This presentation was by Arshan Dabirsiaghi and was about the OWASP ESAPI Web Application Firewall (WAF) project. My notes are below: WAF Fallacies (at least in regards to OWASP ESAPI WAF) WAFs add attack surface WAFs can create culture problems WAFs can’t fix business logic vulnerabilities WAFs are way too expensive WAFs complicate networks Why […]
This presentation was by Michael Coates, the AppSensor Project Lead. Michael works as a Senior Application Security Engineer at Aspect Security. AppSensor is a real time defense system with the goal being to protect an application by detecting who is bad and getting rid of them before they do bad things. My notes from this […]
This presentation was by Lars Ewe, CTO of Cenzic on AJAX applications and trying to explore the different implications of running AJAX in your environment. My notes are below: Agenda What is AJAX? AJAX and Web App Security AJAX and Test Automation Vulnerability Examples: XSS, CSRF, & JavaScript Hijacking AJAX Best Security Practices Demo Q&A […]
This presentation on the OWASP Software Assurance Maturity Model (SAMM) was by Pravir Chandra, the project lead. I was actually really excited in seeing this topic on the schedule as SAMM is something that I’ve been toying with for my organization for a while. It’s actually a very simple and intuitive approach to how to […]
I’ve been really surprised that for as long as I’ve been active with OWASP, I’ve never seen a proxy presentation. After all, they are hugely beneficial in doing web application penetration testing and they’re really not that difficult to use. Take TamperData for example. It’s just a firefox plugin, but it does header, cookie, get, […]
This presentation was on “Cryptography for Penetration Testers” and was by Chris Eng, the Senior Director of Security Research at VeraCode. The Premise How much do you really have to know about cryptography in order to detect and exploit crypto weaknesses in web apps. Goals Learn basic techniques for identifying and analyzing cryptographic data Learn […]
This presentation was by John Steven who is the Senior Director of Advanced Technology Consulting at Cigital, Inc. What is a threat? An agent who attacks you? An attack? An attack’s consequence? A risk? What is a threat model? Depiction of the system’s attack surface, threats who can attack the system, and assets threats may […]
This presentation was by Jian Hui Wang (girl) who is a security professional, but “a nobody in NYC”. Talking about Lotus Notes/Domino web application architecture and security features, web application common development mistakes and fixes, and test methodology. Lotus Notes/Domino History Lotus Notes is client and Domino is the server. Supports multiple protocols with one […]
I was originally planning on going upstairs for the SaaS Security presentation, but I had to come downstairs again to get my lunch and this topic seemed interesting, especially given the prevalence of cross site scripting in websites (see OWASP Top 10). The presentation was by Arshan Dabirsiaghi, the director of research at Aspect Security. […]
This presentation, entitled “Security in Agile Development: Breaking the Waterfall Mindset of the Security Industry” was by Dave Wichers, member of the OWASP board and cofounder and COO of Aspect Security. Manifesto for Agile Software Development Individuals and interactions over processes and tools. Working software over comprehensive documentation. Customer collaboration over contract negotiation. Responding to […]
