Opinions & News
Weekly news and opinions from OWASP leadership, staff, and community members.
Thursday, November 10, 2022
We’re excited to announce that the “Top 10 CI/CD Security Risks” framework is now officially an OWASP project, titled “OWASP Top 10 CI/CD Security Risks”!
Friday, October 28, 2022
OWASP SAMM (Software Assurance Maturity Model) is the OWASP framework that helps your organization assess, formulate, and implement a software security strategy that can be integrated into your existing Software Development Lifecycle (SDLC). OWASP SAMM fits most contexts: whether your organization is mainly developing, outsourcing, or acquiring software, and whether you use a waterfall, agile, or DevOps method, the same model can be applied.
Thursday, October 20, 2022
From time to time, leaders will bring an opportunity to support a similar organization, such as promoting another organization’s event or seminar, staffing a booth or desk, or running a Capture the Flag event. Often the leader wants to promote the activity through OWASP’s platforms because, in all likelihood, it will interest OWASP members. We call these arrangements “co-marketing,” and there’s a process to getting them approved so that OWASP is not abused as a free marketing tool by others.
Here’s how to get your co-marketing approved quickly and efficiently by supplying the correct information early. Not all co-marketing will be approved, as most of the requests we receive are not OWASP-like or simply try to use OWASP’s large audience as free marketing.
Here’s how to get it done:
Monday, October 3, 2022
In order to distinguish projects more clearly over their lifecycle, OWASP has introduced a new Production maturity level. It offers a natural and final step for all projects of sufficient maturity and activity after Lab status, and finally allows Flagship to be treated as the strategic bonus level it was always meant to be. Along with the new level, clear guidance on progression requirements and the promotion process has been documented by the Project Committee.
Tuesday, September 20, 2022
Over the years, Google has continually leveraged OWASP internally as well as externally as part of their developer education around Android and Google Cloud security best practices. This includes presentations at various conferences such as Droidcon and online guidance for Google Cloud. Earlier this year, Google started going a little further by analyzing OWASP MASVS and ASVS to see if these two standards can be used more prescriptively within their developer community.
Tuesday, September 13, 2022
New recommendations drafted by members of OWASP, The Linux Foundation, Oracle, and others aim to improve the accuracy of the NVD with a focus on modern, automated use cases. The group, informally named the “SBOM Forum”, is led by supply chain consultant and blogger Tom Alrich. Their first paper, titled A Proposal to Operationalize Component Identification for Vulnerability Management, recommends that MITRE and the NVD adopt Package URL for the identification of open source and commercial software, along with multiple GS1 standards for hardware. In doing so, the accuracy of vulnerability management can be dramatically improved while increasing the efficiency and effectiveness of the teams doing it.
Thursday, August 25, 2022
The OWASP Foundation is currently in the process of updating the bylaws due to the existing bylaws not being valid. We have received a draft that we believe is ready to be approved, but we are still waiting upon the Board to hold an Executive Session on the status of fees and membership privileges.
Once we have clarity on the status of members’ fees and privileges, the process of ratification can begin.
Thursday, July 28, 2022
Sadly, COVID is here to stay. We must learn to live with it. At some point in the future, the risk from COVID will be a great deal less than it is now. So it’s time to turn the temporary COVID restrictions into permanent policy. We can always amend, replace, or repeal the policy at some point in the future. Read on for more information.
Tuesday, June 7, 2022
We will need to hold a member vote on the new bylaws, and for that reason, we are announcing Town Halls for June 28, with the vote likely to start on July 1, or at the latest in concert with the next Board Election starting August 15.
Thank you to everyone who participated in the Survey. I am pleased to announce that the following Members have won a ticket to a Global AppSec of their choosing:
- Marianne Busch
- Amit Dubey
- David Ochel
For more, please read on.
Sunday, May 15, 2022
On behalf of the OWASP ASVS leadership team, we are excited to publicise the objectives and roadmap for the upcoming version 5.0 of the flagship OWASP Application Security Project. We are hoping to be able to release a final version by the end of the year but there is a lot to do and we need your help!
Our first milestone is the end of May, by which time we would like to have as much feedback as possible on the current standard so that we can start planning how the next version will look.
You may wish to read through the full objectives and roadmap document (or keep reading this post), review the current “bleeding edge” version of the ASVS document, and check out our guide to contributing, which also includes guidance on the process to go through to provide feedback.
OWASP Members - submit your views to our bylaw survey for a chance to win an AppSec Virtual or AppSec Global pass
Tuesday, April 12, 2022
Recently, we received legal advice on the upcoming Leaders as Members bylaw and policy changes. Long story short, we may need eligible OWASP members to vote to approve a new or updated certificate of incorporation and bylaws. The required changes are so extensive, that we may need to replace our bylaws with much newer ones. Therefore, OWASP is consulting with OWASP Members on our bylaws’ membership classes and their rights, privileges, and powers.
Bylaws and membership rights are both incredibly important and yet incredibly boring unless you are a policy wonk. To encourage survey submissions, the OWASP Foundation is offering a prize for three random OWASP members who complete the survey: a pass to any OWASP Global AppSec conference held in 2022, including OWASP 2022 Global AppSec Europe Virtual Event, OWASP 2022 Global AppSec AsiaPac Virtual Event, and OWASP 2022 Global AppSec San Francisco. See conditions of entry below for the fine print.
Thursday, April 7, 2022
OWASP® and Security Journey partner to provide OWASP® members access to a customized training path focused on OWASP® Top 10 lists.
Security Journey, the leader in culture-changing web application security training, announces a partnership with OWASP, a nonprofit foundation that works to improve web application software security. Security Journey has created a custom belt path for OWASP members covering a wide variety of the content OWASP releases. The Security Journey training platform, which uses a martial arts-themed belt program to deliver lessons, includes a unique Security Journey Belt Certification for OWASP® Core Concepts with lessons for multiple OWASP projects, such as the OWASP Mobile Top 10, OWASP API Security Top 10, OWASP Proactive Controls, and the OWASP Top 10 2017 and 2021.
Monday, March 28, 2022
I have scheduled three Leader Town Halls this coming Thursday to cover all major time zones to discuss the changes required by our new AMS platform, YourMembership. From an organizational governance perspective, members are the owners of the organization, and that’s why we require Board members to be paid members. Leading governance practices often require that non-members should not be able to make decisions or lead an organization.
“A formal membership organization is a nonprofit that grants its members specific rights to participate in its internal affairs. These rights are established in the articles of incorporation and defined in more detail in the bylaws. Usually in a formal membership organization, members elect the board and/or the officers; approve changes in the bylaws; and authorize major transactions such as mergers and dissolution of the organization. In short, members have a strong interest and voice in the future of the organization and not only in the tangible benefits that they may receive as members.”
OWASP is practically unique in not having required leaders to be members since its inception. All the AMS systems we evaluated, and the one we selected, have a deeply built-in requirement that self-service group (chapter, project, committee, etc.) management is reserved for members, so it is not possible for us to avoid this issue any longer.
There are several ways it could be managed, some better than others.
Friday, March 25, 2022
Over the last few months, many have received a great deal of communication about their impending email deactivation. For most of the accounts affected, this is actually what was supposed to have happened a long time ago, because as memberships expire, their accounts should be deactivated. The issue is that some members have multiple records or incorrect data. This automation will process expired memberships as an ongoing process. The process will eventually find all incorrect membership data. This process only deactivates the account, so it’s very easy for us to get things back on the right track.
We need your help. Our call to action is that every member should log in to the OWASP Membership portal with their owasp.org email address, review, and as necessary update their membership data and contact preferences. Please update your membership record. If you can’t log in, please log a support ticket.
Wednesday, March 16, 2022
The OWASP ModSecurity Core Rule Set project is very happy to announce Felipe Zipitría as a new and third Co-Leader. Felipe joins Walter Hop and Christian Folini in his new role.
Felipe Zipitría holds a master’s degree in computer science from the University of the Republic in Montevideo, Uruguay. He worked as a system administrator for the faculty of engineering for several years and also lectures on security at the University.
His jobs include a position as security architect and consultant at Tilsor in Uruguay and then remote work as an infrastructure security team lead at Perceptyx, Inc. He currently works as a senior security engineer at US-based Life360.
Tuesday, March 15, 2022
OWASP’s mission is to improve the state of appsec throughout the world. The war in Ukraine has made us realize that OWASP hasn’t sufficiently defined how we can best assist countries affected by force majeure events, such as wars, riots, disasters, or extreme weather.
We encourage everyone to assist our Ukrainian members and donate to non-political aid organizations, such as the International Red Cross. We ask our community to assist in any way, including donating and volunteering to provide assistance asked by our Ukrainian leaders and members. Please tune into #owasp-community on Slack if you can help.
OWASP is mandated by US 501(c)(3) non-profit regulations to be non-political. Despite many of us in our community rightly having strong personal feelings about the war, OWASP is not permitted to make political statements.
Tuesday, February 15, 2022
The OWASP Foundation is extremely excited to announce the first NEW member benefit for 2022: we have partnered with AppSec Phoenix to make the Community Edition and scanners of their application security posture platform free for all OWASP Members!
End of year thank you! Corporate Membership or Donations, 20th Anniversary keynotes, Distinguished Lifetime Members, Waspy Awards, Multi-Factor Authentication, oh my!
Thursday, December 23, 2021
This year has been extremely challenging, and it looks like 2022 will be more of the same. But in the meantime, we have had some amazing successes, and I want to celebrate them. So here’s a very overdue and yet still timely end-of-year blog blowout!
Read on to learn about our end-of-year Donation and Corporate Membership drive, 20th Anniversary keynotes, Distinguished Lifetime Members and WASPY Awards announcements, and lastly how we intend to implement multi-factor authentication by the end of Q1 2022.
Wednesday, December 22, 2021
The OWASP ModSecurity Core Rule Set project has been waiting for an alternative WAF engine for quite some time. But the waiting is coming to an end now with the arrival of the new Coraza WAF, a fully compliant OSS WAF engine able to run CRS in production.
Monday, December 13, 2021
A vulnerability was recently reported in log4j, CVE-2021-44228. This vulnerability is listed as severity 10. All potentially affected OWASP projects should review their use of log4j and update code to mitigate the impact of the vulnerability. Further information can be found at the links provided.
Wednesday, December 1, 2021
The PurpleTeam TLS Tester is now implemented. All core components were released as version 1.0.0-alpha.3. To hear about the highlights and significant changes that were made as part of the release, see the following
Wednesday, November 10, 2021
The OWASP Foundation Events Team will be holding three Town Halls across most timezones this coming November 30.
Tuesday, November 2, 2021
The OWASP Foundation is very pleased to announce that we45 has become our latest partner, providing a DevSecOps training membership benefit to OWASP members through AppSecEngineer.
I thank we45 for their generous support of OWASP, providing free DevSecOps and Security Automation Training to OWASP members through their Training Suite, AppSecEngineer. Today, DevSecOps is the predominant method of developing and operating secure systems, and it’s time for our industry to move away from ‘stage gates’ and being a blocker, to understanding how high-performance development teams build software. AppSecEngineer’s online training will help all OWASP members drastically improve their skills and knowledge in secure software development.
Tuesday, October 12, 2021
I am very pleased to announce that the OWASP Foundation has recruited Lauren Thomas as our new Events Coordinator. I’m sure those of you involved with Events will welcome Lauren’s appointment!
Thursday, July 29, 2021
Earlier this week we (Carlos Holguera and myself) created a new release of the OWASP Mobile Security Testing Guide!
For this release we adapted the document build pipeline from the OWASP Mobile AppSec Verification Standard (MASVS) and can now automatically create a release for the MSTG as PDF, docx and ePub, which allows us to release more frequently. If you are interested in the magic behind it, you can find the GitHub Action of the release here
We want to thank:
- Jeroen Beckers for all the continuous support and his valuable input for the OWASP MSTG project in general,
- Jeroen Willemsen for all the support in the last year to get us on the right track for the build pipeline and
Announcing a new partnership with We Hack Purple, awesome OWASP member benefit immediately available
Wednesday, July 14, 2021
As part of the OWASP & We Hack Purple partnership, all OWASP members are now provided free access to the Application Security Foundations Level 1 course from WHP! This introductory AppSec course will answer all your burning questions and define all the technical terms right at the start. Then we will set goals for your AppSec program at work as an exercise. After this, we dive deep into every type of application security activity and tool on the market while sprinkling you with quizzes and exercises. As a final project, we make an AppSec program action plan for you to bring back to work with you. This on-demand course is FREE for all OWASP members!
To access the course, read on, sign up with your OWASP.org email address, and start learning.
Monday, July 5, 2021
The new OWASP Membership Portal soft launched on July 1st. The membership portal displays information about your OWASP membership and also allows you to edit your personal details. In addition, the portal provides links to content that is of interest to members, including certain membership benefits. You can access the portal using your OWASP Foundation email address by clicking on Membership Portal.
Friday, July 2, 2021
The OWASP Foundation launched its Call for Trainers (CfT) on July 1st for this year’s coming Global AppSec US 2021 Virtual conference.
OWASP Trainings are historically held in conjunction with Global AppSec events ahead of conference days. This year, due to the ongoing recovery from the COVID-19 pandemic, the Foundation will host the event virtually once again and is exploring options for the Training Courses to be virtual with a possible hybrid offering.
Wednesday, June 30, 2021
The OWASP ModSecurity Core Rule Set (CRS) is affected by a request body bypass that abuses trailing pathname information. A backend vulnerability can thus be exploited despite being protected with the CRS Web Application Firewall rule set when an application server accepts additional path info as part of the request URI. All known CRS installations that offer the predefined CRS rule exclusion packages are affected. This applies to end-of-life CRS versions 3.1.0, 3.1.1 as well as the currently supported versions 3.2.0 and 3.3.0. Integrators and users are advised to upgrade.
For details and links to the new releases, please visit:
Monday, June 21, 2021
OWASP Vancouver, Victoria, and Portland hosted the first AppSec Pacific Northwest on Saturday. This sold-out virtual event featured keynotes from Kymberlee Price and Jim Manico. Content included builder, breaker, and defender talks and labs by established and emerging chapter members and a few of our global community of project leaders. Videos will be posted soon for those who missed the conference on the AppSecPNW YouTube channel. Next year will hopefully be in person, so be sure to follow @pnwseccon on Twitter or visit the conference website at pnwcon.com.
The Pacific Northwest chapters want to create an event to highlight our local membership’s talent, build community between our chapters, and engage the wider OWASP community to come explore our beautiful region. This year we had to do it virtually because of COVID, but we consider it to be a huge success. The organizers got to know each other quite well in the planning and execution of the event, our volunteers were rockstars on the day of the conference making everything happen, true talent was displayed through our lineup of speakers, and there clearly was interest even in spite of Zoom fatigue, with over 1000 registrants.
Friday, June 11, 2021
The CycloneDX project, creators of the leading Software Bill of Materials (SBOM) format, announced they will be joining the OWASP Foundation as a Flagship Project. This move will provide resources to the CycloneDX project while strengthening OWASP as the leading non-profit security organization providing tools, documentation, and standards.
Sunday, June 6, 2021
Beginning in July, OWASP will be launching a new Membership Portal. The portal will display information about your OWASP membership and will also allow you to edit your personal details. In addition, the portal will provide links to content that is of interest to members including certain membership benefits. Be on the lookout for further information about the upcoming Membership Portal as we get nearer to launch.
Also beginning later in July, as a necessary step to a proper membership portal, the owasp.org email address inventory will be cleaned up and any email addresses that do not belong to the following groups of people will be deactivated within 15 days of removal from all of these groups:
- OWASP Members (having an active one year, two year, or lifetime membership)
- Project Leaders
- Chapter Leaders
- Event Leaders
- Committee Leaders
OWASP Foundation to help government, electronic voting, defence, and critical infrastructure ISVs and contractors to modernize, collaborate, and secure their software and secure their supply chain
Thursday, May 13, 2021
With the announcement today of the US Government’s Executive Order on “Improving the Nation’s Cybersecurity”, OWASP is working to establish vendor-neutral special interest groups to help organizations securely share information and rapidly adopt and adapt existing OWASP standards, projects, and tools such as the OWASP Application Security Verification Standard, the OWASP Mobile Testing Guide, OWASP Dependency Track (to help secure the software supply chain), OWASP SAMM, and the OWASP Cheat Sheet Series. Adoption of OWASP standards and tooling can help government agencies, contractors and vendors rapidly comply with the EO today using OWASP’s trusted advice, built over the last 20 years, which already exists and is ready to go. There is more to be built, which is why we want to help industry, vendors, contractors, and agencies work together to improve the applicability of these standards to their particular use cases.
Tuesday, May 11, 2021
Hi all, over the last decade or more, many of us have been organising OWASP events within our community.
One of the problems we have is that there is no standardised place with content on how to create a repeatable event, nor is there a central team of volunteers that the community can reach out to for advice when creating an event.
To solve this and help drive stronger events, I propose we form an events committee. The purpose of this committee would be to offer knowledge and/or resources to empower volunteers to spread OWASP’s message through hosting events.
Wednesday, April 28, 2021
In celebration of our 20th Anniversary, OWASP is pleased to announce our new merchandise store where you can purchase a range of t-shirts, hoodies, stickers, mugs, masks, and more. Each purchase you make helps fund the OWASP mission.
The OWASP Foundation store is strictly for fundraising purposes. There will be no reimbursements from OWASP for any purchases.
Tuesday, March 30, 2021
This week has been a stark reminder that having a policy against harassment and abuse is an empty promise if there is not a fully-functioning process behind it to ensure complaints are heard and fairly addressed, with egregious violators permanently removed from the community.
OWASP stands with victims of harassment and abuse and unequivocally condemns abuse in all of its forms. Our commitment to our community is to ensure our meetings, activities, and events are a safe space that is welcoming to all, and to provide a competent mechanism for victims to report incidents and receive a swift outcome.
Tuesday, March 16, 2021
Veracode Secure Coding Challenge Summary
The Call To Battle Secure Coding challenge brought together developers and security engineers two weeks ago to show off their secure coding skills. Using Veracode’s Security Labs Enterprise, all of the contestants worked on patching real OWASP Top 10 vulnerabilities in containerized environments, using the languages of their choice. The more languages a competitor knows, the more points they can score. Out of the 18 fierce competitors, we had 9 who finished at the top of the leaderboard with 440 points, but it’s not just about completing the labs and getting the points; it’s also about how fast you can solve each one.
Monday, March 8, 2021
The OWASP Foundation is proud to announce our 20th Anniversary on September 24, 2021. For two decades, the OWASP Foundation has served the application security and DevSecOps industries as a leader in open source information, industry-leading projects, and a global community of peers.
With a year of celebration ahead, the Event team is excited to join this effort by announcing a special 20th Anniversary Virtual Event: Securing the Next 20 Years. The event will be held on September 24th and feature 24 hours of speakers from around the globe broadcasting across all timezones. The event will encompass a message of future-forward thinking, influences from our history, and hot topics relevant today.
Friday, March 5, 2021
The OWASP Software Component Verification Standard project is conducting the 2021 State of the SBOM Survey. Community participation is essential in helping the project assess the current and future role that Software Bills of Materials play in the industry.
For those unfamiliar with the project, SCVS seeks to establish a framework for identifying activities, controls, and best practices that can help in identifying and reducing risk in a software supply chain. Designed to be implemented incrementally, the Software Component Verification Standard has the following goals:
- Develop a common set of activities, controls, and best practices that can reduce risk in a software supply chain
- Identify a baseline and path to mature software supply chain vigilance
Wednesday, March 3, 2021
September 24, 2021 marks OWASP’s 20th Anniversary! We are kicking off our 20th Anniversary celebrations with a 20% off two-year membership sale, starting right now and running for the next 20 days. 20% off a two-year membership or renewal is a great way to support us and get involved in our community! We have a lot more planned throughout the year!
Join or renew today: https://owasp.org/membership/
Friday, February 26, 2021
At the end of every month, I review the Temporary COVID Restrictions and look around the world to see what’s happening. I think we’re all looking forward to getting back to normal now that there’s a vaccine and it seems to be doing a tremendous job of reducing deaths and hospitalizations. In the meantime, we still need to be staying safe. To that end, I’ve simplified the restrictions a lot, and also made it clear when we can start to return to physical events.
Wednesday, February 24, 2021
The OWASP Foundation hosted the first-ever OWASP Brain Break entertainment event on Thursday, February 18th, featuring comedian Jeff Shaw.
The new event series is just one in a line-up of a variety of virtual events planned for the OWASP Foundation’s 2021 calendar. With intentional planning around this event series, the foundation’s goal is to create a fun, mind-breaking escape for our community as we all continue to navigate the global pandemic.
Wednesday, February 3, 2021
The OWASP Foundation is excited to announce the launch of a new event series created with our community in mind. Our Brain Break event series is an entertainment-based event program we’ve created for 2021, and we’re excited to announce our first event on February 18th featuring comedian Jeff Shaw.
Tuesday, January 26, 2021
Today, the incoming OWASP Board of Directors voted Sherif Mansour as Chair, Vandana Verma as Vice Chair, Grant Ongers as Treasurer and Bil Corry as Secretary.
We’ve got a dream team of OWASP Board Members, voted in by our amazing Community. Honestly, today feels like Christmas to me. Read on to find out more.
Monday, January 18, 2021
It is my pleasure to announce Kelly Santalucia’s appointment as OWASP’s Director of Events and Corporate Support, effective January 1, 2021. In December 2020, our previous Events Director, Emily Berman, chose to move on to a new events opportunity, and I thank her for her efforts during her tenure.
I am honored and excited to serve the OWASP Community as your Director of Events and Corporate Support. I have been a team member of the Foundation for over ten years. I began my journey here at OWASP as the NYC local chapter coordinator under Tom Brennan’s leadership. Shortly after, an opportunity became available, and I joined the OWASP global staff as the Foundation’s Membership and Business Liaison. As the years progressed, I moved into the Senior Manager of Sponsorship and Membership role, followed by the Director of Corporate Support and, most recently, the Director of Events and Corporate Support.
Friday, January 8, 2021
Over the last few years, the OWASP Dependency-Track project has led an industry shift towards framing open source risk as a subset of software supply chain risk. Dependency-Track was one of the first platforms to fully embrace the Software Bill of Materials (SBOM) as a core tenet and design principle. The project led to the creation of CycloneDX, an open source SBOM standard used by thousands of organizations and referenced by multiple RFCs and related supply chain initiatives.
Dependency-Track v3 has proven that SBOMs can be created, consumed, and analyzed at high velocity in modern build pipelines. It has also proven the value of full-stack transparency for IoT and embedded devices. Based on feedback from the community, from industry, and from government-led software transparency efforts, the project has made strategic enhancements to the software that set the stage for future capabilities that are only achievable through the use of SBOMs.
Thursday, December 24, 2020
As we close the year, the OWASP Foundation is proud to present a new member benefit in the form of online training provided by the OWASP SecureFlag Open Platform. All active OWASP members around the globe now have access to all of the great exercises and training options that the OWASP SecureFlag Open Platform supports, and many more besides!
Wednesday, December 23, 2020
2020 has been a very challenging year for all, including OWASP. I know a lot of folks are hurting, lost loved ones, or been very sick themselves. Work from home for many has been a challenge, especially if you’re like me and have school-age kids at home who are struggling with online classes. I think everyone is suffering from Zoom fatigue. I want to highlight some of our struggles and successes in 2020 but look forward to a much better 2021.
Note: Our office is closed from Thursday, December 24th, and we reopen on January 4th, 2021.
Tuesday, December 22, 2020
Calling all AppSec Community Trainers: the OWASP Foundation is planning a global line-up of Virtual Training throughout 2021. We invite you to submit your training proposals by January 8th.
Thursday, December 17, 2020
OWASP is vendor-neutral
OWASP is renowned for being vendor-neutral. It’s a key part of our four core values:
- Open: Everything at OWASP is radically transparent, from our finances to our code.
- Innovative: We encourage and support innovation and experiments for solutions to software security challenges.
- Global: Anyone around the world is encouraged to participate in the OWASP community.
- Integrity: Our community is respectful, supportive, truthful, and vendor-neutral.
That doesn’t mean we are vendor hostile, no vendors allowed, no vendor germs, or anything like that. If you are interested in vendor neutrality, either as an OWASP community member or as a vendor, please read on.
Thursday, December 17, 2020
A Quick Introduction to ZAP
In 2009 I was a Java developer and a pentest on one of my services found vulnerabilities that I’d never even heard of. I decided that I needed to learn more about web application security in order to become a better developer.
I quickly discovered OWASP and started going through the wealth of material available, but I knew that I learn best by doing things, so I started downloading and playing around with open source security tools. At that time I was also looking for an open source project to contribute to, so this seemed the ideal opportunity to combine those two things. Unfortunately, there were no actively maintained open source web security tools back then, so I took the plunge, forked Paros Proxy (which had been taken closed source) and set out to create the community-led open source project that I wanted to join. Since then ZAP has gone from strength to strength, and we now have a core team and hundreds of contributors.
Tuesday, December 15, 2020
We are back again with another Spotlight series project, and this time we have a very interesting project, pytm, which is around Threat Modeling.... more
Tuesday, December 15, 2020
It’s hard to believe it’s already December! Along with the holiday spirit, December brings increased outreach from charities. For many nonprofits, this is when these organizations receive the bulk of their funding. Individuals are at their most generous and look for ways to help others while also ensuring they get all of their tax deductions*.
In truth, if everyone reading this message right now made a donation to the OWASP Foundation, we’d have the resources needed to greatly expand and improve our projects, chapters, materials, tools, documentation, etc. in 2021.
If the time is right, please take a moment to make a tax-deductible* gift to the OWASP Foundation today. Click the button below to give securely and with ease via credit card.
*As a public charity (IRS PC category), donations to OWASP are likely to be tax deductible to many US based individuals and organizations. Please review the IRS guidance to determine if you are eligible to claim a tax deduction on your next return: https://www.irs.gov/charities-non-profits/charitable-contributions... more
Thursday, December 3, 2020
The OWASP Web Security Testing Guide team is proud to announce version 4.2 of the Web Security Testing Guide (WSTG)! In keeping with a continuous delivery mindset, this new minor version adds content as well as improves the existing tests.
In recent years, the Web Security Testing Guide has sought to remain your foremost open source resource for web application testing. Our previous release marked a move from a cumbersome wiki platform to the highly collaborative world of GitHub. Since then, over 61 new contributors pushing over 600 commits have helped to make the WSTG better than ever.
Version 4.2 of the Web Security Testing Guide introduces new testing scenarios, updates existing chapters, and offers an improved reading experience with a clearer writing style and chapter layout. Readers will enjoy easier navigation and consistent testing instructions.... more
Wednesday, November 25, 2020
Members of the OWASP Foundation, we value your commitment and expertise. The Foundation is looking to you in shaping our future and helping us update our Corporate Policies, in this case, the Chapters Policy. This is a major ground up re-write of the chapters policy, in concert with the Chapters Committee.... more
Tuesday, November 10, 2020
The OWASP Foundation is a not-for-profit organization providing open-source projects, tools, documentation, etc., to help security professionals succeed in keeping their company’s data secure! Our open-source materials are supported by the financial contributions of our Corporate Members, and those contributions are fundamentally important to help us continue to fulfill our mission by providing these resources. As a corporate member, supporting the OWASP Foundation demonstrates the company’s commitment to the community, the Foundation, and the entire AppSec sector.
OWASP strives to provide opportunities to companies with all budget types so everyone can participate. That being said, we are happy to announce that we now offer discounted corporate membership for companies in developing regions and discounted rates for start-up companies! Qualify, and be one of the first ten companies to join the Foundation as a corporate member to receive a special incentive.... more
Friday, November 6, 2020
At the October public Board meeting at the Global AppSec 2020 - Virtual, the Board voted on Honorary Membership and active Leader Complimentary Membership reform, and these reforms are now live.
For hardworking OWASP community leaders who have done amazing things for many years, you will finally have a chance of being recognized by the Foundation and your peers for being a true OWASP hero and upholder of our values and mission. For active leaders, you will be pleasantly surprised by a new option available to you.
What is the problem we’re trying to solve?
Typically, for non-profits and charities, the expectation is that community leaders are members. OWASP is almost unique in that we don’t require Membership to participate or make it mandatory for leaders.
Only 17% of OWASP leaders are members of any sort. The Board felt that many non-member leaders could not vote or become Board members, so they were effectively donating their time but could not influence the Foundation or our mission. At the September face-to-face meeting, the Board discussed various membership models and decided to offer active leaders Complimentary membership and reform Honorary Membership.... more
Thursday, November 5, 2020
This post announces the end of the OWASP Connector. Sadly, the days of email newsletters are done. Read on to find out what we are going to do instead; we’ve already started.... more
Friday, October 30, 2020
Recently, our lawyers have reviewed all of our bylaws and contracts. You’ll see the improvements coming through as we bring them online. However, the lawyers found that we had no provisions to prohibit participation or funding from US Government Sanctioned Countries. Once notified, we had to act, as ignorance is not an excuse. The Board has taken action to resolve this issue, and in the process, we have lost a chapter and refunded one member.
Please read on for more details, and more details about future content here.... more
Thursday, October 29, 2020
Hi OWASP members, 11:59 pm US EDT on Friday, October 30 is the deadline to vote in the OWASP Board of Directors election. If you have not yet voted, now is the time. Read on for how to find your ballot, and what happens next.... more
Saturday, August 1, 2020
OWASP is an Associate Partner of Black Hat USA 2020 and will be present with its own virtual booth on 5th/6th August. Meet & talk to OWASP staff and volunteers, and take the chance to meet some of our dedicated project leaders.... more
Friday, July 31, 2020
The future of OWASP is driven by passionate individuals who sit on the Global Board of Directors. They represent you and are elected by you, our members. We have just published the Global Board of Directors elections timeline and procedures.
We ask all members to check that their membership is valid, and necessary communications settings are correct. I encourage anyone to stand for the Board if they are passionate about OWASP, and I encourage every single member to vote.
Lastly, I address the current eligibility issues, what’s changing, and how this year’s elections will not be affected by upcoming changes to our bylaws.... more
Thursday, July 23, 2020
Unlike many other groups in the software and security sector, it is important to us that our organization is shaped by our community. This is of course evident in our volunteer-led Chapters and Projects, along with a member-elected Board of Directors, and now extends down to our everyday business policies. In what is planned as an annual effort, the OWASP Foundation is looking for Members to help us update our Corporate Policies. We have identified and developed 16 core policy domains for our operations.... more
Monday, June 29, 2020
It is with great pleasure that the OWASP Foundation announces that as of today, Monday 29th June 2020, we have a new, full-time Executive Director (ED), selected from within our own ranks. As of this date, Andrew van der Stock officially takes on the role of ED for the Foundation on a permanent basis.
Andrew is well known to many in the OWASP Community for both his hard work on a number of key OWASP Projects (including the OWASP Top Ten and the OWASP ASVS) as well as for his time on the Global Board of Directors, representing the OWASP Community from 2015 to 2018. He brings years of AppSec experience to the role as well as his breadth of experience managing organisational units. We are sure he will bring this to his new role in the Foundation and will be a great ED.... more
Monday, June 8, 2020
Virtual AppSec Days April 2020 was a hit! Over 1,800 participated in the week-long event. Highlights included a free lightning conference, 11 training courses, and a 48 hour Capture the Flag competition.
The OWASP Foundation set out to bring the community together and provide alternative education in these uncertain times. We were able to do this economically for participants thanks to our generous sponsors, without whom, this event would not have been possible.
Thank you to Acunetix, DevSecOps Academy, Netsparker, and ZeroNorth! These sponsors not only helped keep the conference affordable but also gave away over $800 in prizes to participants.... more
Thursday, June 4, 2020
Join 24 chapters around the globe for a 24-hour-long, back-to-back virtual chapter meetup. The entire event will be livestreamed on YouTube from 16 countries. The schedule of those talks is available here.
The OWASP Leaders List is a mailing list populated by current Chapter or Project Leaders and folks who previously held those positions. The mailing list is a busy place and ideas flow there regularly, because the folks on that list are good folks with great ideas.
Sometimes an idea hits the list that requires real work to happen, and this initiative was one of those. Fortunately, there were plenty of volunteers to step up and make it happen.... more
Tuesday, April 7, 2020
The OWASP Foundation is excited to announce the launch of Virtual AppSec Days. Taking place later this month, we have an entire week of virtual activities planned, to engage, educate, and entertain our community.
The event will begin on April 27 with a virtual mini-conference; a free 90-minute session consisting of three 20-minute lightning talks by AppSec industry leaders.... more
Tuesday, March 17, 2020
Live from the beach of Cancun at the OWASP Projects Summit was a really unique event. The summit allowed us to really concentrate on some larger long-term ideas we had.
Thursday, March 12, 2020
Following recent developments within Ireland, throughout Europe, and worldwide relating to COVID-19, the OWASP Foundation has made the difficult, but considered decision, to postpone the Global AppSec Dublin set to take place June 15-19.
We take pride in offering a premier experience for our attendees and sponsors and we can no longer guarantee that event quality. Nor can we ethically put our community’s health and safety at risk. Therefore we have secured dates at the Convention Center Dublin to hold the Global AppSec Dublin on February 15-19, 2021.... more
Tuesday, February 18, 2020
Are you a thought leader in AppSec with a unique idea to share with the greater OWASP community? We are looking for new, innovative, compelling content for our Global AppSec in Dublin this June. Application Security leaders, software engineers, and researchers from all over the world gather at Global AppSec conferences to drive visibility and evolution in the safety and security of the world’s software, as well as to network, collaborate, and share the newest innovations in the field.... more
Tuesday, February 11, 2020
The OWASP SAMM™ (Software Assurance Maturity Model) is a community-led open-sourced framework that allows teams and developers to assess, formulate, and implement strategies for better security which can be easily integrated into an existing organizational Software Development Life Cycle (SDLC).... more
Wednesday, January 15, 2020
For the better part of the last nine months, a small dedicated team has been working to complete a project that has been started, restarted, abandoned, restarted, and then again abandoned: migrating our 7,000 or so page website curated by over 3,000 content editors from MediaWiki to GitHub Pages. As I like to now say, “when you spend 15 years digging a deep hole, don’t expect to dig your way out in a week.” And in all honesty this is not the finish line, but the starting line for the OWASP Foundation in this new decade.... more
Tuesday, December 3, 2019
Want to help plan our next Global AppSec event? OWASP is excited to announce the launch of the Global AppSec Program Team. These teams will be responsible for selecting the program and training offerings for the Global AppSecs and will be comprised of volunteers from all around either Europe or North America. Be sure to apply to volunteer before the end of the year!... more
Wednesday, November 20, 2019
As the Foundation moves toward the migration of the OWASP web presence from the old wiki site to our new GitHub-hosted home, some of you may still have questions regarding what to move and how to move it. Essentially, if you have a chapter page or project page and you have not migrated it to the new website, that would be first. Steps on what to do and what is needed can be found at https://owasp.org/migration. There are also some minor instructions on the... more
Tuesday, July 2, 2019
OWASP ZAP Releases V2.8.0 With the Heads Up Display
Heads Up Display simplifies and improves vulnerability testing for developers
SAN FRANCISCO–(BUSINESS WIRE)–OWASP™ ZAP (Open Web Application Security Project™ Zed Attack Proxy) has released a new version of its leading ZAP Project which now includes an innovative Heads Up Display (HUD) bringing security information and functionality right into the browser. Now software developers can interactively test the reliability and security of their applications in real time while controlling a wide variety of features designed to test the quality of their software.... more