This presentation was by Dinis Cruz, and OWASP board member and he works for Ounce Labs, a producer of a source code analysis tool, but he said he was not speaking on behalf of either. The presentation was entitled “Building a Tool for Security Consultants: A Story of a Customized Source Code Scanner”. Everything was […]
This presentation was by Chris Nickerson, founder of Lares Consulting, and the goal was to talk about the use of layered attacks. General types of threats includes social engineering/human (corporate/personal manipulation, bogus e-mails, physical intrusion, media dropping, phone calls, conversation, role playing), electronic (application and business logic attacks, software vulnerability exploitation, …), physical (break-in, theft, […]
This presentation was by Alexander Meisel and is from a paper that was put together by the Germany OWASP chapter. He began by introducing the problem being online businesses having HTTP as their “weak spot”. Then talked about the definition of the term “Web Application Firewall”. It’s not a network firewall and not only hardware. […]
This presentation was by Hans Zaunere, Managing Member, and it is entitled “PHundamental Security – Ecosystem Review, Coding Secure with PHP, and Best Practices”. Take a look at http://www.nyphp.org/phundamentals/ for the ongoing guide and best practices. Guru Stefan Esser recently presented an excellent talk at Zendcon. Security fundamentals are common across the board. Different environments […]
This presentation was by Jeff Williams, OWASP Chair, on the Enterprise Security API. Vulnerabilities and Security Controls Missing – 35% Broken – 30% Ignored – 20% Misused – 15% Goal is to enable developers. Need to give them hands-on training, a secure coding guideline, and an Enterprise Security API. The problem with Security Libraries: overpowerful, […]
This talk was rumored to have been cancelled at a vulnerable vendors (Adobe) request, but Jeremiah Grossman and Robert Hansen decided to do parts of the talk anyway. Here’s my notes from the semi-restricted presentation. Jeremiah started off with a brief introduction on what clickjacking is. In a nutshell, it’s when you visit a malicious […]
Unfortunately, the conference provided lunch today, but did not provide us time to eat it so I had to eat while listening to this talk. It was by Trey Ford and Jeremiah Grossman from Whitehat Security and I’m pretty sure they’ve done it before. You may even be able to download a copy of the […]
Have you ever had a problem that you used a search engine to try to find the solution? Did that search bring you results from a site that then forced you to register in order to see the content? This happened to me all of the time before I found two simple ways to display […]
I’ve been focusing a lot of my time lately on our PCI initiatives. One sub-topic that I’ve spent a particularly large amount of time on has been Requirement 11.2 which says that you need to have internal and external network vulnerability scans performed by a scan vendor qualified by PCI. We already employ one such […]
If you are responsible for developing or maintaining a website and haven’t checked out Ratproxy yet, you’re missing out. Before I start spouting off about just how cool and useful this tool is, I suppose I should first tell you what a proxy is. In a nutshell, a proxy is an application that runs local […]
