This presentation is by Jacob West in the Security Research Group and Taylor McKinsley in Product Marketing from Fortify software. I’d like to note that Fortify is a developer of a source code analysis tool and so this presentation may have a bias towards source code analysis tools. 56% of organizations fail PCI section 6. […]
This presentation was by Jeff Williams, OWASP Chair, on the Enterprise Security API. Vulnerabilities and Security Controls Missing – 35% Broken – 30% Ignored – 20% Misused – 15% Goal is to enable developers. Need to give them hands-on training, a secure coding guideline, and an Enterprise Security API. The problem with Security Libraries: overpowerful, […]
This presentation on the w3af (Web Application Attack and Audit Framework) was by Andres Riancho (ariancho@cybsec.com) who is the project leader. w3af is an Open Source project (GPLv2). A script that evolved into a serious project. A vulnerability scanner. An exploitation tool. Found that the commercial tools were too pricey so developed a tool to […]
This presentation was by Yiannis Pavlosoglou who is the developer on the OWASP fuzzing project. Address the challenges of fuzzing, during applicaton layer penetration tests and security assessments. Designed for fuzzing web applications. Open-source and free. Written in Java. Scriptable. Fuzzer Workflow Select fuzzers Send requests Collect responses Compare results Building a fuzzer entails a […]
This talk was rumored to have been cancelled at a vulnerable vendors (Adobe) request, but Jeremiah Grossman and Robert Hansen decided to do parts of the talk anyway. Here’s my notes from the semi-restricted presentation. Jeremiah started off with a brief introduction on what clickjacking is. In a nutshell, it’s when you visit a malicious […]
Unfortunately, the conference provided lunch today, but did not provide us time to eat it so I had to eat while listening to this talk. It was by Trey Ford and Jeremiah Grossman from Whitehat Security and I’m pretty sure they’ve done it before. You may even be able to download a copy of the […]
This presentation is by Christian Heinrich, the project leader for the OWASP “Google Hacking” project. Presentation published on http://www.slideshare.net/cmlh Dual licensed under OWASP License and AU Creative Commons 2.5. OWASP Testing Guide v3 – Spiders/Robots/Crawlers 1. Automatically traverses hyperlinks 2. Recursively retrieves content referenced Behavior governed by the robots exclusion protocol. New method is <META […]
For the first session of the day, I decided to check out the Web Application Security Roadmap presentation by Joe White, President of Cyberlocksmith Corporation. Web application security is still very much in it’s infancy. Traditional “operations” teams do not understand web application security risk and are ill-equipped to defend against web application threats. Many […]
I’m currently at the OWASP AppSec 2008 Conference in New York City and am listening to the keynote presentation shared by the board of OWASP. Starting off is Jeff Williams, Chair of OWASP. He talked about OWASP’s mission, what we’re currently working on, and offered the following suggestions on how to take OWASP into the […]
Since Michael Howard moved from Redmond to Austin, I’ve had the privilege to see him present several times now. This is the guy who literally wrote the book on writing secure code and the secure development lifecycle. He is a fantastic speaker and I’d highly recommend checking him out if you every get the opportunity. […]
