Web Admin Blog

Real Web Admins. Real World Experience.

Entries for the ‘OWASP AppSec NYC 2008’ Category

Cryptography for Penetration Testers – OWASP AppSec NYC 2008

This presentation was on “Cryptography for Penetration Testers” and was by Chris Eng, the Senior Director of Security Research at VeraCode. The Premise How much do you really have to know about cryptography in order to detect and exploit crypto weaknesses in web apps. Goals Learn basic techniques for identifying and analyzing cryptographic data Learn […]

Practical Advanced Threat Modeling – OWASP AppSec NYC 2008

This presentation was by John Steven who is the Senior Director of Advanced Technology Consulting at Cigital, Inc. What is a threat? An agent who attacks you? An attack? An attack’s consequence? A risk? What is a threat model? Depiction of the system’s attack surface, threats who can attack the system, and assets threats may […]

Lotus Notes/Domino Web Application Security – OWASP AppSec NYC 2008

This presentation was by Jian Hui Wang (girl) who is a security professional, but “a nobody in NYC”.  Talking about Lotus Notes/Domino web application architecture and security features, web application common development mistakes and fixes, and test methodology. Lotus Notes/Domino History Lotus Notes is client and Domino is the server.  Supports multiple protocols with one […]

Buildng and Stopping Next Generation XSS Worms – OWASP AppSec NYC 2008

I was originally planning on going upstairs for the SaaS Security presentation, but I had to come downstairs again to get my lunch and this topic seemed interesting, especially given the prevalence of cross site scripting in websites (see OWASP Top 10).  The presentation was by Arshan Dabirsiaghi, the director of research at Aspect Security.  […]

Security in Agile Development – OWASP AppSec NYC 2008

This presentation, entitled “Security in Agile Development: Breaking the Waterfall Mindset of the Security Industry” was by Dave Wichers, member of the OWASP board and cofounder and COO of Aspect Security. Manifesto for Agile Software Development Individuals and interactions over processes and tools.  Working software over comprehensive documentation.  Customer collaboration over contract negotiation.  Responding to […]

Building a Source Code Analysis Tool for Security Consultants – OWASP AppSec NYC 2008

This presentation was by Dinis Cruz, and OWASP board member and he works for Ounce Labs, a producer of a source code analysis tool, but he said he was not speaking on behalf of either.  The presentation was entitled “Building a Tool for Security Consultants: A Story of a Customized Source Code Scanner”.  Everything was […]

Tiger Team – AppSec Projects – OWASP AppSec NYC 2008

This presentation was by Chris Nickerson, founder of Lares Consulting, and the goal was to talk about the use of layered attacks. General types of threats includes social engineering/human (corporate/personal manipulation, bogus e-mails, physical intrusion, media dropping, phone calls, conversation, role playing), electronic (application and business logic attacks, software vulnerability exploitation, …), physical (break-in, theft, […]

Best Practices Guide: Web Application Firewalls – OWASP AppSec NYC 2008

This presentation was by Alexander Meisel and is from a paper that was put together by the Germany OWASP chapter. He began by introducing the problem being online businesses having HTTP as their “weak spot”.  Then talked about the definition of the term “Web Application Firewall”.  It’s not a network firewall and not only hardware.  […]

Coding Secure with PHP – OWASP AppSec NYC 2008

This presentation was by Hans Zaunere, Managing Member, and it is entitled “PHundamental Security – Ecosystem Review, Coding Secure with PHP, and Best Practices”.  Take a look at http://www.nyphp.org/phundamentals/ for the ongoing guide and best practices.  Guru Stefan Esser recently presented an excellent talk at Zendcon. Security fundamentals are common across the board.  Different environments […]

Mastering PCI Section 6.6 – OWASP AppSec NYC 2008

This presentation is by Jacob West in the Security Research Group and Taylor McKinsley in Product Marketing from Fortify software.  I’d like to note that Fortify is a developer of a source code analysis tool and so this presentation may have a bias towards source code analysis tools. 56% of organizations fail PCI section 6.  […]