Opinions & News
Weekly news and opinions from OWASP leadership, staff, and community members. Have an idea you’d like to see here? Submit to News today!
OWASP Foundation to help government, electronic voting, defence, and critical infrastructure ISVs and contractors to modernize, collaborate, and secure their software and secure their supply chain
Thursday, May 13, 2021
With the announcement today of the US Government’s Executive Order on “Improving the Nation’s Cybersecurity”, OWASP is working to establish vendor-neutral special interest groups to help organizations securely share information and rapidly adopt and adapt existing OWASP standards, projects, and tools, such as the OWASP Application Security Verification Standard, the OWASP Mobile Security Testing Guide, OWASP Dependency-Track (to help secure the software supply chain), OWASP SAMM, and the OWASP Cheat Sheet Series. Adoption of OWASP standards and tooling can help government agencies, contractors, and vendors comply with the EO today, using the trusted advice OWASP has built over the last 20 years, which already exists and is ready to go. There is more to be built, which is why we want to help industry, vendors, contractors, and agencies work together to improve the applicability of these standards to their particular use cases.... more
Tuesday, May 11, 2021
Hi all, over the last decade or more, many of us have been organising OWASP events within our community.
One of the problems we have is that there is no standardised place with content on how to create a repeatable event, nor is there a central team of volunteers that the community can reach out to for advice when creating an event.
To solve this and help drive stronger events I propose we form an events committee. The purpose of this committee would be to offer knowledge and/or resources to empower volunteers to spread OWASP’s message through hosting events.... more
Wednesday, April 28, 2021
In celebration of our 20th Anniversary, OWASP is pleased to announce our new merchandise store where you can purchase a range of t-shirts, hoodies, stickers, mugs, masks, and more. Each purchase you make helps fund the OWASP mission.
The OWASP Foundation store is strictly for fundraising purposes. There will be no reimbursements from OWASP for any purchases.... more
Tuesday, March 30, 2021
This week has been a stark reminder that having a policy against harassment and abuse is an empty promise if there is not a fully-functioning process behind it to ensure complaints are heard and fairly addressed, with egregious violators permanently removed from the community.
OWASP stands with victims of harassment and abuse and unequivocally condemns abuse in all of its forms. Our commitment to our community is to ensure our meetings, activities, and events are a safe space that is welcoming to all, and to provide a competent mechanism for victims to report incidents and receive a swift outcome.... more
Tuesday, March 16, 2021
Veracode Secure Coding Challenge Summary
The Call To Battle Secure Coding challenge brought together developers and security engineers two weeks ago to show off their secure coding skills. Using Veracode’s Security Labs Enterprise, all of the contestants worked on patching real OWASP Top 10 vulnerabilities in containerized environments, using the languages of their choice. The more languages a competitor knows, the more points they can score. Out of the 18 fierce competitors, 9 finished at the top of the leaderboard with 440 points, but it’s not just about completing the labs and getting the points; it’s also about how fast you can solve each one.... more
Monday, March 8, 2021
The OWASP Foundation is proud to announce our 20th Anniversary on September 24, 2021. For two decades, the OWASP Foundation has served the application security and DevSecOps industries as a leader in open source information, industry-leading projects, and a global community of peers.
With a year of celebration ahead, the Event team is excited to join this effort by announcing a special 20th Anniversary Virtual Event: Securing the Next 20 Years. The event will be held on September 24th and feature 24 hours of speakers from around the globe broadcasting across all time zones. The event will encompass a message of forward-looking thinking, influences from our history, and hot topics relevant today.... more
Friday, March 5, 2021
The OWASP Software Component Verification Standard project is conducting the 2021 State of the SBOM Survey. Community participation is essential in helping the project assess the current and future role that Software Bills of Materials play in the industry.
For those unfamiliar with the project, SCVS seeks to establish a framework for identifying activities, controls, and best practices, which can help in identifying and reducing risk in a software supply chain. Designed to be implemented incrementally, the Software Component Verification Standard has the following goals:
- Develop a common set of activities, controls, and best-practices that can reduce risk in a software supply chain
- Identify a baseline and path to mature software supply chain vigilance
Wednesday, March 3, 2021
September 24, 2021 marks OWASP’s 20th Anniversary! We are kicking off our 20th Anniversary celebrations with a 20% off two-year membership sale, starting right now and running for the next 20 days. 20% off a two-year membership or renewal is a great way to support us and get involved in our community! We have a lot more planned throughout the year!
Join or renew today: https://owasp.org/membership/... more
Friday, February 26, 2021
At the end of every month, I review the Temporary COVID Restrictions and look around the world to see what’s happening. I think we’re all looking forward to getting back to normal now that there’s a vaccine and it seems to be doing a tremendous job of reducing deaths and hospitalizations. In the meantime, we still need to be staying safe. To that end, I’ve simplified the restrictions a lot, and also made it clear when we can start to return to physical events.... more
Wednesday, February 24, 2021
The OWASP Foundation hosted the first-ever OWASP Brain Break entertainment event on Thursday February 18th, featuring comedian Jeff Shaw.
The new event series is just one in a line-up of a variety of virtual events planned for the OWASP Foundation’s 2021 calendar. With intentional planning around this event series, the foundation’s goal is to create a fun, mind-breaking escape for our community as we all continue to navigate the global pandemic.... more
Wednesday, February 3, 2021
The OWASP Foundation is excited to announce the launch of a new event series created with our community in mind. Our Brain Break event series is an entertainment-based event program we’ve created for 2021 and we’re excited to announce our first event on February 18th featuring comedian Jeff Shaw.... more
Tuesday, January 26, 2021
Today, the incoming OWASP Board of Directors voted Sherif Mansour as Chair, Vandana Verma as Vice Chair, Grant Ongers as Treasurer and Bil Corry as Secretary.
We’ve got a dream team of OWASP Board Members, voted in by our amazing Community. Honestly, today feels like Christmas to me. Read on to find out more.... more
Monday, January 18, 2021
It is my pleasure to announce Kelly Santalucia’s appointment as OWASP’s Director of Events and Corporate Support, effective January 1, 2021. In December 2020, our previous Events Director, Emily Berman, chose to move on to a new events opportunity, and I thank her for her efforts during her tenure.
I am honored and excited to serve the OWASP Community as your Director of Events and Corporate Support. I have been a team member of the Foundation for over ten years. I began my journey here at OWASP as the NYC local chapter coordinator under Tom Brennan’s leadership. Shortly after, an opportunity became available, and I joined the OWASP global staff as the Foundation’s Membership and Business Liaison. As the years progressed, I moved into the Senior Manager of Sponsorship and Membership role, followed by the Director of Corporate Support and, most recently, the Director of Events and Corporate Support.
Friday, January 8, 2021
Over the last few years, the OWASP Dependency-Track project has led an industry shift towards framing open source risk as a subset of software supply chain risk. Dependency-Track was one of the first platforms to fully embrace the Software Bill of Materials (SBOM) as a core tenet and design principle. The project led to the creation of CycloneDX, an open source SBOM standard used by thousands of organizations and referenced by multiple RFCs and related supply chain initiatives.
Dependency-Track v3 has proven that SBOMs can be created, consumed, and analyzed at high velocity in modern build pipelines, and it has proven the value of full-stack transparency for IoT and embedded devices. Based on feedback from the community, from industry, and from government-led software transparency efforts, the project has made strategic enhancements to the software that set the stage for future capabilities that are only achievable through the use of SBOMs.... more
Thursday, December 24, 2020
As we close the year OWASP Foundation is proud to present a new member benefit in the form of online training provided by OWASP SecureFlag Open Platform. All active OWASP members around the globe now have access to all of the great exercises and training options that the OWASP SecureFlag Open Platform supports and many more besides!... more
Wednesday, December 23, 2020
2020 has been a very challenging year for all, including OWASP. I know a lot of folks are hurting, have lost loved ones, or have been very sick themselves. Work from home for many has been a challenge, especially if you’re like me and have school-age kids at home who are struggling with online classes. I think everyone is suffering from Zoom fatigue. I want to highlight some of our struggles and successes in 2020 but look forward to a much better 2021.
Note: Our office is closed from Thursday, December 24th, and we reopen on January 4th, 2021.... more
Tuesday, December 22, 2020
Calling all AppSec Community Trainers, OWASP Foundation is planning a global line-up of Virtual Training throughout 2021. We invite you to submit your training proposals by January 8th.... more
Thursday, December 17, 2020
OWASP is vendor-neutral
OWASP is renowned for being vendor-neutral. It’s a key part of our four core values:
- Open: Everything at OWASP is radically transparent, from our finances to our code.
- Innovative: We encourage and support innovation and experiments for solutions to software security challenges.
- Global: Anyone around the world is encouraged to participate in the OWASP community.
- Integrity: Our community is respectful, supportive, truthful, and vendor-neutral.
That doesn’t mean we are vendor hostile, no vendors allowed, no vendor germs, or anything like that. If you are interested in vendor neutrality, either as an OWASP community member or as a vendor, please read on.... more
Thursday, December 17, 2020
A Quick Introduction to ZAP
In 2009 I was a Java developer and a pentest on one of my services found vulnerabilities that I’d never even heard of. I decided that I needed to learn more about web application security in order to become a better developer.
I quickly discovered OWASP and started going through the wealth of material available, but I knew that I learn best by doing things so I started downloading and playing around with open source security tools. At that time I was also looking for an open source project to contribute to, so this seemed the ideal opportunity to combine those two things. Unfortunately there were not any actively maintained open source web security tools back then, so I took the plunge, forked Paros Proxy (which had been taken closed source) and set out to create the community-led open source project that I wanted to join. Since then ZAP has gone from strength to strength and we now have a core team and hundreds of contributors.... more
Tuesday, December 15, 2020
We are back again with another Spotlight series project, and this time we have a very interesting project, pytm, which is around Threat Modeling.... more
Tuesday, December 15, 2020
It’s hard to believe it’s already December! Along with the holiday spirit, December brings increased outreach from charities. For many nonprofits, this is when these organizations receive the bulk of their funding. Individuals are at their most generous and look for ways to help others while also ensuring they get all of their tax deductions*.
In truth, if everyone reading this message right now made a donation to the OWASP Foundation, we’d have the resources needed to greatly expand and improve our projects, chapters, materials, tools, documentation, etc. in 2021.
If the time is right, please take a moment to make a tax-deductible* gift to the OWASP Foundation today. Click the button below to give securely and with ease via credit card.
*As a public charity (IRS PC category), donations to OWASP are likely to be tax deductible to many US based individuals and organizations. Please review the IRS guidance to determine if you are eligible to claim a tax deduction on your next return: https://www.irs.gov/charities-non-profits/charitable-contributions... more
Thursday, December 3, 2020
The OWASP Web Security Testing Guide team is proud to announce version 4.2 of the Web Security Testing Guide (WSTG)! In keeping with a continuous delivery mindset, this new minor version adds content as well as improves the existing tests.
In recent years, the Web Security Testing Guide has sought to remain your foremost open source resource for web application testing. Our previous release marked a move from a cumbersome wiki platform to the highly collaborative world of GitHub. Since then, over 61 new contributors pushing over 600 commits have helped to make the WSTG better than ever.
Version 4.2 of the Web Security Testing Guide introduces new testing scenarios, updates existing chapters, and offers an improved reading experience with a clearer writing style and chapter layout. Readers will enjoy easier navigation and consistent testing instructions.... more
Wednesday, November 25, 2020
Members of the OWASP Foundation, we value your commitment and expertise. The Foundation is looking to you to help shape our future and update our Corporate Policies, in this case the Chapters Policy. This is a major ground-up rewrite of the chapters policy, in concert with the Chapters Committee.... more
Tuesday, November 10, 2020
The OWASP Foundation is a not-for-profit organization providing open-source projects, tools, documentation, etc., to help security professionals succeed in keeping their company’s data secure! Our open-source materials are supported by the financial contributions of our Corporate Members, and those contributions are fundamentally important to help us continue to fulfill our mission by providing these resources. As a corporate member, supporting the OWASP Foundation demonstrates a company’s commitment to the community, the Foundation, and the entire AppSec sector.
OWASP strives to provide opportunities to companies with all budget types so everyone can participate. That being said, we are happy to announce that we now offer discounted corporate membership for companies in developing regions and discounted rates for start-up companies! Qualify, and be one of the first ten companies to join the Foundation as a corporate member to receive a special incentive.... more
Friday, November 6, 2020
At the October public Board meeting at the Global AppSec 2020 - Virtual, the Board voted on Honorary Membership and active Leader Complimentary Membership reform, and these reforms are now live.
For hardworking OWASP community leaders who have done amazing things for many years, you will finally have a chance of being recognized by the Foundation and your peers for being a true OWASP hero and upholder of our values and mission. For active leaders, you will be pleasantly surprised by a new option available to you.
What is the problem we’re trying to solve?
Typically, for non-profits and charities, the expectation is that community leaders are members. OWASP is almost unique in that we don’t require Membership to participate or make it mandatory for leaders.
Only 17% of OWASP leaders are members of any sort. The Board felt that many non-member leaders could not vote or become Board members, so they were effectively donating their time but could not influence the Foundation or our mission. At the September face-to-face meeting, the Board discussed various membership models and decided to offer active leaders Complimentary membership and reform Honorary Membership.... more
Thursday, November 5, 2020
This post announces the end of the OWASP Connector. Sadly, the days of email newsletters are done. Read on to find out what we are going to do instead, and we’ve started already.... more
Friday, October 30, 2020
Recently, our lawyers have reviewed all of our bylaws and contracts. You’ll see the improvements coming through as we bring them online. However, the lawyers found that we had no provisions to prohibit participation or funding from US Government-sanctioned countries. Once notified, we had to act, as ignorance is not an excuse. The Board has taken action to resolve this issue, and in the process, we have lost a chapter and refunded one member.
Please read on for more details, and more details about future content here.... more
Thursday, October 29, 2020
Hi OWASP members, voting in the OWASP Board of Directors election closes at 11:59 pm US EDT on Friday, October 30. If you have not yet voted, now is the time. Read on for how to find your ballot, and what happens next.... more
Saturday, August 1, 2020
OWASP is an Associate Partner of Black Hat USA 2020 and will be present with its own virtual booth on 5th/6th August. Meet & talk to OWASP staff and volunteers, and take the chance to meet some of our dedicated project leaders.... more
Friday, July 31, 2020
The future of OWASP is driven by passionate individuals who sit on the Global Board of Directors. They represent you and are elected by you, our members. We have just published the Global Board of Directors elections timeline and procedures.
We ask all members to check that their membership is valid, and necessary communications settings are correct. I encourage anyone to stand for the Board if they are passionate about OWASP, and I encourage every single member to vote.
Lastly, I address the current eligibility issues, what’s changing, and how this year’s elections will not be affected by upcoming changes to our bylaws.... more
Thursday, July 23, 2020
Unlike many other groups in the software and security sector, it is important to us that our organization is shaped by our community. This of course is evident in our volunteer led Chapters and Projects along with a member-elected Board of Directors and now down to our everyday business policies. In what is planned as an annual effort, the OWASP Foundation is looking for Members to help us update our Corporate Policies. We have identified and have developed 16 core policy domains for our operations.... more
Monday, June 29, 2020
It is with great pleasure that the OWASP Foundation announces that as of today, Monday 29th June 2020, we will have a new, full time, Executive Director (ED), selected from within our own ranks. As of this date Andrew van der Stock will officially take on the role of the ED for the Foundation on a permanent basis.
Andrew is well known to many in the OWASP Community for both his hard work on a number of key OWASP Projects (including the OWASP Top Ten and the OWASP ASVS) as well as for his time on the Global Board of Directors, representing the OWASP Community from 2015 to 2018. He brings years of AppSec experience to the role as well as his breadth of experience managing organisational units. We are sure he will bring this to his new role in the Foundation and will be a great ED.... more
Monday, June 8, 2020
Virtual AppSec Days April 2020 was a hit! Over 1,800 participated in the week-long event. Highlights included a free lightning conference, 11 training courses, and a 48-hour Capture the Flag competition.
The OWASP Foundation set out to bring the community together and provide alternative education in these uncertain times. We were able to do this economically for participants thanks to our generous sponsors, without whom, this event would not have been possible.
Thank you to Acunetix, DevSecOps Academy, Netsparker, and ZeroNorth! These sponsors not only helped keep the conference affordable but also gave away over $800 in prizes to participants.... more
Thursday, June 4, 2020
Join 24 chapters around the globe for a 24 hour long back-to-back virtual chapter meetup. The entire event will be livestreamed on YouTube from 16 countries. The schedule of those talks is available here.
The OWASP Leaders List is a mailing list populated by either Chapter or Project Leaders or folks who previously held those positions. The mailing list is a busy place and ideas flow there regularly - because the folks on that list are good folks with great ideas.
Sometimes an idea hits the list that requires real work to happen, and this initiative was one of those. Fortunately, there were plenty of volunteers to step up and make it happen.... more
Tuesday, April 7, 2020
The OWASP Foundation is excited to announce the launch of Virtual AppSec Days. Taking place later this month, we have an entire week of virtual activities planned, to engage, educate, and entertain our community.
The event will begin on April 27 with a virtual mini-conference; a free 90-minute session consisting of three 20-minute lightning talks by AppSec industry leaders.... more
Tuesday, March 17, 2020
live from the beach of Cancun at the OWASP Projects Summit was a really unique event. The summit allowed us to really concentrate on some larger long-term ideas we had.
Thursday, March 12, 2020
Following recent developments within Ireland, throughout Europe, and worldwide relating to COVID-19, the OWASP Foundation has made the difficult, but considered decision, to postpone the Global AppSec Dublin set to take place June 15-19.
We take pride in offering a premier experience for our attendees and sponsors and we can no longer guarantee that event quality. Nor can we ethically put our community’s health and safety at risk. Therefore we have secured dates at the Convention Center Dublin to hold the Global AppSec Dublin on February 15-19, 2021.... more
Tuesday, February 18, 2020
Are you a thought leader in AppSec with a unique idea to share with the greater OWASP community? We are looking for new, innovative, compelling content for our Global AppSec in Dublin this June. Application Security leaders, software engineers, and researchers from all over the world gather at Global AppSec conferences to drive visibility and evolution in the safety and security of the world’s software, as well as to network, collaborate, and share the newest innovations in the field.... more
Tuesday, February 11, 2020
The OWASP SAMM™ (Software Assurance Maturity Model) is a community-led open-sourced framework that allows teams and developers to assess, formulate, and implement strategies for better security which can be easily integrated into an existing organizational Software Development Life Cycle (SDLC).... more
Wednesday, January 15, 2020
For the better part of the last nine months, a small dedicated team has been working to complete a project that has been started, restarted, abandoned, restarted, and then again abandoned: migrating our 7,000 or so page website curated by over 3,000 content editors from MediaWiki to GitHub Pages. As I like to now say, “when you spend 15 years digging a deep hole, don’t expect to dig your way out in a week.” And in all honesty this is not the finish line, but the starting line for the OWASP Foundation in this new decade.... more
Tuesday, December 3, 2019
Want to help plan our next Global AppSec event? OWASP is excited to announce the launch of the Global AppSec Program Team. These teams will be responsible for selecting the program and training offerings for the Global AppSecs and will be composed of volunteers from all around either Europe or North America. Be sure to apply to volunteer before the end of the year!... more
Wednesday, November 20, 2019
As the foundation moves toward the migration of the OWASP web presence from the old wiki site to our new GitHub-hosted home, some of you may still have questions regarding what to move and how to move it. Essentially, if you have a chapter page or project page and you have not migrated it to the new website, that would be first. Steps on what to do and what is needed can be found at https://owasp.org/migration There are also some minor instructions on the... more
Tuesday, July 2, 2019
OWASP ZAP Releases V2.8.0 With the Heads Up Display
Heads Up Display simplifies and improves vulnerability testing for developers
SAN FRANCISCO–(BUSINESS WIRE)–OWASP™ ZAP (Open Web Application Security Project™ Zed Attack Proxy) has released a new version of its leading ZAP Project which now includes an innovative Heads Up Display (HUD) bringing security information and functionality right into the browser. Now software developers can interactively test the reliability and security of their applications in real time while controlling a wide variety of features designed to test the quality of their software.... more