For my first breakout session of the TRISC 2009 Conference, I decided to check out Rohyt Belani’s presentation on Spear Phishing. Rohyt is the CEO of Intrepidus Group and has spoken at a variety of conferences from BlackHat to OWASP to MISTI to Hack in the Box. I had heard from several other conference attendees […]
I’ve had a couple of discussions lately about customized Apache error pages that prompted me to do a little bit of research on it. What I’ve come up with is somewhat interesting so I thought I’d share it with everyone. First, it is not technically possible to tell Apache to serve up a different error […]
Recently I was elected the new Treasurer of the Capitol of Texas Chapter of the Information Systems Security Association. No, that’s not my way to seek your approval, but thanks for the kudos. The reason why I bring this up is that one of the first things I needed to do as the new Treasurer […]
I’ve been really surprised that for as long as I’ve been active with OWASP, I’ve never seen a proxy presentation. After all, they are hugely beneficial in doing web application penetration testing and they’re really not that difficult to use. Take TamperData for example. It’s just a firefox plugin, but it does header, cookie, get, […]
This presentation was on “Cryptography for Penetration Testers” and was by Chris Eng, the Senior Director of Security Research at VeraCode. The Premise How much do you really have to know about cryptography in order to detect and exploit crypto weaknesses in web apps. Goals Learn basic techniques for identifying and analyzing cryptographic data Learn […]
This presentation was by John Steven who is the Senior Director of Advanced Technology Consulting at Cigital, Inc. What is a threat? An agent who attacks you? An attack? An attack’s consequence? A risk? What is a threat model? Depiction of the system’s attack surface, threats who can attack the system, and assets threats may […]
This presentation was by Jian Hui Wang (girl) who is a security professional, but “a nobody in NYC”. Talking about Lotus Notes/Domino web application architecture and security features, web application common development mistakes and fixes, and test methodology. Lotus Notes/Domino History Lotus Notes is client and Domino is the server. Supports multiple protocols with one […]
I was originally planning on going upstairs for the SaaS Security presentation, but I had to come downstairs again to get my lunch and this topic seemed interesting, especially given the prevalence of cross site scripting in websites (see OWASP Top 10). The presentation was by Arshan Dabirsiaghi, the director of research at Aspect Security. […]
This presentation, entitled “Security in Agile Development: Breaking the Waterfall Mindset of the Security Industry” was by Dave Wichers, member of the OWASP board and cofounder and COO of Aspect Security. Manifesto for Agile Software Development Individuals and interactions over processes and tools. Working software over comprehensive documentation. Customer collaboration over contract negotiation. Responding to […]
This presentation was by Dinis Cruz, and OWASP board member and he works for Ounce Labs, a producer of a source code analysis tool, but he said he was not speaking on behalf of either. The presentation was entitled “Building a Tool for Security Consultants: A Story of a Customized Source Code Scanner”. Everything was […]
