![\"Our](\"/assets/images/posts/asvsmeetup/OWASP_ASVS_Linkedin_Banner-01.jpg\")
\nA new OWASP project - Common Lifecycle Enumeration - aims to standardize encodings of product lifecycle events, such as end-of-life, end-of-support and others. The specification will become an ECMA International standard when ready. Read more about this exciting new OWASP project!
\n\n\n\nDigital products, both hardware and software have a lifecycle that mirrors human life - they are born, grow and develop, and eventually come to an end, just like ourselves. However, there are many more changes in a product’s lifecycle that need to be captured, both for commercial products and open source software. The end-of-life state will affect many users of a product in various ways and needs to be communicated in a way that supports a high degree of automation.
\n\nWhen building a product today, we combine components from a range of upstream vendors and open source projects - a motherboard, operating system, sensors, software libraries and tools. The bill-of-materials (BOM) is a necessary tool to manage both hardware and software during the lifetime of the product. The BOM, when combined with lifecycle events, provides a foundation for automating and proactively managing each product’s lifecycle.
\n\nNew regulations, like the recently adopted EU Cyber Resilience Act, enforces a lifecycle management process where manufacturers are obliged to maintain security through the product’s entire lifecycle, from purchasing to decommissioning. This means manufacturers must ensure that the product and all components are secure, kept up-to-date, and free of exploitable vulnerabilities.
\n\nThe OWASP CycloneDX bill-of-materials standard can cover many aspects of a product, both software and hardware. But one thing that’s been missing is just the lifecycle events, like end-of-support, end-of-life and end-of-sales. For Open Source projects there are similar events covering “LTS release support”, “security fixes only”, “stable” and other variants.
\n\nA manufacturer needs to be assured that components from upstream vendors and projects are supported, otherwise the manufacturer assumes full responsibility.
\n\nA customer, through their IT organization, also wants to be able to plan their inventory and capture this information from all vendors. Products without any support need to be phased out in a controlled and planned way with as few surprises as possible.
\n\nThis exchange of information across the supply chain needs to be both enumerated in a standard format and automatically exchanged. Rest assured that OWASP is working on all fronts here.
\n\nThe OWASP Common Lifecycle Enumeration (CLE) project is actively working on a standard for capturing these events. This will be part of the effort to standardize OWASP standards in ECMA TC54. The summer of 2024 CycloneDX became an ECMA standard and more is on the way. A new working group, ECMA TC54 TG3, was formed in October 2024 to lead the standardization alongside working groups for the Package URL (PURL) and the Transparency Exchange API.
\n\nThe CLE syntax will be adopted by the OWASP Transparency Exchange API (TEA) working group (also known as “Project Koala”) that creates a standardized set of APIs for publishing and consuming software and hardware transparency artifacts like SBOM, HBOM, VEX/CSAF vulnerability information, IN-Toto attestations, SCITT statements and much more. With TEA the interaction between customers and vendors will be highly automated. A standard API leads not only to efficient workflows, but also keeps costs for integration under control. Many vendors of platforms have shown interest in integration TEA into their systems, including OWASP Dependency Track, a leading open source platform for software transparency, license compliance and vulnerability management.
\n\nIf you’re interested, all are welcome to join the work in the OWASP common lifecycle enumeration project!
\n\nhttps://owasp.org/www-project-common-lifecycle-enumeration/
\n\nWelcome to the annual More than a Password Day! To celebrate this year’s event, OWASP is enabling multi-factor authentication across the OWASP Foundation’s infrastructure. This is a significant step forward in securing our systems and data. At the start of this year’s event, we had only 21% of all OWASP accounts enrolled in MFA. We’re aiming to increase this to 100% by the end of the year.
\n\n\n\nIf you haven’t yet enabled multi-factor authentication, just sign in today and follow the prompts. If you already have MFA enabled, you’re all set!
\n\nWe recommend you run a security check on your account to ensure your account is secure.
\n\n\n\nSimpler to use and far more secure than passwords, passkeys use cryptographic to prove that you are you. Once enrolled in Google MFA, you can enroll in passkeys.
\n\nEmail is the most common form of resetting your password. Add extra security to deter access to your accounts:
\n\nPassword managers allow you to have unique, strong passwords for each site, and can help you identify weak or reused passwords.
\n\nAdditional security measures can help prevent phishing and other attacks, if used in addition to your password.
\n\nPassword managers often come with a built-in authenticator app, which can be used to secure your accounts.
\n\nYour passwords should be changed immediately if:
\n\nUsing random unique passwords with a password manager means you only need to change breached passwords. Many password managers can help you identify which passwords need changing.
\n", "date_published": "2024-11-12T07:00:00+00:00", "date_modified": "", "image": "", "banner_image": "", "authors": ["Andrew van der Stock"], "categories": ["blog"], "tags": [] } , { "id": "http://owasp.org/blog/2024/10/30/owaspfoundation-org-emails.html", "url": "http://owasp.org/blog/2024/10/30/owaspfoundation-org-emails.html", "language": "en", "title": "A workaround for OWASP Foundation emails being blocked by Microsoft Office 365", "content_html": "Over the last several months, OWASP, particularly the owasp.com domain, has been blocked from sending messages to tenants of the Microsoft Office 365 platform or those using Microsoft Defender for Office 365, where messages end up blacklisted in quarantine or never received. Organizations that have failed to receive our emails includes legal firms, our HR firm, our accountants, our European affiliate’s accountants and VAT specialists, and many others, including potential sponsors, donors, and members.
\n\nThis is an untenable situation, and extremely disappointing that we have been unable to resolve this issue with Microsoft. So we have to use a workaround domain, owaspfoundation.org to send emails to Microsoft 365 tenants. This is not ideal, but we have no other choice. We will never use owaspfoundation.org for any other purpose other than to get around this spam filter insanity. We will never send any marketing or other unsolicited emails from this domain, it will not be linked to our MailChimp or our accounting system. Only select staff have access to this domain, and we will only use it when all else fails.
\n\n\n\nWe updated and thoroughly tested our SPF and DKIM records for both owasp.com and owasp.org many months ago, and they pass with flying colors. We have tested and improved our MX records thoroughly with the Pro version of mxtoolbox.com and other DNS tools. We have tested email delivery to our friends at various firms. We have reported and have been working with Microsoft to resolve the problem, but to no avail. It is understandable that Microsoft has a very strict anti-spam policy, but it is partially underscored by an AI categorizer, which somehow learned that OWASP Foundation emails are spam, and for whatever reason, Microsoft has been unable or unwilling to untrain their spam filter.
\n\nOnce we are certain that your organization is not receiving our emails, or they are always being quarantined, we will be using a new domain, owaspfoundation.org, which is hosted on the Microsoft 365 platform to communicate with you. This is not normal, and we need your help to fix the problem.
\n\nIf you’re receiving email from owaspfoundation.org, please work with your IT department to whitelist owasp.com emails, as we are not able to do so on your behalf.
\n\nMicrosoft users need to whitelist our email domains (owasp.org and owasp.com), and click “This is not junk” on our emails that end up in quarantine or in your spam folder. This will help to improve our reputation with Microsoft, and ensure that our emails are delivered to your inbox. This is unfortunately a manual process.
\n\nIf your organization uses Microsoft Office 365 or Microsoft Exchange Online, there is potentially a separate step you need to do to release the message from quarantine, and then for your administrator to add our email domains to the allow list.
\n\nOnce requested, please ask your admins to release the email, and add owasp.org and owasp.com to allow sender list so that they don’t need to do this for every email.
\n\nOnce Microsoft has resolved their spam filter training issue, the OWASP Foundation will revert solely to using owasp.com as our primary email domain.
\n\nWe apologize for any inconvenience this may cause, but we have no other choice. We have tried everything else, and we are still unable to send emails to Microsoft 365 tenants. If anyone knows anyone senior enough at Microsoft who can help us resolve this issue, please contact me directly.
\n", "date_published": "2024-10-30T07:00:00+00:00", "date_modified": "", "image": "", "banner_image": "", "authors": ["Andrew van der Stock"], "categories": ["blog"], "tags": [] } , { "id": "http://owasp.org/blog/2024/10/02/Securing-React-Native-Mobile-Apps-with-OWASP-MAS.html", "url": "http://owasp.org/blog/2024/10/02/Securing-React-Native-Mobile-Apps-with-OWASP-MAS.html", "language": "en", "title": "Securing React Native Mobile Apps with OWASP MAS", "content_html": "React Native is a popular cross-platform mobile development framework that allows developers to build native-looking apps for iOS and Android using a single codebase. Like any other software, React Native apps are also vulnerable to a variety of security threats.
\n\n\n\nTo secure a React Native app you should analyse all its parts and how they communicate. This requires an understanding of each block: React Native, iOS, and Android platforms and Bridge between them.
\n\nThe React Native app uses JavaScript that is run on the JS engine. Understanding native JS engines and Hermes engine from Facebook is also necessary as they have different threat vectors. Using native JS engines makes extracting minified JS code from application bundles easy, while Hermes had several reported vulnerabilities in the past.
\n\nIt is also important to follow general mobile application security best practices, such as those described in OWASP guides. While there are no React Native-specific guides, OWASP provides guidance on how to improve the security of native apps, protecting them from common threats and vulnerabilities:
\n\nOWASP React Native guides can be used to assess platform-specific security controls, while OWASP JavaScript guides can be used to cover most of the remaining assessment areas:
\n\n\n\nThe common area for assessment in each cross-platform app is the way methods are bridged between native and non-native parts (like, how JavaScript and native code are communicating). For example, bridged methods may lack obfuscation making platform-specific security controls more visible for reverse engineers. The resilience sections of OWASP MASTG can serve as a guide to protect against reverse engineering and tampering because they describe concepts that can be applied to cross-platform apps.
\n\nJavaScript brings to React Native one of its most painful stepping stones: Managing a large number of dependencies and dealing with vulnerabilities in them. Integrating dependency checkers like OWASP Dependency-Check or GitHub Dependabot into the CI/CD process becomes a must-have for React Native apps.
\n\nMany React Native libraries are ported from the JavaScript ecosystem, but they may not be suitable for mobile apps, especially for security-sensitive functionality.
\n\nA secure React Native library is:
\n\nResearch React Native libraries and their dependencies before using them for security-sensitive functionality.
\n\nFind your way to a secure React Native app, by following the steps that we singled out to simplify this journey:
\n\nSecuring React Native mobile apps requires a holistic approach, applied to all aspects of the development process, from choosing secure libraries to implementing security controls.
\n", "date_published": "2024-10-02T07:00:00+00:00", "date_modified": "", "image": "", "banner_image": "", "authors": ["Julia Mezher"], "categories": ["blog"], "tags": [] } , { "id": "http://owasp.org/blog/2024/08/01/owasp-email-problems.html", "url": "http://owasp.org/blog/2024/08/01/owasp-email-problems.html", "language": "en", "title": "OWASP Email Problems (and solutions)", "content_html": "Recently, Google, Microsoft, and Yahoo and other major email providers have been implementing stricter email authentication controls. This is a good thing, as it helps to reduce the amount of spam and phishing emails that we all receive. However, it can also cause problems for legitimate email senders, such as OWASP. In the last month or so, we have experienced great difficulty in sending emails to Microsoft email addresses (Office 365, Exchange Online, Outlook, Hotmail, Live, etc). This has been a major problem for us, as many of our members and volunteers use Microsoft email addresses. We have been working hard to resolve this issue. In this post, we document a solution that every Microsoft user needs to do to reliably receive our email.
\n\nWe have created staff accounts on owaspfoundation.org. Our staff will only let you know how to un-quarantine our emails, with a link to this blog post, and to ask that you reply to the original email once restored to your Inbox.
\n\n\n\nOWASP has had the various controls (SPF, DKIM, DMARC) in place for several years. They were not as tight as they were required to be under the new February 2024 email guidelines promulgated by all major email providers. We have now tightened those controls to be in line with the requirements.
\n\nHowever, Microsoft users need to whitelist our email domains, and click “This is not junk” on our emails. This will help to improve our reputation with Microsoft, and ensure that our emails are delivered to your inbox. This is unfortunately a manual process, and one you may not realize that you need to do.
\n\nIf your organization uses Microsoft Office 365 or Microsoft Exchange Online, there is potentially a separate step you need to do to release the message from quarantine, and then for your administrator to add our email domains to the allow list.
\n\n\n\nOnce requested, please ask your admins to release the email, and add owasp.org and owasp.com to allow sender list so that they don’t need to do this for every email.
\n\nI’m excited to announce that OWASP’s restated Articles and Certificate of Incorporation and new Bylaws have been approved by the Delaware Secretary of State. These documents are the foundation of our governance and provide the framework for how the Foundation operates. The new bylaws are the result of a comprehensive review and update process that began in 2021. The changes are designed to modernize and streamline the governance of the Foundation, and to ensure that we are operating in the best interests of our members and the broader community.
\n\n\n\nOWASP has had a very potted bylaws history. Our original 2004 Articles and Certificate of Incorporation did not grant the Board of Directors the power to amend or replace the bylaws. It also didn’t have any membership classes, and didn’t really allow for a change to the qualifications of Directors, such as being elected. This meant that members from the establishment of a membership program to now were not legally OWASP members, despite being treated as such. This also meant that the replacement 2011 bylaws were never legally valid. The 2011 bylaws were amended extensively by various Boards in good faith that they had the power to do so, but these amendments which were also never legally valid. The 2011 bylaws are now replaced by the 2024 bylaws, which are legally valid. The current Directors and Board composition and qualifications, Members, and the Foundation are all now legally valid.
\n\nFrom around 2006 to 2012, OWASP was not officially an active business according to Delaware. This was news to me, and there doesn’t seem to be a lot of information around this, but it came to light when working on getting a Certificate of Good Standing. Luckily, Delaware did agree to revive OWASP in 2012, and now we’re back in good standing. The things you learn!
\n\nIn short, we had a huge legal mess, and it took a long time to clean it all up. The process involved documenting all the changes to Boards since 2004, and ensuring that all the changes were legally valid by getting a restated Certificate of Incorporation and completely new bylaws that are compliant with the Delaware General Corporation Laws. This was a huge effort, and I want to thank this and all previous Boards for getting this done. I also want to thank our legal advisors at Gesmer who helped us navigate the process and ensure that we are now in compliance with the law.
\n\nThe new bylaws are effectively a standard Delaware non-profit, member non-stock corporation’s bylaws, which should require minimal amendments, because all the policy settings must now go to policies.
\n\nThe new bylaws include a number of important changes, including:
\n\nThe next steps are to update our policies and procedures to align with the new bylaws. This will take some time, but we are committed to ensuring that the Foundation is operating in a transparent and accountable manner. In particular, we need to work out how best to ensure that Director qualifications are consistent with our past practice, and to ensure that everyone who has a vote in the Foundation is a member in good standing.
\n\nWe can finally move forward with long overdue policy reviews, probably starting with the expenses and travel policies, as well as revising the Chapters and Projects policy.
\n", "date_published": "2024-07-09T07:00:00+00:00", "date_modified": "", "image": "", "banner_image": "", "authors": ["Andrew van der Stock"], "categories": ["blog"], "tags": [] } , { "id": "http://owasp.org/blog/2024/07/03/asvs-community-meetup.html", "url": "http://owasp.org/blog/2024/07/03/asvs-community-meetup.html", "language": "en", "title": "Update on the ASVS Community Meetup", "content_html": "\n
The OWASP Application Security Verification Standard (ASVS) Project held it’s first ever, in-person, community meetup during last week’s Global AppSec Lisbon conference. This was an exciting opportunity for anyone interested in the project to come and meet some of the leaders, discover how to get involved and learn about our upcoming plans. We are super grateful to our friends at Jit for their supporting in running the event.
\n\nThis post is a quick summary of the meetup including key information on how you can get involved!
\n\n\nIf you don’t want to read all the blurb and just want to get involved, you can either:
\n\nAs you can see from our agenda, we had several talks planned as well as some informal discussion time as well.
\n\nJim Manico kicked off the morning with a freestyle overview about the ASVS, giving some background and context on the project to anyone who might not be familar with it. This was followed by Daniel Cuthbert dialing in from the UK to give us an update on his outreach efforts with various public sector organisations and government departments to get them to incorporate ASVS in their guidance and regulation.
\n\nTo finish off the first set of talks, I gave an overview of the guiding principles for version 5.0, talked through our goal to release 5.0 by the end of this year, and provided some more information on how you can get more involved (more on this below).
\n\n![\"Jim](\"/assets/images/posts/asvsmeetup/asvsjimtalk.jpg\")
\n
\nJim delivers the first talk\n
\n
\nAfter a break for informal discussions and then lunch, we came back to hear a fascinating talk from Irene Michlin and Aleksas Spiridenkovas about how they used Retrieval-Augmented Generation to get better responses from a Chatbot when asking it which ASVS requirements would be useful for a new software requirement or feature
![\"Alex](\"/assets/images/posts/asvsmeetup/asvsirenetalk.jpg\")
\n
\nAlex and Irene deliver their talk\n
\n
Talks about applying the ASVS are always popular and this was no exception!
\n\nWe were able to have a number of discussions with current or potential users of ASVS in between the talks and over lunch. These discussions continued after the meetup as well, over both days of the conference and gave us some great feedback and ideas for taking the project forwards.
\n\nOne of the key aims of the meetup was to get more people involved in the project. The more people who give their input, the better the quality of the guidance in the standard. Plus, if more people get involved in running the project itself, it makes it easier for the project leaders to push things forward.
\n\nTo that end, I had printed out a couple of posters to stick around the meetup to let people know how they could get involved. (You can see them dotted around the room in the pictures above).
\n\nIf you want to get involved you can take a look at them here:
\n\nAfter the meetup, I also stuck the posters up in some other locations around the conference as well. Thanks to Starr for the idea and also for helping us get set up and also to Sam for publicising that on Twitter which got us enquiries from people who weren’t at the conference!
\n\n\n\n\n#OWASP #ASVS: What a great idea by the @owasp_asvs project to ask for #opensource contributions using a "Wanted" poster at the OWASP Global AppSec Lisbon Conference which had almost 1000 attendees!
— Sam Stepanyan (@securestep9) June 30, 2024
Reminder that all OWASP projects are open-source & accepting your contributions: pic.twitter.com/MfFXykhDm8
We also took the opportunity to showcase our new logo and branding templates with roll-up posters and stickers, as well as special shiny stickers and keyrings for people who have actively contributed to ASVS. We have plenty of contributor stickers left to give out as well so earn yours today 😀).
\n\n![\"Our](\"/assets/images/posts/asvsmeetup/asvsstickers.jpg\")
\n
\nOur new merchandise!\n
\n
We are super excited by the success and popularity of this event and the interest in the ASVS. We are currently thinking about organising a virtual version to bring this type of meetup to a wider audience.
\n\nIf you want to know more, stay in touch via our social media channels and website:
\n\nOWASP members will gain extra benefits on the SecureFlag platform with access to ThreatCanvas to automate expert-level threat models.
\n\n\n\nSecureFlag recently announced an initiative that offers existing and future OWASP members access to their AI-powered threat modeling automation tool, ThreatCanvas, a modeling solution for developers and security professionals alike to generate threat models in seconds.
\n\nThis new initiative builds on the successful four-year collaboration providing OWASP members access to a reserved instance of the SecureFlag Secure Coding Training platform.
\n\nThreatCanvas can quickly generate a threat model from a textual description, an Infrastructure-as-Code template, and soon, existing diagrams. The scope is anything from an individual feature to an entire application or systems. ThreatCanvas identifies potential threats and suggests the relevant security controls to address any issues.
\n\nThreatCanvas integrates seamlessly with SecureFlag’s training platform, providing hands-on labs tailored to identified threats and expanding upon the existing OWASP member access to the SecureFlag Platform.
\n\n“Threat modeling should be part of the Software Development Life Cycle (SDLC), but it’s hard to scale because it’s a manual process and requires specialized security knowledge.
\n\n“SecureFlag’s ThreatCanvas changes this, making threat modeling a scalable activity that developers can perform without adding overhead to their busy schedules and without relying on the security team. With ThreatCanvas, we can empower developers to create secure software from the start and reduce security rework later in the development pipeline,” said Andrea Scaduto, Co-Founder & Director at SecureFlag.
\n\nOWASP members gain access to ThreatCanvas, leveraging most of the features available in ThreatCanvas Pro. It’s possible to generate unlimited threat models, refine them, save (one model at the time) in their library, browse revisions, export any created models via JSON or generated PDF reports and much more.\nOWASP members will also continue to benefit from access to SecureFlag’s hands-on security training labs. These labs virtualize real developer environments, covering a wide range of technologies and scenarios.
\n\n“Threat modeling is the heart and soul of application security. SecureFlag’s new ThreatCanvas feature will be a welcome addition to the already great SecureFlag member benefit,” says Andrew van der Stock, Executive Director of the OWASP Foundation, and co-leader of the OWASP Top 10. “I look forward to seeing how our members use ThreatCanvas to model their applications.”
\n\nThreatCanvas provides developers with access to expert-level threat modeling automation to create software that is secure from the start.\nTo learn more about ThreatCanvas or to register on the SecureFlag Platform if you are an OWASP member, visit the SecureFlag website.
\n\nSecureFlag is a London-based company helping organizations worldwide run Secure Coding Training programs. Offering thousands of hands-on labs, SecureFlag supports Developers, DevOps, Cloud, and QA engineers in practicing secure coding techniques across 50+ technologies. \nWith ThreatCanvas, SecureFlag also provides tools for automating the threat modeling process.
\n\nThe Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve software security. Our programming includes:
\n\nWe are an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. Our projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security
\n", "date_published": "2024-05-30T05:07:00+00:00", "date_modified": "", "image": "", "banner_image": "", "authors": ["Andrew van der Stock"], "categories": ["blog"], "tags": [] } , { "id": "http://owasp.org/blog/2024/04/22/starr-brown-hired-as-director-projects.html", "url": "http://owasp.org/blog/2024/04/22/starr-brown-hired-as-director-projects.html", "language": "en", "title": "The OWASP Foundation appoints Starr Brown as Director of Projects", "content_html": "Colorado Springs, CO, April 22, 2024 – OWASP is thrilled to announce the addition of Starr Brown to the OWASP Foundation team. As the newly appointed Director of Projects, Starr brings a wealth of expertise and a fresh perspective to our community.
\n\n\n\nStarr Brown joins us with an impressive track record in our industry, being the Executive Director of XR Village, a Principal Consultant of a penetration testing firm who ran CTFs and education programs, an ex-CIO and ex-COO with deep project management, contracts, grants, IT innovation, and risk management experience.
\n\nStarr, an OWASP Member, comes to us with solid grants and project management experience, which is precisely what the OWASP community needs to take projects to the next level and grow.
\n\nStarr’s appointment reflects our commitment to excellence and strategic development. As we continue to expand our Projects portfolio in a strategic fashion, Starr’s leadership will play a pivotal role in shaping our future endeavors.
\n\n“I am very excited for our Projects Community that we have found such a strong candidate for Director of Projects as Starr. She will be communicating with all our project leaders, particularly our Flagship and Production level projects, within the first 90 days and coming up with a proactive and strategic Projects plan.” Says Andrew van der Stock, Executive Director of the OWASP Foundation.
\n\nOur vision - “No more insecure software.”
\n\nThe Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve software security. Our programming includes:
\n\nWe are an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. Our projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security. The OWASP Foundation launched on December 1st, 2001, becoming incorporated as a United States non-profit charity on April 21, 2004.
\n\nCorporations, foundations, developers, and volunteers have supported the OWASP Foundation and its work for two decades. Donate, become a Member, or a Corporate Supporter today.
\n\nFor further inquiries or to schedule an interview with Starr Brown, please contact:
\n\nAndrew van der Stock
\n\nExecutive Director, andrew.vanderstock@owasp.com, +1 510 697 9315
\n\nStay tuned for more exciting updates. Follow OWASP on LinkedIn, Mastodon, and X
\n", "date_published": "2024-04-22T05:07:00+00:00", "date_modified": "", "image": "", "banner_image": "", "authors": ["Andrew van der Stock"], "categories": ["blog"], "tags": [] } , { "id": "http://owasp.org/blog/2024/04/21/owasp-foundation-20th-anniversary.html", "url": "http://owasp.org/blog/2024/04/21/owasp-foundation-20th-anniversary.html", "language": "en", "title": "The OWASP Foundation Celebrates 20th Anniversary", "content_html": "Colorado Springs, April 21, 2024 – Although the OWASP community is 23 years old, today the OWASP Foundation proudly commemorates its 20th year in operation, marking two decades of unwavering commitment to securing the digital landscape. As a global leader in open-source information, industry-leading projects, and a thriving community of peers, OWASP has left an indelible mark on application security and DevSecOps.
\n\n\n\nOWASP operated solely as an informal open community of like-minded individuals from September 2001 until April 21, 2004, when Jeff Williams and Dave Wichers formed the OWASP Foundation, Inc. in Delaware. Non-profit status by the IRS followed shortly after.
\n\nThe OWASP Foundation is the literal foundation for all that has come since – being the home of the most impactful application security projects, such as the OWASP Top 10, Cheat Sheets, Application Security Verification Standard, and more, hosting massive events and training on multiple continents every year, established hundreds of chapters globally, having nearly eight thousand members worldwide, more than a hundred thousand regular participants, thousands of local and regional events, as well as hosting one of the largest Slack communities on the planet.
\n\n“We all blindly trust software with the most important things in our lives – our finances, healthcare, government, elections, utilities, and even our social life,” said Jeff Williams, creator of the OWASP Top Ten and first global chair of OWASP. “For 20 years, the diverse and talented OWASP community has worked to ensure that this software is secure. However, despite 20 years of amazing people, projects, meetings, and conferences, we are still in the stone age. The software world has rocketed ahead with new languages, architectures, processes, tools, and technologies. The challenge of securing software increases exponentially with software criticality, connectivity, and complexity – and OWASP stands as a beacon of hope in an unrelenting storm of vulnerabilities and attacks. (Jeff Williams)
\n\n“Working with and helping grow OWASP has been one of the most rewarding things I’ve done during my professional career, and I continue to support it to this day. I’m amazed to see what was ‘a few people on a mailing list’ in 2002 has evolved into, and I’m honored to have helped it grow into what it is today. Jeff and I created all three of the OWASP Flagship projects mentioned above, and I’m amazed at how other OWASP members have taken up all three of those projects, and continue to evolve and maintain them as some of the most visible and popular OWASP projects to this day.” (Dave Wichers)
\n\n“When I joined the OWASP community in late 2001. I had no idea back then that my involvement with OWASP would continue for most of my adult working life nor that I would get the opportunity to lead the Foundation,” says Andrew van der Stock, Executive Director of the OWASP Foundation. “I remember the early OWASP hotbed with big, hairy, audacious goals and amazing ideas. Forming the Foundation in 2004 allowed OWASP to grow tremendously over the last 20 years and advance our mission in ways our founders could only imagine. It’s been a wild ride. I hope OWASP will continue to grow, challenge outdated security practices, and lead the world into a more secure and private future.”
\n\nDonate or become a member or corporate supporter of OWASP today!
\n\nOur vision - “No more insecure software.”
\n\nThe Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve software security. Our programming includes:
\n\nWe are an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. Our projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security. The OWASP Foundation launched on December 1st, 2001, becoming incorporated as a United States non-profit charity on April 21, 2004.
\n\nCorporations, foundations, developers, and volunteers have supported the OWASP Foundation and its work for two decades. Donate, become a Member, or a Corporate Supporter today.
\n\nFor further inquiries or to schedule an interview with Andrew van der Stock, please contact:
\n\nAndrew van der Stock
\n\nExecutive Director, andrew.vanderstock@owasp.com, +1 510 697 9315
\n\nStay tuned for more exciting updates. Follow OWASP on LinkedIn, Mastodon, and X
\n", "date_published": "2024-04-21T05:07:00+00:00", "date_modified": "", "image": "", "banner_image": "", "authors": ["Andrew van der Stock"], "categories": ["blog"], "tags": [] } , { "id": "http://owasp.org/blog/2024/04/18/codebashing-member-benefit.html", "url": "http://owasp.org/blog/2024/04/18/codebashing-member-benefit.html", "language": "en", "title": "Checkmarx and OWASP Launch First-ever Global Codebashing Learning Initiative", "content_html": "OWASP chapters and members gain Codebashing access to boost adoption of application security and compliance standards while building trust between security and development teams. Read on to learn more about the Codebashing AppSec Training Initiative.
\n\n\n\nPARAMUS, NJ – April 18, 2024 – Checkmarx, the leader in cloud-native application security, today announced the Codebashing AppSec Training Initiative in partnership with the Open Worldwide Application Security Project, (OWASP). The program will provide OWASP chapters and their members around the world with access to the Codebashing AppSec solution to ease the adoption of application security (AppSec) and compliance standards and build trust between security and development teams.
\n\nOWASP is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the fields of IoT, system software and application security.
\n\nWith over seven million minutes of AppSec training each year and a lesson completion rate of over 95%, Codebashing equips developers with the tools and knowledge to improve their secure coding skills. Delivered as a software-as-a-service (SaaS) solution, Codebashing offers a compelling way for security teams to better engage developers for AppSec adoption and standards compliance. Learning key AppSec concepts within their familiar workspaces and applying those concepts from the first line of code across all applications improves productivity and lowers risk while making the AppSec process more enjoyable.
\n\nCodebashing seamlessly merges with a developer’s daily tasks, offering learning modules within their IDEs via Checkmarx One plugins. Its innovative ‘Learning Path’ approach promotes continuous skill enhancement and is finely tuned to a developer’s specific role, be it back-end, front-end or DevOps.
\n\nCheckmarx’ renowned security researchers have curated over 85 lessons to shape the “Security Champion Program,” a visually engaging path guiding developers towards mastery. On completion, participants earn an exclusive Security Champion certificate endorsed by Checkmarx.
\n\nIn the new joint program with OWASP, Checkmarx has made Codebashing available to all OWASP members for a duration of one year beginning DATE. Once they’ve completed the program, participants will receive the Checkmarx AppSec Pro Certification for OWASP Members.
\n\n“Checkmarx appreciates the hard work and commitment of the OWASP Foundation and its global network of chapters and members in bringing Application Security to the forefront in an increasingly challenging threat landscape,” remarked Sandeep Johri, CEO at Checkmarx. “Our Checkmarx research team – and the entire company – are long-time supporters and contributors to the OWASP Foundation, both globally and locally. This new initiative will further strengthen Checkmarx One leadership to build trust between security and developers while equipping and training a new generation of software developers on emerging software supply chain threats.”
\n\n“The OWASP mission is to make the best resources available to help raise the security standards of applications now being developed and deployed – the same applications running businesses, governments, and mission-critical processes around the world,” said Andrew van der Stock, Executive Director of OWASP. “We’re pleased to work with Checkmarx to make Codebashing available to our members, which will help ease the process of application security and build better relationships between security and development teams.”
\n\n“The best way to ensure secure development by design is through training and awareness. AppSec training should be a part of any comprehensive security program,” said Ori Bendet, VP of Product Management at Checkmarx. “We’re truly pleased to work with OWASP to give their members this opportunity to strengthen their AppSec defenses in an engaging way.”
\n\nThe Checkmarx research team has long contributed to the software development and security communities by educating and raising awareness through its publications, presentations at leading conferences, and AppSec Village events. Checkmarx VP of Security Research Erez Yalon founded and has led the API Security project at OWASP since 2019.
\n\nCodebashing further extends that commitment to helping the software development community learn more and do better in everything related to application security. The training solution helps developers at all levels better understand concepts and terminology in AppSec, and from theory to practice, experience and solve real-time secure code challenges. Offering courses and mini-lessons in all leading coding languages, Codebashing covers all leading security vulnerabilities in an engaging and interactive way.
\n\nTo learn more about Codebashing or if you’re an OWASP member in utilizing this member benefit, please visit the website.
\n\nCheckmarx is trusted by enterprises worldwide to secure their application development from code to cloud. Our consolidated platform and services balance the dynamic needs of enterprises by improving security and reducing TCO, while simultaneously building trust between AppSec, developers, and CISOs. At Checkmarx, we believe it’s not just about finding risk, but remediating it across the entire application footprint and software supply chain with one seamless process for all relevant stakeholders. We are honored to serve more than 1,800 customers, including 60 percent of all Fortune 100 companies.
\n\nFollow Checkmarx on LinkedIn, YouTube, and Twitter.
\n\nOur vision - “No more insecure software”
\n\nThe Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve software security. Our programming includes:
\n\nWe are an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. Our projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security. The OWASP Foundation launched on December 1st, 2001, becoming incorporated as a United States non-profit charity on April 21, 2004.
\n\nCorporations, foundations, developers, and volunteers have supported the OWASP Foundation and its work for two decades. Donate, become a Member, or a Corporate Supporter today.
\n\nFollow OWASP on LinkedIn, Mastodon, and X.
\n", "date_published": "2024-04-18T05:07:00+00:00", "date_modified": "", "image": "", "banner_image": "", "authors": ["Andrew van der Stock"], "categories": ["blog"], "tags": [] } , { "id": "http://owasp.org/blog/2024/04/09/CycloneDX-v1.6-Released.html", "url": "http://owasp.org/blog/2024/04/09/CycloneDX-v1.6-Released.html", "language": "en", "title": "CycloneDX v1.6 Released, Advances Software Supply Chain Security with Cryptographic Bill of Materials and Attestations", "content_html": "The OWASP Foundation today announced the availability of CycloneDX v1.6. This significant release strengthens software supply chain security with the introduction of two innovative capabilities: Cryptographic Bill of Materials (CBOM), developed by IBM Research, and CycloneDX Attestations (CDXA).
\n\n\n\nCycloneDX v1.6 builds upon the existing strengths of the CycloneDX standard, which provides a machine-readable format for capturing the components that comprise software (SBOM), hardware (HBOM), services (SaaSBOM), and AI/ML models (AI/ML-BOM). CycloneDX builds upon a legacy of innovation, empowering organizations to reduce risk and enhance software and system transparency.
\n\nAs quantum computer performance improves, at some point in the future they are expected to break many currently used cryptographic algorithms, such as RSA. To address the issue, companies and organisations can migrate their cryptographic assets to new post-quantum cryptographic algorithms that have been selected by NIST for standardization.
\n\nThe Cryptographic Bill of Materials (CBOM), developed by researchers and software engineers at IBM, serves as a structured framework for inventorying cryptographic assets. This approach is detailed in OMB M-23-02 and is particularly focused on preparing for the transition to post-quantum cryptography (PQC). This preparation is underlined by the issuance of National Security Memorandum 10 from the White House. CycloneDX v1.6 simplifies the discovery, management, and reporting of cryptographic assets, laying the groundwork for migration to quantum-safe systems and applications. It facilitates the identification of weak cryptographic algorithms, promotes cryptographic agility, and ensures compliance with evolving cryptographic policies and advisories like CNSA 2.0, aligning with recommendations from NIST.
\n\nOWASP and the CycloneDX community would like to thank IBM Research for developing CBOM.
\n\n“The introduction of our CBOM in CycloneDX 1.6 is a significant milestone for managing the cryptography supply chain,” said Michael Osborne, CTO of IBM Quantum Safe. “CBOM is the first open standard to describe an organizations’ cryptographic assets inventory, and their dependencies, giving organizations deeper visibility into the cryptography they use, enabling them to assess their quantum readiness, and to consider actionable steps towards becoming quantum safe.”
\n\nCycloneDX Attestations are a modern capability for security compliance. They enable organizations to communicate standards, claims, and evidence in support of requirements, along with attestations to the veracity and completeness of those claims.
\n\n“Modern software is tremendously complex, and ensuring compliance with the dizzying array of standards is overwhelming,” said Jeff Williams, CTO of Contrast Security and the first Global Chair of OWASP. “CycloneDX Attestations (CDXA) makes “compliance as code” possible with machine-readable security standards and compliance documentation, instead of endless PDFs, spreadsheets, and paper evidence. With CDXA, you can automate production of compliance evidence, streamline communication between all compliance stakeholders, facilitate discussions about substantive security issues, handle exceptions, and manage signatures. We’re hoping CDXA marks the beginning of a new era where compliance and security are not entirely different things.”
\n\nNumerous other improvements are included in CycloneDX v1.6 including environmental considerations which enhance CycloneDX’s existing support for AI/ML model cards. The incorporation of environmental data in CycloneDX v1.6 transforms AI development, offering transparency into energy usage and CO2 emissions across all stages, from training to inference. This integration enables informed decision-making, fostering sustainable technological practices. CycloneDX seamlessly integrates environmental considerations into AI development, promoting harmony between innovation and ecological preservation.
\n\n“Manifest relies on open SBOM formats not only for our internal security, but to help customers of our SBOM-powered security platform around the world.” said Daniel Bardenstein, CTO and co-founder at Manifest Cyber. “CycloneDX 1.6 is a significant step forward for the global security community, unlocking both critical attestation workflows as well as evolved transparency for machine learning. The enterprises we support have been eagerly awaiting this release, and we look forward to continued innovation and partnership from the OWASP CycloneDX community well into the future.”
\n\nThis release underscores the commitment of the CycloneDX community to fostering a collaborative and innovative environment. The OWASP Foundation along with Ecma International have created an inclusive, community-driven ecosystem for security standards development. This collaboration empowers individuals to contribute their expertise and insights, ensuring that standards like CycloneDX reflect the collective wisdom of the global cybersecurity community. This effort is led by Ecma Technical Committee 54 (TC54).
\n\n“Well-defined, standards-based, and interoperable SBOM formats are a key building block for Bloomberg’s secure use of open source software. Bloomberg is very happy to see CycloneDX v1.6 on track to become an Ecma International standard sometime in 2024, with ISO standardization happening shortly thereafter,” said web standards author Daniel Ehrenberg, a software engineer with Bloomberg’s JavaScript Infrastructure & Tooling team and Vice President of Ecma International. “Through deep technical review and community outreach, Ecma is working to ensure that the definition of this format is transparent, interoperable, and technically rigorous. We welcome everyone interested to join and participate in this process. Ecma and OWASP are natural collaborators due to our shared focus on engineer-led pragmatism, equality among members, and openness.”
\n\nTo accompany the launch of CycloneDX v1.6, the community is pleased to announce the immediate availability of three new guides to help organizations make the most out of CycloneDX.
\n\nThese comprehensive guides, available at https://cyclonedx.org/guides/, provide in-depth information about the new features in CycloneDX v1.6 and best practices for their implementation.
\n\nTo learn more about OWASP CycloneDX, access the standard, and leverage the over 220 tools that support CycloneDX, visit https://cyclonedx.org/.
\n\nThe OWASP Foundation is a nonprofit organization that works to improve the security of software. Through community-led\nopen source software projects, over 260 local chapters worldwide, tens of thousands of members, and leading educational\nand training conferences, the OWASP Foundation is the source for developers and technologists to secure the web. For\nnearly two decades corporations, foundations, developers, and volunteers have supported the OWASP Foundation and its\nwork. To learn more or to become a member, visit https://owasp.org.
\n", "date_published": "2024-04-09T07:09:00+00:00", "date_modified": "", "image": "", "banner_image": "", "authors": ["Steve Springett"], "categories": ["blog"], "tags": [] } , { "id": "http://owasp.org/blog/2024/03/29/OWASP-data-breach-notification.html", "url": "http://owasp.org/blog/2024/03/29/OWASP-data-breach-notification.html", "language": "en", "title": "OWASP Data Leak Notification", "content_html": "In late February 2024, after receiving a few support requests, the OWASP Foundation became aware of a misconfiguration of OWASP’s old Wiki web server, leading to a data leak involving decade+-old member resumes.
\n\n\n\nWe recognize the significance of this leak, especially considering the OWASP Foundation’s emphasis on cybersecurity. We apologize to those affected by the leak and are committed to ensuring that this does not happen again. We are reviewing our data retention policies and will be implementing additional security measures to prevent future leakes.
\n\n\n\n", "date_published": "2024-03-29T05:07:00+00:00", "date_modified": "", "image": "", "banner_image": "", "authors": ["Andrew van der Stock"], "categories": ["blog"], "tags": [] } , { "id": "http://owasp.org/blog/2024/03/19/traefik_owasp.html", "url": "http://owasp.org/blog/2024/03/19/traefik_owasp.html", "language": "en", "title": "Traefik Labs Joins OWASP and Integrates Coraza and Core Rule Set Projects", "content_html": "Revision (19 April 2024): The incident should have been labeled a “leak” rather than a “breach”. The information was exposed to the public internet due to a misconfiguration, not because of an attack. We do not know if the exposed information was accessed, or by whom. The press release has been revised to clarify this.
\n
Addresses crucial role of Web Application Firewall (WAF) in modern API infrastructure and integrates two leading OWASP projects into Traefik OSS stack
\n\nKubeCon, PARIS, March 19, 2024 – Traefik Labs, creator of the world’s most popular cloud-native application proxy, today announced a significant addition to their portfolio that addresses the escalating cyber threats to modern API infrastructure.
\n\n“We are at a pivotal moment in the evolution of digital infrastructure, where the integration of robust security measures within our API gateways is not just an option, but a necessity,” said Sudeep Goswami, CEO of Traefik Labs. “By weaving the Coraza WAF and the OWASP Core Rule Set directly into Traefik Proxy v3, we are not merely responding to the current cybersecurity landscape but are proactively setting a new benchmark for API security. This step reaffirms our dedication to providing the most secure, cutting-edge solutions to our users, ensuring they remain not just compliant, but ahead of the curve in the face of emerging cyber threats.”
\n\n\n\nBy scrutinizing incoming traffic to block malicious requests before they can exploit any vulnerabilities, WAFs have been instrumental in safeguarding web applications and APIs, particularly excelling in thwarting older, yet persistently dangerous attack methods such as injection and security misconfigurations.
\n\nRecognizing the complementary strengths of API gateways and WAFs, Traefik Labs has taken a pioneering step towards fortifying API security with an innovative integration. The company has introduced the capability to incorporate a WAF directly at the API Gateway layer.
\n\nIntegrating a WAF at the API Gateway layer enhances runtime protection and establishes a comprehensive security posture that is resilient against a wide array of cyber threats. Available to users of Traefik Proxy v3 open source, this innovation integrates two OWASP projects: Coraza WAF and the Core Rule Set.
\n\n“The integration of Coraza into Traefik Proxy represents a significant leap forward in our mission to democratize high-level security for web applications and APIs,” stated José Carlos Chávez, co-leader of the Coraza project. “This collaboration with Traefik Labs showcases the power of open source innovation, merging our expertise in WAF technologies with their leadership in cloud-native application proxy solutions. Together, we’re not just enhancing security; we’re redefining what developers can expect from their infrastructure in terms of protection, performance, and ease of use.”
\n\nThis initial release lays the foundation for future enhancements and signifies Traefik Labs’ commitment to aligning with the evolving PCI DSS v4.0 standards. With WAF transitioning from a best-practice to a PCI DSS compliance requirement by March 2025, Traefik Labs is not only ahead of the curve but is also setting a new standard in API security, ensuring that organizations are well-equipped to face the cyber challenges of today and tomorrow.
\n\nFor more information, visit the Traefik Labs Blog.
\n\nAbout Traefik Labs\nTraefik Labs helps organizations adopt and scale cloud-native architectures by providing a modern, intuitive, and open platform that reimagines application connectivity and API management, paving the way for seamless operations and enhanced productivity. Traefik’s flagship open source project, Traefik Proxy, is used by the world’s largest enterprises and is one of Docker Hub’s top 10 projects, with over 3 billion downloads. Founded in 2016, Traefik Labs is backed by investors including Balderton Capital, Elaia, 360 Capital Partner, and Kima Ventures. For more information, visit traefik.io and follow @traefik on Twitter.
\n", "date_published": "2024-03-19T05:02:00+00:00", "date_modified": "", "image": "", "banner_image": "", "authors": ["Traefik Labs"], "categories": ["blog"], "tags": [] } , { "id": "http://owasp.org/blog/2024/03/07/OWASP-CycloneDX-is-ready-to-support-your-CRA-compliance-journey.html", "url": "http://owasp.org/blog/2024/03/07/OWASP-CycloneDX-is-ready-to-support-your-CRA-compliance-journey.html", "language": "en", "title": "OWASP CycloneDX is ready to support your CRA compliance journey!", "content_html": "Software development aimed at selling products in the European Union will soon change forever. Regardless of whether the product is an IoT device, a child’s toy with embedded software, a server-side application, or a mobile app - the software will have to be marked with the CE symbol, which will include cybersecurity aspects on the product. At the heart of the new regulation, the EU Cyber Resilience Act, is the software bill of materials (SBOM). OWASP CycloneDX stands well prepared with specifications of bill-of-materials and an arsenal of tools that will help manufacturers in their compliance process.
\n\n\n\nThe EU Cyber Resilience Act (CRA) aims to add cybersecurity requirements during the lifetime of a product. Manufacturers\nselling products on the EU market must deliver free security upgrades during the product’s lifetime. They will also have\nreporting requirements to the authorities if there are known attempts to use a vulnerability in the product for an attack.\nIn order to manage vulnerabilities in the product’s dependencies - commercial and open source tools and libraries used to\nbuild the product - the CRA requires manufacturers to create a software bill of materials (SBOM). The idea is for the \nmanufacturers to use this to regularly check for vulnerabilities and upgrade dependencies to stay secure. In addition, \nthe source code produced by the manufacturer has to be secure by default and secure by design. OWASP has a number of \nresources to aid in secure design, including the OWASP Application Security Verification Standard\n(ASVS), the OWASP Software Assurance Maturity Model (SAMM), and reference material for \nthreat modeling and other positive security behaviors.
\n\nA manufacturer will have to support not only the latest software version but also all versions used by customers. The \nsecurity updates have to be available for up to ten years. In addition, the products will in most cases have to support \nautomatic security updates, unless there are strong arguments against it. The customer may want to disable automatic \nupdates but still needs information about existing updates.
\n\nThis means that the manufacturer not only has to process the latest SBOM for their product, they will have to process \nthe SBOM for all existing and supported releases. There are many solutions for this on the market, both commercial and \nopen source. OWASP has a set of free tools that can support this process and is used by large manufacturers of software \nwith thousands of products. The CycloneDX Tool Center has an abundance of open \nsource and proprietary tools that support the CycloneDX standard. And OWASP Dependency-Track\nis the reference platform that consumes and analyzes SBOMs for security, operational, and license risk.
\n\nThere is no requirement in the CRA itself to make the SBOM available for customers. It’s primarily a tool for the \nmanufacturer to use and for the certification bodies to check compliance with.
\n\nThe Cyber Resilience Act aims to make sure a customer can evaluate the product from a cybersecurity view before making \na purchase. In order to do so, all vulnerability fixes have to be published publicly. The manufacturer also needs to set\nup a coordinated vulnerability response process to interact with researchers, customers and partners that find issues in\nthe software.
\n\nCycloneDX has strong support for Vulnerability Exploitability eXchange (VEX) \nthat will be used to communicate a vendor’s assessment of vulnerabilities in the software - indicating whether a certain\nvulnerability exposes a user to risk or not. It also indicates whether the software needs to be updated to fix the issue.
\n\nThe CycloneDX specification and tooling assist in the relationship between manufacturers and customers and are a crucial\npart of the software supply chain. The CRA will hold a manufacturer responsible for all aspects of a product, which \nmeans that all components have to go through due diligence and constant monitoring for upgrades, vulnerabilities, and \nknown exploits. As components are sourced from both commercial vendors and open source projects - the automatic exchange\nof the software transparency attestations will be needed. CycloneDX is currently working on standardizing this exchange \nand will soon bring the first versions of an API to the Ecma TC54 working group.
\n\nCycloneDX is the leading SBOM format with years of experience. The standard work within the OWASP community is now \naugmented with the Ecma International standardization in Technical Committee 54 (TC54). \nWhile keeping the community change control, the Ecma standardization will lead to a high-quality standard that fits into \nthe CRA certification process.
\n\nCycloneDX covers not only the Software Bill Of Materials but also strong support for several types of bill-of-materials \nranging from hardware to software-as-a-service and cryptography; CycloneDX supports the secure-by-design requirement \nin the CRA.
\n\nAre you ready to dive deeper into CycloneDX? Begin your journey by visiting cyclonedx.org and \nwith the Authoritative Guide to SBOM!
\n", "date_published": "2024-03-07T07:09:00+00:00", "date_modified": "", "image": "", "banner_image": "", "authors": ["Olle E. Johansson"], "categories": ["blog"], "tags": [] } , { "id": "http://owasp.org/blog/2024/03/01/iot-security-testing-guide.html", "url": "http://owasp.org/blog/2024/03/01/iot-security-testing-guide.html", "language": "en", "title": "Introducing the OWASP IoT Security Testing Guide (ISTG)", "content_html": "The multitude of networked devices contributing the Internet of Things (IoT) poses new risks for manufacturers, operators, and end users of solutions. Every IoT device represents potential threats to user data and supporting infrastructure when a single manipulated device has potential to endanger an ecosystem. Due to the interconnection of an array of technologies, standards and protocols, a considerable amount of effort is necessary to build and maintain a homogeneous level of IoT security.
\n\nTo reduce the risk of successful attacks, manufacturers and operators must periodically assess the security level of their IoT solutions. An instrument for this purpose is penetration testing such as goal based security assessments tailored toward target systems. We are excited to announce that the OWASP IoT Security Testing Guide project published its first release on March 1, 2024. This guide aims to provide comprehensive insights into testing the security of IoT devices and systems.
\n\n\n\n(read more about our motivation, challenges and goals)
\n\nThe OWASP IoT Security Testing Guide is intended for penetration testers and security analysts in the IoT, hardware, and embedded fields. Penetration testers and bug bounty researchers can use the concepts introduced in the IoT Security Testing Framework to plan their tests, define the test scope, test conditions and test approach. While performing the test, the test cases in the Test Case Catalog and the respective Checklists can be used:
\n\nHowever, others might benefit from the concepts and test cases introduced in this guide as well:
\n\nManufacturers of IoT devices (e.g., architects, engineers, developers and managers) can use the contents of this guide to get an understanding of potential issues and vulnerabilities that might affect their products. By increasing the awareness and understanding early on in the design and development process, it is possible to improve product security in the long term while keeping the respective costs as low as possible.
\nSecurity consultants and security managers can use this guide and its contents as a common foundation for working with their teams and clients as well as communicating with any of the stakeholders mentioned above. Especially the terminology and structure defined in this guide should help to facilitate collaboration across different teams and organizations.
\nOperators of IoT devices (e.g., users) can use this guide in a similar fashion as manufacturers. However, the operators who run IoT devices usually have no or very little influence on the design and development process. Hence, their focus is more directed towards understanding how a device might be vulnerable in a particular operational environment and how this environment could be affected in case that the device is compromised or insecure.
\n(read more about the intended audience)
\n\nThe following (simplistic) examples shall demonstrate how the ISTG can be used to plan and execute penetration tests of different IoT devices. Feel free to have a look at the full documentation of the IoT Security Testing Framework and the Test Case Catalog.
\n\nCCTV cameras are commonly used to monitor and surveil public places as well as private properties. The operators of such cameras rely on their flawless functionality for various reasons, incl. safety and security. Any failure may result in serious consequences, which is why manufacturers and operators of such cameras should, ideally, have a high interest in securing their products.
\n\nFor various reasons (e.g., budget, time, responsibilities, development and testing model etc.), it does not always make sense to perform full-fledged, all-encompassing tests of complete devices. Sometimes it is better to focus on individual parts and interfaces based on a certain threat model. The ISTG provides tools, namely the device model and attacker model, that can be used to describe different kinds of IoT devices and threats (attackers) in a straightforward fashion.
\n\nSo, let’s assume that the manufacturer of a CCTV camera brand wants to conduct a penetration test of their product. Before starting with the penetration test, manufacturer and penetration tester analyze typical characteristics of CCTV cameras:
\n\nBased on these characteristics, a potential attacker could be described as follows:
\n\nSince components and test cases within the ISTG are associated with the access levels described in the attacker model, it is now easily possible to narrow down the applicable test scope given the defined threat scenario:
\n\nSmart home devices are part of many modern households. From the smart lightbulb over the smart fridge to the smart garage opener, they are part of many aspects of our lives. As more and more people rely on smart devices, they have become attractive targets for attackers. Many of those devices process private data of some sort or are even responsible for controlling access to private property.
\n\nAnalog to scenario 1, let’s assume that the manufacturer of a smart home device wants to have their product tested. The device may have the following characteristics:
\n\nUsing the aforementioned attacker model, potential attackers can be described as follows:
\n\nWith these access levels, it may be possible to attack all device components. Hence, the applicable test scope in this threat scenario would include:
\n\nThis guide is not a monolithic, all-encompassing instruction manual for IoT device penetration testing. Instead, it should be seen as a dynamic and growing collection of test cases for various technologies related to IoT devices.
\n\nIn its current state, this guide comprises test cases on a very high and generic level. This is intentional since the base version of this guide should be applicable to as many different IoT devices as possible (comparability). However, the long-term goal is that this guide will be expanded over time by adding modules with more detailed test cases for specific technologies (expandability). Thereby, the guide will evolve and become more and more detailed over time.
\n\nBy contributing to this project, you’ll have the opportunity to shape and enhance the understanding of IoT security testing practices.
\n\nTo contribute, please head over to our GitHub repository. Here you can review the project’s documentation, code and share your valuable feedback following the projects contribution guidelines. Your expertise and insights will play a crucial role in improving the guide’s quality and relevance. Whether you are an experienced IoT security tester or someone passionate about ensuring the security of connected devices, your contributions are highly welcome. Join us in this collaborative effort to strenghten IoT security testing practices and make a positive impat on the industry! Thank you for your support and dedication to IoT security. Together, we can make a difference.
\n", "date_published": "2024-03-01T07:00:00+00:00", "date_modified": "", "image": "", "banner_image": "", "authors": ["Luca Pascal Rotsch"], "categories": ["blog"], "tags": [] } , { "id": "http://owasp.org/blog/2024/02/12/OWASP-appoints-Jason-C-McDonald.html", "url": "http://owasp.org/blog/2024/02/12/OWASP-appoints-Jason-C-McDonald.html", "language": "en", "title": "OWASP appoints Jason C. McDonald as Director of Community Development", "content_html": "Colorado Springs, February 12th 2024 /PRNewsWire/ - The OWASP Foundation, Inc. is excited to announce the appointment of Jason C. McDonald to the position of Director of Community Development. Jason’s responsibilities will include fundraising, grant writing for projects, and community liaison with our tens of thousands of community participants, developers, and external development organizations. He starts on February 12th, 2024.
\n\n\n\n“Jason’s appointment could not come at a better time for OWASP. I’m excited to have a Director of Community Development with a highly technical and development community background to work with our community, to improve the state of funding for projects and outreach to developers and development organizations.” says Andrew van der Stock, Executive Director of the OWASP Foundation.
\n\nThe Director of Community Development will:
\n\n“I am thrilled that we were able to get Jason to come aboard! We have been sorely needing someone talented like this to invest in growing and strengthening our global community, including improving our communications and raising additional funds to further reach our mission. This is a big step for us, demonstrating the Board’s commitment to our members, our leaders, and our projects, as well as doubling down on our efforts to empower as many developers as possible. ”, says Avi Douglen, Chair of the OWASP Foundation Board of Directors.
\n\n![\"Jason](\"/assets/images/people/staff_jason.png\")
Jason C. McDonald’s passion for communication permeates everything he does. As a speaker, a mentor, and the author of “Dead Simple Python”, as well as various fiction novels, he lives to encourage and empower others to reach their full potential. He draws from over a decade of experience as a software engineer and manager to bring calm to chaos. Outside of work, he can often be found clattering away on his typewriter in one of his favorite local coffee shops. Otherwise, he’s probably out gardening, walking his dogs, and just enjoying being at home in Minnesota.
\n", "date_published": "2024-02-12T05:07:00+00:00", "date_modified": "", "image": "", "banner_image": "", "authors": ["Andrew van der Stock"], "categories": ["blog"], "tags": [] } , { "id": "http://owasp.org/blog/2024/02/08/OWASP-joins-NIST-AISIC-launch-announcment_post.html", "url": "http://owasp.org/blog/2024/02/08/OWASP-joins-NIST-AISIC-launch-announcment_post.html", "language": "en", "title": "OWASP joins the US AI Safety Institute Consortium (AISIC) at its launch to support collaborative efforts to safeguard AI.", "content_html": "The rapid evolution of artificial intelligence (AI) technologies presents unprecedented opportunities and challenges. As AI tools and applications reshape our society, ensuring their safety and trustworthiness becomes critical.
\n\nIn response, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) is launching the U.S. AI Safety Institute Consortium (AISIC). This initiative represents a significant step towards creating safe and reliable AI by bringing together a diverse group of participants, including Fortune 500 companies, academic teams, non-profit organizations, and government agencies.
\n\n\n\nThe OWASP Foundation, renowned for its contributions to application security, is taking a pivotal step by joining the AISIC with a joint membership of two of its most impactful AI projects: The OWASP AI Exchange and the OWASP Top 10 for Large Language Model (LLM) Applications.
\n\nBoth projects are central to OWASP’s mission to safeguard AI and have already been at the forefront of identifying and mitigating security risks in AI systems and actively seeking standards alignment. The joint membership allows us to combine the strengths of the two projects and offer unique contributions to the consortium.
\n\nThe OWASP AI Exchange has already been influential with its submissions for the EU AI Act. The project serves as a unifying reference model, bridging predictive AI and generative AI with mappings to various standards, including OWASP projects. It aims to consolidate global AI security discourse through expert submissions and standard alignment. As a result, it is becoming the canonical compass for understanding and navigating AI threats, vulnerabilities, and controls. With its recent 0.8 release, the project continuous to build around its popular Threats and Controls navigator, Risks and Threats Matrix with material on AI Programs and expands its standards mapping with discussions on the role of the ISO/IEC 5338 standard for AI engineering best practices, comparing it to 42001. This initiative is instrumental in driving consensus and collaboration across AI security initiatives, aligning with the EU AI Act, CEN/CELENEC, ISO/IEC 27090, CSA and other standards organizations.
\n\nThe immensely popular OWASP Top 10 for LLM Apps, on the other hand, aims for depth in assessing the emerging field of generative AI, offering practical and actionable advice. With over 800 members, Its v1.x enjoyed widespread adoption across industry sectors and organizations. Only last month, it was the Number One security recommendation of the UK’s comprehensive Government Generative AI Framework.
\n\nThe project is at the cutting edge of assessing the impacts of generative AI technologies, including the effects on security itself, debating traditional assumptions around security and safety that have become outdated in the era of generative AI, thus introducing the first OWASP AI Safety item, LLM09 overreliance. Similarly, it has expanded its audience from developers and security practitioners to CISOs and other security decision-makers with its LLM Security Governance Checklist.
\n\nFollowing the widespread adoption of 1. x, the project is embarking on its 2.0 major update to adopt a data-driven approach and reflect lessons from adoption while researching rapid advancements such as multimodal AI, open source, open weight LLMs, and supply-chain verification, while continuing to debate the intersection of security with safety and ethics.
\n\nTogether, these two OWASP projects provide a comprehensive AI security and safety framework and mapping standards while offering practical guidance on new AI developments. The two projects share membership and have proactively and regularly engaged with other standards organizations (CSA, NIST, MITRE), national security agencies, and AI Security vendors to ensure alignment and foster collaboration.
\n\nOur collaboration with the AISIC amplifies this mission, leveraging OWASP’s global network of experts to support AISIC’s R&D endeavors with deep expertise. This partnership ensures that the work of the AISIC reaches a broad audience, including builders, defenders, CISOs, and technology leaders, making its findings accessible and actionable.
\n\nOWASP is excited to join AISIC, a powerful initiative to facilitate the collaboration of those on the frontlines of AI safety, focusing on R&D that underpins future standards and policies supporting secure, safe, and trustworthy AI systems.
\n\nNIST’s contributions to the Adversarial AI taxonomies and mitigations and its AI RMF (Risk Management Framework) are a solid foundation and one OWASP has been discussing closely with NIST and the Trustworthy AI community.
\n\nAs OWASP is joining forces with the AISIC, we are positioned to influence the future of AI safety and security significantly. The comprehensive approach of combining the OWASP AI Exchange’s canonical reference model with the OWASP Top 10 for LLM Apps’ focus on generative AI, ensures that we can navigate the complexities of AI security with nuanced, forward-thinking strategies. This collaboration is a testament to OWASP’s commitment to fostering open standards for AI security, setting a new benchmark for safe and trustworthy AI development.
\n\nOWASP’s participation in the AISIC is a critical step forward in the journey towards secure and ethical AI. By combining expertise in AI security with the consortium’s broad collaborative network, we are paving the way for innovations that are secure, responsible, and aligned with societal values.
\n\nTogether, we are creating a safer digital future, ensuring that AI technologies benefit society while mitigating risks.
\n", "date_published": "2024-02-08T07:09:00+00:00", "date_modified": "", "image": "", "banner_image": "", "authors": ["John Sotiropoulos"], "categories": ["blog"], "tags": [] } , { "id": "http://owasp.org/blog/2024/01/09/ModSecurity.html", "url": "http://owasp.org/blog/2024/01/09/ModSecurity.html", "language": "en", "title": "Trustwave Transfers ModSecurity Custodianship to OWASP", "content_html": "After serving as its steward for over a decade, Trustwave has agreed to transfer the reins of the renowned open-source web application firewall (WAF) engine, ModSecurity, to the Open Worldwide Application Security Project (OWASP). This landmark move promises to inject fresh energy and perspectives into the project, ensuring its continued evolution as a vital line of defense for countless websites worldwide.
\n\nThe transition, commencing on January 25th, 2024, isn’t just about changing hands. OWASP, the leading open community dedicated to application security, is already responsible for the Core Rule Set, the dominant WAF rule set on the market. By formally assuming custodianship of the entire project, OWASP can now steer ModSecurity’s development with a holistic view, fostering even tighter integration between the core rule set and the underlying framework.\n\nTrustwave, while stepping down from its custodial role, expresses immense gratitude for its time with ModSecurity. Since 2010, Trustwave has championed ModSecurity’s growth and adoption, contributing significantly to its current relevance, its robustness, and its greatly expanded feature set. With evolving business objectives, Trustwave recognizes the value of entrusting ModSecurity’s future to a community-driven, open-source environment like OWASP.
\n\nThis transition brings about several exciting possibilities:
\n\nEnhanced Collaboration: OWASP’s vast network of security experts and volunteers can now directly contribute to ModSecurity’s core development, fostering faster innovation and wider community engagement. Coordination with Coraza will guarantee that both engines implement the same rules language.
\nStreamlined Rule Development: Integrating the Core Rule Set and framework under one roof simplifies the rule creation and testing process, leading to more timely and effective defenses against emerging threats.
\nContinued Openness and Adoption: OWASP’s dedication to open-source principles guarantees that ModSecurity remains free to use and modify, ensuring its accessibility for organizations of all sizes.
\nThe future of ModSecurity is brighter than ever. Under OWASP’s stewardship, this powerful WAF is poised to further solidify its position as a cornerstone of web application security, protecting countless websites against the ever-evolving threat landscape. We, as an industry, can all stand to benefit from this open-source collaboration, empowering developers, and security professionals alike to build and maintain safer applications in the years to come. OWASP calls all interested parties to join hands and help with the future development of ModSecurity.
\n\nThis landmark news marks a significant chapter in the ongoing saga of web security. Let’s celebrate this transition as a win for the open-source community and a testament to the collaborative spirit that drives innovation in the face of ever-increasing cyber threats. The future of web security is open, and with ModSecurity in OWASP’s hands, it’s looking undeniably bright.
\n", "date_published": "2024-01-09T05:12:05+00:00", "date_modified": "", "image": "", "banner_image": "", "authors": ["Harold Blankenship"], "categories": ["blog"], "tags": [] } , { "id": "http://owasp.org/blog/2023/12/06/CycloneDX-attestations.html", "url": "http://owasp.org/blog/2023/12/06/CycloneDX-attestations.html", "language": "en", "title": "CycloneDX v1.6 Introduces Support for Attestations of Compliance with Any Standard, Improving Compliance and Scalability for Consumers and Vendors of Third Party Software", "content_html": "Requiring Proof of Compliance: In the Real World, Scale Escalates Quickly.
\n\nAlmost every organization must wrestle with security compliance for their software. There are standards, policies, and guidelines from every conceivable source: government agencies, industry groups, open-source foundations, international organizations, and other standards bodies.
\n\n\nThe entire process is paper-based. Standards are typically PDF documents and require custom written evidence, all of which defies automation and requires extensive manual effort. The CycloneDX Attestation Project is tackling this challenge by creating “compliance as code.” We intend to dramatically increase organizations’ ability to automate the compliance process by providing machine-readable formats for:
\n\nExchanging, validating, and signing attestations of compliance may seem simple in the context of a single relationship between vendor and consumer:
\n\n![\"\"](\"/assets/images/posts/cdx-attestations/image2.png\")
However, when scaled up to account for multiple third-party dependencies in an organization’s ecosystem, the need for standardization in managing and maintaining attestations of compliance becomes apparent for both software vendors and consumers.
\n\n![\"\"](\"/assets/images/posts/cdx-attestations/image1.png\")
Considering that software vendors likely have multiple products, each with multiple customers – and considering that software consumers likely rely on multiple third-party products to maintain critical operations in their organization – the impact of creating and consuming attestations of compliance across B2B transactions escalates quickly.
\n\n![\"\"](\"/assets/images/posts/cdx-attestations/image5.png\")
If each consumer set their own requirements for receiving attestations and evidence of compliance, or each vendor set their own standards for providing proof of attestation, significant inefficiency is added to the process of exchanging attestations. Consumers may take additional time to verify and adjust to unfamiliar attestation and evidence formats, while vendors may need to adjust their attestations and evidence to meet consumers’ requirements.
\n\nCommitting to producing and consuming attestations of compliance introduces three key pain points:
\n\nWith so many details and requirements in each individual standard, how might consumers be alerted when third party software falls out of compliance via one of the vendor’s external dependencies? Furthermore, if a vendor does fall out of compliance due to a vulnerable transitive dependency, how might they demonstrate that they are back in compliance and therefore regain the trust of their customer?
\n\nGiven that many consumers rely on multiple third-party software solutions for critical operations, it requires keen oversight to ensure that every one of those vendors remain in compliance to the level of transitive dependencies.
\n\nImagine a situation in which a consumer requires all vendors to comply with the same standard as a requirement for purchasing their product. Without a common attestation format, a company purchasing third-party or enterprise software solutions may have to read through as many different versions of attestations and evidence as they have vendors.
\n\nHow might consumers of third-party software keep from being overwhelmed by reading and evaluating proof of attestations for each individual product they utilize, and continue doing this each time one of those vendors makes a change that might introduce a vulnerability? Is there a consistent way for consumers to know, at a glance, what standards the software is compliant with and to what degree, and even better, obtain this information in a way that is consistent across all the software they consume so that they do not need to adapt to different attestation and evidence formats for every software package they validate?
\n\nThis is a particularly acute need for standards that heavily focus on policies and procedures, as attestation would either require manual entry of evidence or extensive integrations to automate.
\n\nGenerating proof for the attestation of a single product may be a straightforward documentation task before go-to-market. Generating proof for attestations across an entire product portfolio, with updates on every release that may affect compliance, is an exponentially more complex task that requires standardization and process to prevent it from becoming cost-preventive or blocking the release and sale of products.
\n\nStandardization of attestation formats and clearly readable links between the product requirements, the product’s degree of compliance, and the vendor’s proof of compliance can help to quickly resolve concerns about a product’s compliance with a necessary standard. Without standardization, if a buyer requires more proof of compliance or does not accept a vendor’s standard proof of attestation, additional effort would be required for the vendor to understand the gap in documentation, go back to engineers to document the required technical information, and coordinate with stakeholders to craft a new proof of attestation for the buyer.
\n\nLockheed Martin, a member of the CycloneDX Industry Working Group, faced this risk due to the sheer size of their product portfolio. With thousands of products being manufactured for use by government agencies, all of whom would require attestation of each product’s compliance with NIST’s Secure Software Development Framework, they needed a way to optimize the generation and management of attestation documents. Lockheed Martin has partnered with the CycloneDX community on attestation support to forge a path forward for organizations with similar needs:
\n\n\n\n\n“Lockheed Martin has collaborated with other members of the OWASP community to develop CycloneDX 1.6 attestation and standards support to meet requirements outlined in President Biden’s Executive Order on improving the nation’s cybersecurity (EO 14028). Our work on CycloneDX enables us to deliver software bill of materials using open standards for interoperability with our public sector partners and customers. Lockheed Martin’s collaboration on CycloneDX 1.6 provides a path to automating policy to implementing NIST’s Secure Software Development Framework as part of the Office of Management and Budget Memorandum M-22-18.”
\n\n-Ian Dunbar-Hall
\n\nLockheed Martin Software Factory Chief Engineer
\n
The CycloneDX Attestations Working Group is excited to announce support for attestations of compliance with any standard, which will be released with CycloneDX version 1.6. This was made possible due to the partnership between CycloneDX contributors and members of the CycloneDX Industry Working Group.
\n\nAt launch, the CycloneDX v1.6 standard will have pre-filled compliance requirements for several standards, including OWASP SCVS, ASVS, and MASVS, as well as the NIST Secure Software Development Framework for the convenience of vendors who work with the federal government. However, users can also enter and link to the requirements for other standards, even those for policies and procedures internal to their company. CycloneDX Attestations ties together the standard, the compliance status, and the related evidence in a way that is simple enough to be understood at a glance, while also flexible enough to be adapted for any standard:
\n\n![\"\"](\"/assets/images/posts/cdx-attestations/image4.png\")
This supports all user personas in B2B transactions:
\nDefault support for NIST, SCVS, and ASVS/MASVS standards can also be chained together to create a strong starting point for a vendor that is just starting to experiment with attestations of compliance. The Attestation of Compliance section can provide evidence that the product complies with individual sections of the NIST requirements (with support for multiple sources of evidence for a single requirement), while proof of SCVS, ASVS, and MASVS compliance speak to the quality of all other attestations; showing that the company is oriented toward security and documenting proof in a thorough fashion.
\n\nAll of these combined factors benefit both consumers and vendors of B2B software. Consumers can make informed decisions when evaluating multiple options for software vendors, being able to more easily determine which is the most verifiable secure. Vendors can proactively identify gaps in their compliance or evidence of compliance, giving them an opportunity to remediate this rather than be caught unaware during sales negotiations or onboarding of a new customer.
\n\nWhen both vendors and consumers utilize the same standard for submitting proofs of attestation – especially a standard which is familiar, easy to generate, and easy to consume – the ecosystem of exchanging third-party software solutions becomes far more manageable, whether for B2B transactions or open-source projects.
\n\nHere is an example workflow for a CycloneDX user filling out an attestation of compliance:
\n\n![\"\"](\"/assets/images/posts/cdx-attestations/image3.png\")
At present, the Attestations section of the CycloneDX standard is machine-writable and machine-readable, but tools are still needed to automate the population and consumption of attestations in existing software products.
\n\nThese are some of the more prevalent user needs which could potentially be met by tools created by the community:
\nWhile many fields in a CycloneDX SBOM can be automatically generated as part of the build process, many NIST and ISO standards involve non-technical requirements for policies and procedures. (Example: A standard may require proof that employees undergo yearly cybersecurity training.)
\n\nThe proof for non-technical requirements may be present in a number of different tools with the capability for API integration, but there is a definite need for tools which are capable of integrating with these endpoints and populating the SBOM with attestation evidence.
\n\nFilling out a nested JSON object by hand may also be more difficult for non-technical stakeholders if this is not a format they do not work with regularly. As a result, there is also a need for attestation tools which provide a user interface for individuals to fill out standard requirements, attest to their degree of compliance, and attach evidence for each standard’s requirements.
\n\nAttestation data is contained in nested JSON or XML objects within a CycloneDX Software Bill of Materials (SBOM), conferring a significant advantage: CycloneDX Attestations are machine-readable. In other words, it becomes possible to build tools that instantly parse through lengthy attestations and bodies of evidence for dozens if not hundreds of products; surfacing an easy-to-read synopsis to the end user.
\n\nIf built, these tools would exponentially reduce the time for security professionals or project managers to validate attestations, making the exchange of attestation statements a fast, easy part of B2B transactions.
\n\nThe OWASP CycloneDX community is always looking for new members who are interested in getting involved and supporting new and innovative uses for SBOM. Anyone who would like to provide feedback, contribute ideas, or create tools is welcome to join the CycloneDX Attestations Working Group.
\n\nFor more information on CycloneDX milestones, go to https://cyclonedx.org/news/.
\n\nCycloneDX has a rich community of contributors, supporters, and adopters helping each other to drive innovation and change. It is quick and easy to join, and all new participants are welcome.
\n", "date_published": "2023-12-06T07:09:00+00:00", "date_modified": "", "image": "", "banner_image": "", "authors": ["Kayla Heard-Rising"], "categories": ["blog"], "tags": [] } ] }