy Awards, Multi-Factor Authentication, oh my!
Thursday, December 23, 2021
This year has been extremely challenging, and it looks like 2022 will be more of the same. But in the meantime, we have had some amazing successes, and I want to celebrate them. So here’s a very overdue and yet still timely end of year blog blow out!
Read on to learn about our end of year Donation and Corporate membership drive, 20th Anniversary keynotes, Distinguished Lifetime Members and WASPY Awards announcements, and lastly how we intend to implement multi-factor authentication by the end of Q1 2022.
OWASP Core Ruleset Project announces Coraza SecLang engine
Wednesday, December 22, 2021
The OWASP ModSecurity Core Rule Set project has been waiting for an alternative WAF engine for quite some time. But the waiting is coming to an end now with the arrival of the new Coraza WAF, a fully compliant OSS WAF engine able to run CRS in production.
Project Update Request - Log4J
Monday, December 13, 2021
A vulnerability in log4j, CVE-2021-44228, was recently reported. It carries the maximum CVSS severity score of 10.0 (Critical). All potentially affected OWASP projects should review their use of log4j and update their code and dependencies to mitigate the impact of the vulnerability. Further information can be found at the links provided.
NIST National Vulnerability Database
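The Python script below is an added example, not code from the SBOM Forum paper, the NVD, or any OWASP project. It ties together two points made on this page: the SBOM Forum’s recommendation (above) that vulnerability records identify components by Package URL, and this post’s request that projects check whether they ship an affected log4j. It parses purl strings into their typed parts, then matches a constructed component list (the kind of data a CycloneDX SBOM carries in its per-component “purl” field) against a single advisory record for CVE-2021-44228. The affected range (log4j-core 2.0-beta9 up to, but not including, 2.15.0) is taken from the NVD entry, not from this page; the component list is constructed sample data, and the version ordering is a simplified Maven-style comparison rather than a full implementation of either the purl or the Maven version specification.

```python
"""Match Package URLs (purl) from an SBOM against one advisory record.

Added example: not code from any OWASP project. The advisory record and
the component list below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Dict[str, str]
    subpath: Optional[str]


def parse_purl(purl: str) -> Purl:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into parts.

    Follows the purl spec's parsing order (subpath, qualifiers, version,
    then the path) but skips type-specific name normalisation.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a Package URL: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")

    subpath = None
    if "#" in rest:
        rest, raw = rest.split("#", 1)
        segments = [unquote(s) for s in raw.strip("/").split("/")
                    if s not in ("", ".", "..")]
        subpath = "/".join(segments) or None

    qualifiers: Dict[str, str] = {}
    if "?" in rest:
        rest, raw = rest.split("?", 1)
        for pair in raw.split("&"):
            key, _, value = pair.partition("=")
            if key and value:
                qualifiers[key.lower()] = unquote(value)

    version = None
    if "@" in rest:
        rest, raw = rest.rsplit("@", 1)
        version = unquote(raw) or None

    parts = [p for p in rest.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"purl needs at least a type and a name: {purl!r}")
    ptype = parts[0].lower()
    name = unquote(parts[-1])
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    return Purl(ptype, namespace, name, version, qualifiers, subpath)


def version_key(version: str) -> Tuple[Tuple[int, ...], int, str]:
    """Sort key for Maven-style versions: '2.0-beta9' < '2.0' < '2.14.1'.

    Simplification: a numeric dotted core, then any '-qualifier' counts as
    a pre-release of that core. Sufficient for log4j's version scheme.
    """
    core, _, qualifier = version.partition("-")
    nums = tuple(int(x) if x.isdigit() else 0 for x in core.split("."))
    nums += (0,) * max(0, 3 - len(nums))
    return (nums, 0 if qualifier else 1, qualifier.lower())


# Constructed advisory record; the range is the NVD's for CVE-2021-44228.
ADVISORY = {
    "id": "CVE-2021-44228",
    "type": "maven",
    "namespace": "org.apache.logging.log4j",
    "name": "log4j-core",
    "introduced": "2.0-beta9",
    "fixed": "2.15.0",
}

# Constructed sample component list (one purl per SBOM component).
SAMPLE_SBOM = [
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar",
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9",
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
    "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1",
    "pkg:maven/log4j/log4j@1.2.17",
    "pkg:npm/%40scope/log4js@6.3.0",
]


def is_affected(purl: Purl, advisory: Dict[str, str] = ADVISORY) -> bool:
    """True when the purl names the advisory's component inside its range."""
    if (purl.type, purl.namespace, purl.name) != (
            advisory["type"], advisory["namespace"], advisory["name"]):
        return False  # other coordinates: log4j-api, log4j 1.x, npm log4js
    if purl.version is None:
        return True  # unversioned entry: flag it rather than assume it is fixed
    return (version_key(advisory["introduced"])
            <= version_key(purl.version)
            < version_key(advisory["fixed"]))


def find_affected(purls: List[str], advisory: Dict[str, str] = ADVISORY) -> List[str]:
    """Return the purl strings from an SBOM that match the advisory."""
    return [p for p in purls if is_affected(parse_purl(p), advisory)]


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM):
        print(f"{ADVISORY['id']}: {hit}")
```

Exact purl coordinates keep log4j-api, the old log4j:log4j 1.x artifact and the unrelated npm package log4js out of the match, which is the precision the proposal is after; an entry with no version is reported so that a person looks at it rather than having it pass silently.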
PurpleTeam TLS Tester Implementation
Wednesday, December 1, 2021
The PurpleTeam TLS Tester is now implemented. All core components were released as version 1.0.0-alpha.3. To hear about the highlights and significant changes that were made as part of the release, see the following
Please register for an Events Town Hall option in your timezone
Wednesday, November 10, 2021
The OWASP Foundation Events Team will be holding three Town Halls across most timezones this coming November 30.
OWASP Partners With we45 for AppSecEngineer Training Member Benefit
Tuesday, November 2, 2021
The OWASP Foundation is very pleased to announce that we45 has become our latest partner, providing a DevSecOps training membership benefit to OWASP members through AppSecEngineer.
I thank we45 for their generous support of OWASP, providing free DevSecOps and Security Automation Training to OWASP members through their Training Suite, AppSecEngineer. Today, DevSecOps is the predominant method of developing and operating secure systems, and it’s time for our industry to move away from ‘stage gates’ and being a blocker, to understanding how high-performance development teams build software. AppSecEngineer’s online training will help all OWASP members drastically improve their skills and knowledge in secure software development.
Announcing Lauren Thomas as our new Events Coordinator
Tuesday, October 12, 2021
I am very pleased to announce that the OWASP Foundation has recruited Lauren Thomas as our new Events Coordinator. I’m sure those of you involved with Events will welcome Lauren’s appointment!
OWASP Mobile Security Testing Guide Release
Thursday, July 29, 2021
Earlier this week we (Carlos Holguera and myself) created a new release of the OWASP Mobile Security Testing Guide!
For this release we adapted the document build pipeline from the OWASP Mobile AppSec Verification Standard (MASVS) and can now automatically create a release of the MSTG as PDF, docx and ePub, which allows us to release more frequently. If you are interested in the magic behind it, you can find the GitHub Action of the release here
We want to thank:
- Jeroen Beckers for all the continuous support and his valuable input for the OWASP MSTG project in general,
- Jeroen Willemsen for all the support in the last year to get us on the right track for the build pipeline and
Announcing a new partnership with We Hack Purple, awesome OWASP member benefit immediately available
Wednesday, July 14, 2021
As part of the OWASP & We Hack Purple partnership, all OWASP members are now provided free access to the Application Security Foundations Level 1 course from WHP! This introductory AppSec course will answer all your burning questions and define all the technical terms right at the start. Then we will set goals for your AppSec program at work as an exercise. After this, we dive deep into every type of application security activity and tool on the market while sprinkling you with quizzes and exercises. As a final project, we make an AppSec program action plan for you to bring back to work with you. This on-demand course is FREE for all OWASP members!
To access the course, read on, sign up with your OWASP.org email address, and start learning.
Membership Portal Launches
Monday, July 5, 2021
The new OWASP Membership Portal soft launched on July 1st. The membership portal displays information about your OWASP membership and also allows you to edit your personal details. In addition, the portal provides links to content that is of interest to members including certain membership benefits. You can access the portal using your OWASP Foundation email address by clicking on Membership Portal.
OWASP Call for Trainers is Open for Global AppSec 2021 with Focus on Fresh Ideas
Friday, July 2, 2021
The OWASP Foundation launched its Call for Trainers (CfT) on July 1st for this year’s upcoming Global AppSec US 2021 Virtual conference.
OWASP Trainings are historically held in conjunction with Global AppSec events, ahead of the conference days. This year, with recovery from the COVID-19 pandemic still under way, the Foundation will host the event virtually once again and is exploring options for the training courses to be virtual with a possible hybrid offering.
CVE-2021-35368 - CRS Request Body Bypass
Wednesday, June 30, 2021
The OWASP ModSecurity Core Rule Set (CRS) is affected by a request body bypass that abuses trailing pathname information. When an application server accepts additional path info as part of the request URI, a backend vulnerability can thus be exploited despite the application being protected with the CRS web application firewall rule set. All known CRS installations that offer the predefined CRS rule exclusion packages are affected. This applies to the end-of-life CRS versions 3.1.0 and 3.1.1 as well as the currently supported versions 3.2.0 and 3.3.0. Integrators and users are advised to upgrade.
For details and links to the new releases, please visit:
2021 AppSec Pacific Northwest Launches
Monday, June 21, 2021
OWASP Vancouver, Victoria, and Portland hosted the first AppSec Pacific Northwest on Saturday. This sold out virtual event featured keynotes from Kymberlee Price and Jim Manico. Content included builder, breaker, and defender talks and labs by established and emerging chapter members and a few of our global community of project leaders. Videos will be posted soon for those who missed the conference on the AppSecPNW YouTube channel. Next year will hopefully be in person so be sure to follow @pnwseccon on twitter or visit the conference website at pnwcon.com.
The Pacific Northwest chapters want to create an event to highlight our local membership’s talent, build community between our chapters, and engage the wider OWASP community to come explore our beautiful region. This year we had to do it virtually because of COVID, but we consider it to be a huge success. The organizers got to know each other quite well in the planning and execution of the event, our volunteers were rockstars on the day of the conference making everything happen, true talent was displayed through our lineup of speakers, and there clearly was interest even in spite of Zoom fatigue, with over 1000 registrants.
CycloneDX joins OWASP as a flagship project
Friday, June 11, 2021
The CycloneDX project, creators of the leading Software Bill of Materials (SBOM) format, announced they will be joining OWASP Foundation as a Flagship Project. This move will provide resources to the CycloneDX project while strengthening OWASP as the leading non-profit security organization providing tools, documentation, and standards.
OWASP Membership Portal and Email Cleanup
Sunday, June 6, 2021
Updated 6/29/2021
Beginning in July, OWASP will be launching a new Membership Portal. The portal will display information about your OWASP membership and will also allow you to edit your personal details. In addition, the portal will provide links to content that is of interest to members including certain membership benefits. Be on the lookout for further information about the upcoming Membership Portal as we get nearer to launch.
Also beginning later in July, as a necessary step to a proper membership portal, the owasp.org email address inventory will be cleaned up and any email addresses that do not belong to the following groups of people will be deactivated within 15 days of removal from all of these groups:
- OWASP Members (having an active one year, two year, or lifetime membership)
- Project Leaders
- Chapter Leaders
- Event Leaders
- Committee Leaders
OWASP Foundation to help government, electronic voting, defence, and critical infrastructure ISVs and contractors to modernize, collaborate, and secure their software and secure their supply chain
Thursday, May 13, 2021
With the announcement today of the US Government’s Executive Order on “Improving the Nation’s Cybersecurity”, OWASP is working to establish vendor-neutral special interest groups to help organizations securely share information, rapidly adopt and adapt existing OWASP standards, projects, and tools such as the OWASP Application Security Verification Standard, the OWASP Mobile Testing Guide, OWASP Dependency Track to help secure the software supply chain, OWASP SAMM, and the OWASP Cheat Sheet Series. Adoption of OWASP standards and tooling can help government agencies, contractors and vendors rapidly comply with the EO today using OWASP’s trusted advice over the last 20 years, that already exists and is ready to go. There is more to be built, which is why we want to help industry, vendors, contractors, and agencies work together to improve the applicability of these standards to their particular use cases.
Events Committee - call for volunteers
Tuesday, May 11, 2021
Hi all, over the last decade or more, many of us have been organising OWASP events within our community.
One of the problems we have is that there is no standardised place with content on how to create a repeatable event, nor is there a central team of volunteers that the community can reach out to to seek advice when creating an event.
To solve this and help drive stronger events I propose we form an events committee. The purpose of this committee would be to offer knowledge and/or resources to empower volunteers to spread OWASP’s message through hosting events.
New OWASP Fundraising Store
Wednesday, April 28, 2021
In celebration of our 20th Anniversary, OWASP is pleased to announce our new merchandise store where you can purchase a range of t-shirts, hoodies, stickers, mugs, masks, and more. Each purchase you make helps fund the OWASP mission.
Go to the OWASP Fundraising Store
The OWASP Foundation store is strictly for fundraising purposes. There will be no reimbursements from OWASP for any purchases.
OWASP Foundation Statement on Anti-Harassment
Tuesday, March 30, 2021
This week has been a stark reminder that having a policy against harassment and abuse is an empty promise if there is not a fully-functioning process behind it to ensure complaints are heard and fairly addressed, with egregious violators permanently removed from the community.
OWASP stands with victims of harassment and abuse and unequivocally condemns abuse in all of its forms. Our commitment to our community is to ensure our meetings, activities, and events are a safe space that is welcoming to all and providing a competent mechanism for victims to report incidents and receive a swift outcome.
2021 March OWASP Call to Battle Post Event Wrap-up
Tuesday, March 16, 2021
Veracode Secure Coding Challenge Summary
The Call To Battle Secure Coding challenge brought together developers and security engineers two weeks ago to show off their secure coding skills. Using Veracode’s Security Labs Enterprise, all of the contestants worked on patching real OWASP Top 10 vulnerabilities in containerized environments, using the languages of their choice. The more languages a competitor knows, the more points they can score. Out of the 18 fierce competitors, we had 9 who finished at the top of the leaderboard with 440 points, but it’s also not just about completing the labs and getting the points, it’s also about how fast you can solve each one.
20th Anniversary Event Call for Speakers
Monday, March 8, 2021
The OWASP Foundation is proud to announce our 20th Anniversary on September 24, 2021. For two decades, OWASP Foundation has served the application security and devsecops industries as a leader in open source information, industry leading projects, and a global community of peers.
With a year of celebration ahead, the Event team is excited to join this effort by announcing a special 20th Anniversary Virtual Event: Securing the Next 20 Years. The event will be held on September 24th and feature 24-hours of speakers from around the globe broadcasting across all timezones. The event will encompass a message of future forward thinking, influences from our history, and hot topics relevant today.
Help the OWASP SCVS Project
Friday, March 5, 2021
The OWASP Software Component Verification Standard project is conducting the 2021 State of the SBOM Survey. Community participation is essential in helping the project assess the current and future role that Software Bill of Materials play in the industry.
For those unfamiliar with the project, SCVS seeks to establish a framework for identifying activities, controls, and best practices, which can help in identifying and reducing risk in a software supply chain. Designed to be implemented incrementally, the Software Component Verification Standard has the following goals:
- Develop a common set of activities, controls, and best-practices that can reduce risk in a software supply chain
- Identify a baseline and path to mature software supply chain vigilance
OWASP 20th Anniversary kicks off!
Wednesday, March 3, 2021
September 24, 2021 marks OWASP’s 20th Anniversary! We are kicking off our 20th Anniversary celebrations with a 20% off two-year membership sale, starting right now and running for the next 20 days. 20% off a two-year membership or renewal is a great way to support us and get involved in our community! We have a lot more planned throughout the year!
Join or renew today: https://owasp.org/membership/
February COVID Restrictions Update
Friday, February 26, 2021
At the end of every month, I review the Temporary COVID Restrictions and look around the world to see what’s happening. I think we’re all looking forward to getting back to normal now that there’s a vaccine and it seems to be doing a tremendous job of reducing deaths and hospitalizations. In the meantime, we still need to be staying safe. To that end, I’ve simplified the restrictions a lot, and also made it clear when we can start to return to physical events.
Brain Breaks Recap
Wednesday, February 24, 2021
The OWASP Foundation hosted the first-ever OWASP Brain Break entertainment event on Thursday February 18th, featuring comedian Jeff Shaw.
The new event series is just one in a line-up of a variety of virtual based events planned for OWASP Foundation’s 2021 calendar. With intentional planning around this event series, the foundation’s goal is to create a fun, mind-breaking escape for our community as we all continue to navigate the global pandemic.
Announcing Brain Breaks, starting with comedian Jeff Shaw
Wednesday, February 3, 2021
The OWASP Foundation is excited to announce the launch of a new event series created with our community in mind. Our Brain Break event series is an entertainment-based event program we’ve created for 2021 and we’re excited to announce our first event on February 18th featuring comedian Jeff Shaw.
OWASP 2021 Board of Directors
Tuesday, January 26, 2021
Today, the incoming OWASP Board of Directors voted Sherif Mansour as Chair, Vandana Verma as Vice Chair, Grant Ongers as Treasurer and Bil Corry as Secretary.
We’ve got a dream team of OWASP Board Members, voted in by our amazing Community. Honestly, today feels like Christmas to me. Read on to find out more.
Kelly Santalucia appointed as Director of Events and Corporate Support
Monday, January 18, 2021
It is my pleasure to announce Kelly Santalucia’s appointment as OWASP’s Director of Events and Corporate Support, effective January 1, 2021. In December 2020, our previous Events Director, Emily Berman, chose to move on to a new events opportunity, and I thank her for her efforts during her tenure.
I am honored and excited to serve the OWASP Community as your Director of Events and Corporate Support. I have been a team member of the Foundation for over ten years. I began my journey here at OWASP as the NYC local chapter coordinator under Tom Brennan’s leadership. Shortly after, an opportunity became available, and I joined the OWASP global staff as the Foundation’s Membership and Business Liaison. As the years progressed, I moved into the Senior Manager of Sponsorship and Membership role, followed by the Director of Corporate Support and, most recently, the Director of Events and Corporate Support.
Dependency Track v4 Release
Friday, January 8, 2021
Over the last few years, the OWASP Dependency-Track project has led an industry shift towards framing open source risk as a subset of software supply chain risk. Dependency-Track was one of the first platforms to fully embrace the Software Bill of Materials (SBOM) as a core tenet and design principle. The project is credited with the creation of CycloneDX, an open source SBOM standard used by thousands of organizations and referenced by multiple RFCs and related supply chain initiatives.
Dependency-Track v3 has proven that SBOMs can be created, consumed, and analyzed at high velocity in modern build pipelines, and it has proven the value of full-stack transparency for IoT and embedded devices. Based on feedback from the community, from industry, and from government-led software transparency efforts, the project has made strategic enhancements to the software that set the stage for future capabilities that are only achievable through the use of SBOMs.
OWASP SecureFlag Open Platform Member Benefit
Thursday, December 24, 2020
As we close the year OWASP Foundation is proud to present a new member benefit in the form of online training provided by OWASP SecureFlag Open Platform. All active OWASP members around the globe now have access to all of the great exercises and training options that the OWASP SecureFlag Open Platform supports and many more besides!
Happy Holidays, and let's hope for a better 2021
Wednesday, December 23, 2020
2020 has been a very challenging year for all, including OWASP. I know a lot of folks are hurting, lost loved ones, or been very sick themselves. Work from home for many has been a challenge, especially if you’re like me and have school-age kids at home who are struggling with online classes. I think everyone is suffering from Zoom fatigue. I want to highlight some of our struggles and successes in 2020 but look forward to a much better 2021.
Note: Our office is closed from Thursday, December 24th, and we reopen on January 4th, 2021.
2021 Call for Trainings Is Now Open!
Tuesday, December 22, 2020
Calling all AppSec Community Trainers, OWASP Foundation is planning a global line-up of Virtual Training throughout 2021. We invite you to submit your training proposals by January 8th.
OWASP, our community, and vendors: a healthy and vendor neutral approach
Thursday, December 17, 2020
OWASP is vendor-neutral
OWASP is renowned for being vendor-neutral. It’s a key part of our four core values:
- Open: Everything at OWASP is radically transparent, from our finances to our code.
- Innovative: We encourage and support innovation and experiments for solutions to software security challenges.
- Global: Anyone around the world is encouraged to participate in the OWASP community.
- Integrity: Our community is respectful, supportive, truthful, and vendor-neutral
That doesn’t mean we are vendor hostile, no vendors allowed, no vendor germs, or anything like that. If you are interested in vendor neutrality, either as an OWASP community member or as a vendor, please read on.
ZAP 10th Birthday Release!!!
Thursday, December 17, 2020
Guest post from Simon Bennetts, better known as @psiion, and the entire ZAP team. ^ ajv
A Quick Introduction to ZAP
In 2009 I was a Java developer and a pentest on one of my services found vulnerabilities that I’d never even heard of. I decided that I needed to learn more about web application security in order to become a better developer.
I quickly discovered OWASP and started going through the wealth of material available, but I knew that I learn best by doing things so I started downloading and playing around with open source security tools. At that time I was also looking for an open source project to contribute to, so this seemed the ideal opportunity to combine those two things. Unfortunately there were not any actively maintained open source web security tools back then, so I took the plunge, forked Paros Proxy (which had been taken closed source) and set out to create the community-led open source project that I wanted to join. Since then ZAP has gone from strength to strength and we now have a core team and hundreds of contributors.
OWASP pytm - a Pythonic framework for Threat Modelling
Tuesday, December 15, 2020
We are back again with another Spotlight series project, and this time we have a very interesting project, pytm, which is around Threat Modeling.
December Time of Giving
Tuesday, December 15, 2020
It’s hard to believe it’s already December! Along with the holiday spirit, December brings increased outreach from charities. For many nonprofits, this is when these organizations receive the bulk of their funding. Individuals are at their most generous and look for ways to help others while also ensuring they get all of their tax deductions*.
In truth, if everyone reading this message right now made a donation to the OWASP Foundation, we’d have the resources needed to greatly expand and improve our projects, chapters, materials, tools, documentation, etc. in 2021.
If the time is right, please take a moment to make a tax-deductible* gift to the OWASP Foundation today. Click the button below to give securely and with ease via credit card.
*As a public charity (IRS PC category), donations to OWASP are likely to be tax deductible to many US based individuals and organizations. Please review the IRS guidance to determine if you are eligible to claim a tax deduction on your next return: https://www.irs.gov/charities-non-profits/charitable-contributions
Web Security Testing Guide v4.2 Released
Thursday, December 3, 2020
The OWASP Web Security Testing Guide team is proud to announce version 4.2 of the Web Security Testing Guide (WSTG)! In keeping with a continuous delivery mindset, this new minor version adds content as well as improves the existing tests.
In recent years, the Web Security Testing Guide has sought to remain your foremost open source resource for web application testing. Our previous release marked a move from a cumbersome wiki platform to the highly collaborative world of GitHub. Since then, over 61 new contributors pushing over 600 commits have helped to make the WSTG better than ever.
Version 4.2 of the Web Security Testing Guide introduces new testing scenarios, updates existing chapters, and offers an improved reading experience with a clearer writing style and chapter layout. Readers will enjoy easier navigation and consistent testing instructions.
... more
Chapter policy review needs your input
Wednesday, November 25, 2020
Members of the OWASP Foundation, we value your commitment and expertise. The Foundation is looking to you to help shape our future and update our Corporate Policies, in this case the Chapters Policy. This is a major ground-up rewrite of the Chapters Policy, done in concert with the Chapters Committee.
... more
Keep your company in the eye of the user!
Tuesday, November 10, 2020
The OWASP Foundation is a not-for-profit organization providing open-source projects, tools, documentation, and more to help security professionals succeed in keeping their company’s data secure. Our open-source materials are supported by the financial contributions of our Corporate Supporters, and those contributions are fundamentally important to our ability to continue providing these resources and fulfilling our mission. Becoming a Corporate Supporter demonstrates a company’s commitment to the community, the Foundation, and the entire AppSec sector.
OWASP strives to provide opportunities to companies with all budget types so everyone can participate. That being said, we are happy to announce that we now offer discounted Corporate Supporter rates for companies in developing regions and discounted rates for start-up companies! Qualify, and be one of the first ten companies to join the Foundation as a corporate supporter to receive a special incentive.
... more
Announcing Honorary Lifetime Membership Reform and Complimentary Membership for Active Leaders
Friday, November 6, 2020
At the October public Board meeting at the Global AppSec 2020 - Virtual, the Board voted on Honorary Membership and active Leader Complimentary Membership reform, and these reforms are now live.
For hardworking OWASP community leaders who have done amazing things for many years, you will finally have a chance of being recognized by the Foundation and your peers for being a true OWASP hero and upholder of our values and mission. For active leaders, you will be pleasantly surprised by a new option available to you.
What is the problem we’re trying to solve?
Typically, for non-profits and charities, the expectation is that community leaders are members. OWASP is almost unique in that we don’t require Membership to participate or make it mandatory for leaders.
Only 17% of OWASP leaders are members of any sort. The Board felt that many non-member leaders could not vote or become Board members, so they were effectively donating their time but could not influence the Foundation or our mission. At the September face-to-face meeting, the Board discussed various membership models and decided to offer active leaders Complimentary membership and reform Honorary Membership.
... more
Vale, OWASP Connector
Thursday, November 5, 2020
This post announces the end of the OWASP Connector. Sadly, the days of email newsletters are done. Read on to find out what we are going to do instead, and we’ve started already.
... more
OWASP and US Government Sanctioned Countries
Friday, October 30, 2020
Recently, our lawyers have reviewed all of our bylaws and contracts. You’ll see the improvements coming through as we bring them online. However, the lawyers found that we had no provisions to prohibit participation or funding from US Government Sanctioned Countries. Once notified, we had to act, as ignorance is not an excuse. The Board has taken action to resolve this issue, and in the process, we have lost a chapter and refunded one member.
Please read on for more details, and more details about future content here.
... more
Voting in the OWASP Board elections is coming to an end!
Thursday, October 29, 2020
Hi OWASP members, voting in the OWASP Board of Directors election closes at 11:59 pm US EDT on Friday, October 30. If you have not yet voted, now is the time. Read on for how to find your ballot, and what happens next.
... more
Meet OWASP Project Leaders virtually at Black Hat USA 2020
Saturday, August 1, 2020
OWASP is an Associate Partner of Black Hat USA 2020 and will be present with its own virtual booth on 5th/6th August. Meet & talk to OWASP staff and volunteers, and take the chance to meet some of our dedicated project leaders.
... more
Announcement of 2020 Board Elections
Friday, July 31, 2020
The future of OWASP is driven by passionate individuals who sit on the Global Board of Directors. They represent you and are elected by you, our members. We have just published the Global Board of Directors elections timeline and procedures.
We ask all members to check that their membership is valid, and necessary communications settings are correct. I encourage anyone to stand for the Board if they are passionate about OWASP, and I encourage every single member to vote.
Lastly, I address the current eligibility issues, what’s changing, and how this year’s elections will not be affected by upcoming changes to our bylaws.
... more
Shaping the Future of OWASP
Thursday, July 23, 2020
Unlike many other groups in the software and security sector, it is important to us that our organization is shaped by our community. This is evident in our volunteer-led Chapters and Projects, in our member-elected Board of Directors, and now in our everyday business policies. In what is planned as an annual effort, the OWASP Foundation is looking for Members to help us update our Corporate Policies. We have identified and developed 16 core policy domains for our operations.
... more
Andrew van der Stock named Executive Director
Monday, June 29, 2020
It is with great pleasure that the OWASP Foundation announces that as of today, Monday 29 June 2020, we have a new, full-time Executive Director (ED), selected from within our own ranks. As of this date, Andrew van der Stock officially takes on the role of ED for the Foundation on a permanent basis.
Andrew is well known to many in the OWASP Community for both his hard work on a number of key OWASP Projects (including the OWASP Top Ten and the OWASP ASVS) as well as for his time on the Global Board of Directors, representing the OWASP Community from 2015 to 2018. He brings years of AppSec experience to the role as well as his breadth of experience managing organisational units. We are sure he will bring this to his new role in the Foundation and will be a great ED.
... more
Virtual Summer of Security 2020
Monday, June 8, 2020
Virtual AppSec Days April 2020 was a hit! Over 1,800 participated in the week-long event. Highlights included a free lightning conference, 11 training courses, and a 48 hour Capture the Flag competition.
The OWASP Foundation set out to bring the community together and provide alternative education in these uncertain times. We were able to do this economically for participants thanks to our generous sponsors, without whom, this event would not have been possible.
Thank you to Acunetix, DevSecOps Academy, Netsparker, and ZeroNorth! These sponsors not only helped keep the conference affordable but also gave away over $800 in prizes to participants.
... more
OWASP Chapters All Day
Thursday, June 4, 2020
Join 24 chapters around the globe for a 24 hour long back-to-back virtual chapter meetup. The entire event will be livestreamed on YouTube from 16 countries. The schedule of those talks is available here.
The OWASP Leaders List is a mailing list made up of current Chapter and Project Leaders and folks who previously held those positions. The mailing list is a busy place and ideas flow there regularly, because the folks on that list are good folks with great ideas.
Sometimes an idea hits the list that requires real work to happen, and this initiative was one of those. Fortunately, there were plenty of volunteers to step up and make it happen.
... more
Virtual AppSec Days April 2020
Tuesday, April 7, 2020
The OWASP Foundation is excited to announce the launch of Virtual AppSec Days. Taking place later this month, we have an entire week of virtual activities planned, to engage, educate, and entertain our community.
The event will begin on April 27 with a virtual mini-conference; a free 90-minute session consisting of three 20-minute lightning talks by AppSec industry leaders.
... more
OWASP Juice Shop v10.0.0 released
Tuesday, March 17, 2020
Releasing Juice Shop v10.0.0 live from the beach of Cancun at the OWASP Projects Summit was a really unique event. The summit allowed us to really concentrate on some larger long-term ideas we had.
Global AppSec Dublin postponed to 2021
Thursday, March 12, 2020
Following recent developments within Ireland, throughout Europe, and worldwide relating to COVID-19, the OWASP Foundation has made the difficult, but considered decision, to postpone the Global AppSec Dublin set to take place June 15-19.
We take pride in offering a premier experience for our attendees and sponsors and we can no longer guarantee that event quality. Nor can we ethically put our community’s health and safety at risk. Therefore we have secured dates at the Convention Center Dublin to hold the Global AppSec Dublin on February 15-19, 2021.
... more
Dublin Call for Papers and Trainers
Tuesday, February 18, 2020
Are you a thought leader in AppSec with a unique idea to share with the greater OWASP community? We are looking for new, innovative, compelling content for our Global AppSec in Dublin this June. Application Security leaders, software engineers, and researchers from all over the world gather at Global AppSec conferences to drive visibility and evolution in the safety and security of the world’s software, as well as to network, collaborate, and share the newest innovations in the field.
... more
OWASP SAMM v2.0 Released
Tuesday, February 11, 2020
The OWASP SAMM™ (Software Assurance Maturity Model) is a community-led, open-source framework that allows teams and developers to assess, formulate, and implement strategies for better security, and it can be easily integrated into an existing organizational Software Development Life Cycle (SDLC).
... more
Our Website Migration Journey
Wednesday, January 15, 2020
For the better part of the last nine months, a small dedicated team has been working to complete a project that has been started, restarted, abandoned, restarted, and then again abandoned: migrating our 7,000 or so page website curated by over 3,000 content editors from MediaWiki to GitHub Pages. As I like to now say, “when you spend 15 years digging a deep hole, don’t expect to dig your way out in a week.” And in all honesty this is not the finish line, but the starting line for the OWASP Foundation in this new decade.
... more
Global AppSec Program Teams
Tuesday, December 3, 2019
Want to help plan our next Global AppSec event? OWASP is excited to announce the launch of the Global AppSec Program Teams. These teams will be responsible for selecting the program and training offerings for the Global AppSecs and will be made up of volunteers from across either Europe or North America. Be sure to apply to volunteer before the end of the year!
... more
Website Migration Update
Wednesday, November 20, 2019
As the Foundation moves toward the migration of the OWASP web presence from the old wiki site to our new GitHub-hosted home, some of you may still have questions regarding what to move and how to move it. Essentially, if you have a chapter page or project page and you have not migrated it to the new website, that should be done first. Steps on what to do and what is needed can be found at https://owasp.org/migration. There are also some minor instructions on the
... more
ZAP Releases v2.8 with HUD
Tuesday, July 2, 2019
PRESS RELEASE
OWASP ZAP Releases V2.8.0 With the Heads Up Display
Heads Up Display simplifies and improves vulnerability testing for developers
SAN FRANCISCO–(BUSINESS WIRE)–OWASP™ ZAP (Open Worldwide Application Security Project™ Zed Attack Proxy) has released a new version of its leading ZAP Project which now includes an innovative Heads Up Display (HUD) bringing security information and functionality right into the browser. Now software developers can interactively test the reliability and security of their applications in real time while controlling a wide variety of features designed to test the quality of their software.
... more
New Website Uses GitHub
Wednesday, June 12, 2019
Blog post example content. Talk about using GitHub for the new website. More text to follow in a second here. Describe the functionality and the awesome CSS. New blog post example content. Talk about using GitHub for the new website. More text to the awesome CSS. blog post example content. Talk 12345 about using GitHub for the new website. More text to follow in a second here. Talk about using GitHub for the new website. More text to follow in a second here. and the awesome CS word log …
... more