OWASP
OWASP Co-chair Gives Presentation to SME.org - 12/09/01
On Friday, December 7th, OWASP Co-Chair Dennis Groves gave a comprehensive web application security presentation to the Phoenix chapter of the Society of Manufacturing Engineers. The presentation was well received by the attending chapter members, and judging from the overwhelming Q&A session, Groves believes it was a "success". For many of the members who previously thought they owned "secure" web applications, this was an eye-opening event.

Review presentation and comments here.

OWASP WebSleuth Alpha 1.2 Now Available - 12/09/01
WebSleuth "Alpha" release 1.2 is the early release of a proof-of-concept tool we have been developing for the upcoming Testing Framework project, which will start next year. The tool is essentially an interactive web browser that lets you manually browse a web application, intercept its traffic and modify it in real time, looking under the hood at, and changing, the data sent to and from the web application.

This initial proof of concept release is written in Visual Basic and will only run on Win32 platforms. We are in early talks with some sponsors about creating a true open source cross platform release in the future.

This third "Alpha" release offers nine new features, including a scriptable plug-in interface and an extensive help file. The Test Inputs function, for instance, offers the ability to test form inputs for variants of cross-site scripting attacks.

Download from the Framework Tools page.

New Technical Committee - 11/27/01
The Technical Committee is made up of renowned application security experts who ensure that the work and ideas produced by the project are technically sound. These people have a wealth of experience and knowledge and will be guiding much of the direction of the work in various areas. As well as participating on the mailing list, the technical committee has a monthly conference call to discuss progress. They are the OWASP technical think tank!
  • Elias Levy - probably best known as the long-time moderator of Bugtraq at securityfocus.com and author of "Smashing the Stack for Fun and Profit"
  • Chris Wysopal - formerly with the L0pht and heads up the @Stake Application Security Center of Excellence.
  • John Viega - wrote 'the' book on "Building Secure Software" and is author of RATS (Rough Auditing Tool for Security) as well as hundreds of articles and several other books. John is the CTO of Secure Software.
  • Greg Hoglund - well known for his work on buffer overflows and his Black Hat presentations, as well as a respected developer of security and fault injection software at ClicktoSecure.


WebSleuth - 11/27/01
WebSleuth is an early release of a concept tool which will become part of the Testing Framework Toolkit. We hope to have a complete suite of open source tools, including source code analyzers, which support the Testing Framework and help people secure their web applications. Released under the OWASP open source license, WebSleuth allows you to manually browse a web application while intercepting its traffic and modifying it on the fly, in real time, to explore its security. This allows you to change cookies, generate raw HTTP requests, and parse HTML and client-side JavaScript, as well as automatically parse comments and forms for known issues. The next release, due this week, will incorporate the ability to test for cross-site scripting in all web forms.

It works over HTTP and SSL without having to use a proxy. The application is not cross-platform and only runs on Win32, as it makes extensive use of the Internet Explorer object. The lead developer, David Zimmer, is always looking for feedback and ways to improve the tool.

Download from our Framework Tools section.

Official Launch - 11/27/01

We are extremely pleased to finally and officially launch OWASP, the "Open Web Application Security Project". For those who have been following the site and mailing list for the last 8 weeks, and who account for part of the 250,000 web hits, this will be nothing new; but given our new technical committee it made sense to re-launch the effort with some basic work already done.

In short the project aims to help everyone build more secure web applications and web services. We will be covering a wide range of related work over the coming years and have initially defined two areas to concentrate on.

Attack Components - The Application Security Attack Components project was started as an attempt to create a common language and definitions from which much of the other work planned at OWASP can later benefit. When describing security issues in web applications, or when attempting to model security, it is very easy to describe the same issue in many different ways, seemingly creating new problems. When analyzing problems described on Bugtraq it is evident that most problems are variants of common issues, applied to different applications or systems using different parameters or targets. The aim is definitely not to build the biggest list of problems or to describe attacks like Nimda or Code Red, but to document the underlying primary attack components that are used in attacks, so that developers can learn to avoid introducing them and others can learn to test for them.

We have a good initial start, although it is focused mainly on external, black-box type attack issues. The current list can be found here. With our new team we hope to flesh out this list to include internal "with knowledge" attacks as well as cryptographic issues and any other classes we need to include. The work is scheduled to take place in December of this year.


Testing Framework - As with any emerging technology like web application security, where there is a lack of documented knowledge and experience, it is hard to know how to be sure that security has been implemented correctly, protecting the application, the data and the user. As in the early days of network security, some people would have you believe application security is a black art. If you ask a security vendor to conduct an application security review today, it could consist of anything from a consultant pressing "scan now" on an automated tool designed to find holes in operating systems, to a full-blown line-by-line code review. What is the correct way to test the security of web applications and web services? The Web Application Security Testing Framework is setting out to produce an industry-standard blueprint for how to methodically test the security of all web applications and web services. The work is likely to include modelling security attacks (maybe in XML) and is likely to use "Attack Trees" to define paths of attack. The framework will be open to all and extensible, so that it can be used in all web application scenarios. It will discuss the difference between white-box testing and black-box testing, describe tools and techniques, and describe how to conduct tests, analyze results, fix problems and report findings. The framework will help everyone build more secure web applications and web services. One ultimate goal that has been put forward is to also produce a web service from which all users can download sets of known or experimental attacks (and possibly build them online) for import into reference tools, either developed by the project or commercial. The specifications would be published and made freely available.
The web service would effectively de-couple the current situation, in which commercial tools hold both the knowledge and the techniques, making the security knowledge available to everyone and letting the tools stand on their own merits. This idea will depend on funding, probably from the government.


In The Media
Security Wire Digest's Shawna McAlearney reports the launch of OWASP on the cutting edge.

Portugal's largest web portal, SAPO, offers a nice review of us on their tech news page.

TheServerSide.com reports the opening of OWASP and contains a discussion thread.

SQLSecurity.com links to our SQL ASAC in their FAQ.

PHPDeveloper.org announces the opening of the OWASP site.

CamWorld covers the official opening of our web site.

LWN.net features OWASP in their security news.
