This presentation was by Chris Nickerson, founder of Lares Consulting, and the goal was to talk about the use of layered attacks. General types of threats includes social engineering/human (corporate/personal manipulation, bogus e-mails, physical intrusion, media dropping, phone calls, conversation, role playing), electronic (application and business logic attacks, software vulnerability exploitation, …), physical (break-in, theft, […]
This presentation was by Alexander Meisel and is from a paper that was put together by the Germany OWASP chapter. He began by introducing the problem being online businesses having HTTP as their “weak spot”. Then talked about the definition of the term “Web Application Firewall”. It’s not a network firewall and not only hardware. […]
This presentation was by Hans Zaunere, Managing Member, and it is entitled “PHundamental Security – Ecosystem Review, Coding Secure with PHP, and Best Practices”. Take a look at http://www.nyphp.org/phundamentals/ for the ongoing guide and best practices. Guru Stefan Esser recently presented an excellent talk at Zendcon. Security fundamentals are common across the board. Different environments […]
This presentation is by Jacob West in the Security Research Group and Taylor McKinsley in Product Marketing from Fortify software. I’d like to note that Fortify is a developer of a source code analysis tool and so this presentation may have a bias towards source code analysis tools. 56% of organizations fail PCI section 6. […]
This presentation was by Jeff Williams, OWASP Chair, on the Enterprise Security API. Vulnerabilities and Security Controls Missing – 35% Broken – 30% Ignored – 20% Misused – 15% Goal is to enable developers. Need to give them hands-on training, a secure coding guideline, and an Enterprise Security API. The problem with Security Libraries: overpowerful, […]
This presentation on the w3af (Web Application Attack and Audit Framework) was by Andres Riancho (ariancho@cybsec.com) who is the project leader. w3af is an Open Source project (GPLv2). A script that evolved into a serious project. A vulnerability scanner. An exploitation tool. Found that the commercial tools were too pricey so developed a tool to […]
This presentation was by Yiannis Pavlosoglou who is the developer on the OWASP fuzzing project. Address the challenges of fuzzing, during applicaton layer penetration tests and security assessments. Designed for fuzzing web applications. Open-source and free. Written in Java. Scriptable. Fuzzer Workflow Select fuzzers Send requests Collect responses Compare results Building a fuzzer entails a […]
This talk was rumored to have been cancelled at a vulnerable vendors (Adobe) request, but Jeremiah Grossman and Robert Hansen decided to do parts of the talk anyway. Here’s my notes from the semi-restricted presentation. Jeremiah started off with a brief introduction on what clickjacking is. In a nutshell, it’s when you visit a malicious […]
Unfortunately, the conference provided lunch today, but did not provide us time to eat it so I had to eat while listening to this talk. It was by Trey Ford and Jeremiah Grossman from Whitehat Security and I’m pretty sure they’ve done it before. You may even be able to download a copy of the […]
This presentation is by Christian Heinrich, the project leader for the OWASP “Google Hacking” project. Presentation published on http://www.slideshare.net/cmlh Dual licensed under OWASP License and AU Creative Commons 2.5. OWASP Testing Guide v3 – Spiders/Robots/Crawlers 1. Automatically traverses hyperlinks 2. Recursively retrieves content referenced Behavior governed by the robots exclusion protocol. New method is <META […]
