This presentation was by Keith Turpin from The Boeing Company. About three years ago, all of Boeing’s assessments were coming from outsourced service providers. They realized that they were unable to have control over the people and process and had difficulties integrating the controls into the SDLC and decided to bring these functions in house. […]
This presentation was by Robert “RSnake” Hansen and was designed to be a fun conversation to have over drinks with security people. I feel privileged to have been one of those security people who he talked about this with beforehand. A very interesting topic about the non-obvious threats that may or may not exist. […]
This presentation was by Dave WIchers, COO of Aspect Security and an OWASP Board Member. My notes are below: What’s Changed? It’s about Risks, not just vulnerabilities New title is: “The Top 10 Most Critical Web Application Security Risks” OWASP Top 10 Risk Rating Methodology Based on the OWASP Risk Rating Methodology, used to prioritize […]
This presentation was by Chris Wysopal, the CTO of Veracode. My notes are below: “To measure is to know.” – James Clerk Maxwell “Measurement motivates.” – John Kenneth Galbraith Metrics do Matter Metrics quantify the otherwise unquantifiable Metrics can show trends and trends matter more than measurements do Metrics can show if we are doing […]
This presentation was by Rohit Sethi, the Project Leader for the Secure Pattern Analysis Project at OWASP and he works at Security Compass, a security analysis and training company. My notes from the session are below: Before anyone starts building complex systems, they need to design. We create threat models on completed designs. What about […]
This presentation was by John Steven, the NoVA Chapter Lead and Senior Director of Advanced Technology Consulting at Cigital, Inc. He notes that this is not that MS thing, it is not going to help you find XSS, and is not going to help you with Risk Management. My notes are below: Don’t use threat […]
General Goals Going Forward Showcase great OWASP projects Provide the best, freely distributable application security tools/documents Ensure that the tools provided are easy to use as possible Continue to document how to use the tools and how the modules were created Align the tools with the OWASP Testing Guide v3 to provide maximum coverage Awesome […]
This presentation was by Arshan Dabirsiaghi and was about the OWASP ESAPI Web Application Firewall (WAF) project. My notes are below: WAF Fallacies (at least in regards to OWASP ESAPI WAF) WAFs add attack surface WAFs can create culture problems WAFs can’t fix business logic vulnerabilities WAFs are way too expensive WAFs complicate networks Why […]
This presentation was by Michael Coates, the AppSensor Project Lead. Michael works as a Senior Application Security Engineer at Aspect Security. AppSensor is a real time defense system with the goal being to protect an application by detecting who is bad and getting rid of them before they do bad things. My notes from this […]
This presentation was by Lars Ewe, CTO of Cenzic on AJAX applications and trying to explore the different implications of running AJAX in your environment. My notes are below: Agenda What is AJAX? AJAX and Web App Security AJAX and Test Automation Vulnerability Examples: XSS, CSRF, & JavaScript Hijacking AJAX Best Security Practices Demo Q&A […]
