I’ve been really surprised that for as long as I’ve been active with OWASP, I’ve never seen a proxy presentation.  After all, they are hugely beneficial in doing web application penetration testing and they’re really not that difficult to use.  Take TamperData for example.  It’s just a Firefox plugin, but it does header, cookie, GET, [...]

28 Oct, 2008 in Content Management by Ernest

Vignette, the Austin-based Web content management company,  has an annual show called Vignette Village.  A whole crew went from our company; Mark and I represented the Web Admins.
I got a lot out of Village though I wasn’t expecting to.  There was excitement in the air and clear commitment to continued development of their core Vignette [...]

7 Oct, 2008 in Enterprise Search by Ernest

InformationWeek did a big story on enterprise search, and used NI as their lead example!  Note all the system info in the article that I fed them. And we’re getting a lot of fun out of Graff’s quote about how it’s easy to sign off on more resources for us, we’re including that in every purchase [...]

6 Oct, 2008 in Advertising, Browser Wars by Ernest

It’s been in the news that Microsoft is pushing “rewards programs” for people to use Live Search and the Live Toolbar.  But did you know they’re trying to get your local IT department to do it for you?
Yep, the program’s called the “Search@Work Rewards Program”.  If your IT department puts IE, with Live Search as [...]

1 Oct, 2008 in Elastic Compute Cloud by James

First Speaker: VP of Amazon Web Services - Adam Selipsky
Motivation for building AWS - Scaling Amazon.com through the ’90s was really rough.  10 years of growth caused a lot of headaches.
What if you could outsource IT Infrastructure?  What would this look like?
Needs:
Storage
Compute abilities
Database
Transactions
Middleware
Core Services:
Reliability
Scalability - Lots of companies have spiky business periods
Performance - CoLo facility and [...]

This presentation was on “Cryptography for Penetration Testers” and was by Chris Eng, the Senior Director of Security Research at VeraCode.
The Premise
How much do you really have to know about cryptography in order to detect and exploit crypto weaknesses in web apps?
Goals

Learn basic techniques for identifying and analyzing cryptographic data
Learn black-box heuristics for recognizing weak [...]
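As an added example (not from the original post and not Chris Eng’s own material), here is the kind of first-pass black-box triage those two goals describe, in Python: given an opaque cookie or hidden-field value, guess the transport encoding, decode it, and read off the byte length (block-aligned or not), whether the bytes are just readable text, how random they look, and whether any cipher blocks repeat, the classic sign of ECB mode. The sample tokens, their names and the interpretation strings are all constructed for this demonstration.

```python
"""Black-box triage of an opaque web-app token: which encoding wraps it, how many
raw bytes it carries, whether that length is block-aligned, how random the bytes
look, and whether any cipher blocks repeat (the ECB tell-tale)."""
import base64
import math
import re
from collections import Counter

HEX_RE = re.compile(r"[0-9a-fA-F]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
B64URL_RE = re.compile(r"[A-Za-z0-9_-]+={0,2}")


def detect_encoding(token: str):
    """Guess the transport encoding from alphabet and length. Hex is checked
    first because every hex string is also a syntactically valid base64 string."""
    if HEX_RE.fullmatch(token) and len(token) % 2 == 0:
        return "hex"
    if B64_RE.fullmatch(token) and len(token) % 4 == 0:
        return "base64"
    if B64URL_RE.fullmatch(token):
        return "base64url"
    return None


def decode(token: str, encoding: str) -> bytes:
    if encoding == "hex":
        return bytes.fromhex(token)
    if encoding == "base64":
        return base64.b64decode(token, validate=True)
    if encoding == "base64url":
        # base64url values are often emitted without padding; restore it.
        return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    raise ValueError(f"unsupported encoding: {encoding}")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. 8.0 is the ceiling for long data; for n distinct bytes the
    ceiling is log2(n), so compare against that for short tokens."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def repeated_blocks(data: bytes, block_size: int) -> int:
    """Number of full blocks that duplicate an earlier block. Under ECB this
    means identical plaintext blocks, which enables cut-and-paste attacks."""
    blocks = [data[i:i + block_size]
              for i in range(0, len(data) - block_size + 1, block_size)]
    return len(blocks) - len(set(blocks))


def block_hint(n: int) -> str:
    if n % 16 == 0:
        return "multiple of 16: 128-bit block cipher (AES?) or a 16/32-byte digest"
    if n % 8 == 0:
        return "multiple of 8: 64-bit block cipher (DES/3DES/Blowfish?)"
    return "not block-aligned: stream cipher, raw hash/HMAC, or plain encoding"


def analyze(token: str) -> dict:
    encoding = detect_encoding(token)
    report = {"encoding": encoding}
    if encoding is None:
        return report
    raw = decode(token, encoding)
    report.update(
        length=len(raw),
        block_hint=block_hint(len(raw)),
        printable=all(32 <= b < 127 for b in raw),   # True => just encoding, not crypto
        entropy=round(shannon_entropy(raw), 2),
        repeated_16=repeated_blocks(raw, 16),
        repeated_8=repeated_blocks(raw, 8),
    )
    return report


# Constructed sample values (not from the page), chosen to exercise each branch.
SAMPLES = {
    # base64 of readable text: "encryption" that is only encoding.
    "session": base64.b64encode(b"user=guest;role=user;exp=20081001").decode(),
    # two identical 16-byte blocks, hex-encoded: what an ECB-encrypted cookie
    # looks like when two plaintext blocks are equal. The bytes are arbitrary.
    "ecb_cookie": (bytes.fromhex("3ad77bb40d7a3660a89ecaf32466ef97") * 2).hex(),
    # 20 arbitrary bytes, base64url without padding: sized like an HMAC-SHA1 tag.
    "hmac_tag": base64.urlsafe_b64encode(
        bytes.fromhex("2fd4e1c67a2d28fced849ee1bb76e7391b93eb12")).rstrip(b"=").decode(),
}

if __name__ == "__main__":
    for name, token in SAMPLES.items():
        print(name, analyze(token))
```

The length and alignment hints are only hints: a 32-byte value may be AES ciphertext, a SHA-256 digest, or two concatenated 16-byte fields, so the next step is always to vary the input (log in as a different user, change one character of the plaintext you control) and watch which bytes of the token change.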

This presentation was by John Steven who is the Senior Director of Advanced Technology Consulting at Cigital, Inc.
What is a threat?

An agent who attacks you?
An attack?
An attack’s consequence?
A risk?

What is a threat model?

Depiction of the system’s attack surface, threats who can attack the system, and assets threats may compromise.
Some leverage risk management practices.  Estimate probability [...]

This presentation was by Jian Hui Wang (girl) who is a security professional, but “a nobody in NYC”.  Talking about Lotus Notes/Domino web application architecture and security features, web application common development mistakes and fixes, and test methodology.
Lotus Notes/Domino History
Lotus Notes is client and Domino is the server.  Supports multiple protocols with one interface (HTTP, [...]

I was originally planning on going upstairs for the SaaS Security presentation, but I had to come downstairs again to get my lunch and this topic seemed interesting, especially given the prevalence of cross-site scripting in websites (see OWASP Top 10).  The presentation was by Arshan Dabirsiaghi, the director of research at Aspect Security.  [...]

This presentation, entitled “Security in Agile Development: Breaking the Waterfall Mindset of the Security Industry” was by Dave Wichers, member of the OWASP board and cofounder and COO of Aspect Security.
Manifesto for Agile Software Development
Individuals and interactions over processes and tools.  Working software over comprehensive documentation.  Customer collaboration over contract negotiation.  Responding to change over [...]