Web Admin Blog

Real Web Admins. Real World Experience.

Entries for the ‘OWASP AppSec NYC 2008’ Category

Enterprise Security API – OWASP AppSec NYC 2008

This presentation was by Jeff Williams, OWASP Chair, on the Enterprise Security API. Vulnerabilities and Security Controls Missing – 35% Broken – 30% Ignored – 20% Misused – 15% Goal is to enable developers.  Need to give them hands-on training, a secure coding guideline, and an Enterprise Security API. The problem with Security Libraries: overpowerful, […]

w3af: A framework to own the Web – OWASP AppSec NYC 2008

This presentation on the w3af (Web Application Attack and Audit Framework) was by Andres Riancho (ariancho@cybsec.com) who is the project leader.  w3af is an Open Source project (GPLv2).  A script that evolved into a serious project.  A vulnerability scanner.  An exploitation tool.  Found that the commercial tools were too pricey so developed a tool to […]

JBroFuzz: Building a Java Fuzzer for the Web – OWASP AppSec NYC 2008

This presentation was by Yiannis Pavlosoglou who is the developer on the OWASP fuzzing project. Address the challenges of fuzzing, during applicaton layer penetration tests and security assessments.  Designed for fuzzing web applications.  Open-source and free.  Written in Java.  Scriptable. Fuzzer Workflow Select fuzzers Send requests Collect responses Compare results Building a fuzzer entails a […]

New 0Day Browser Exploit: Clickjacking – OWASP AppSec NYC 2008

This talk was rumored to have been cancelled at a vulnerable vendors (Adobe) request, but Jeremiah Grossman and Robert Hansen decided to do parts of the talk anyway.  Here’s my notes from the semi-restricted presentation. Jeremiah started off with a brief introduction on what clickjacking is.  In a nutshell, it’s when you visit a malicious […]

Get Rich or Die Trying – OWASP AppSec NYC 2008

Unfortunately, the conference provided lunch today, but did not provide us time to eat it so I had to eat while listening to this talk.  It was by Trey Ford and Jeremiah Grossman from Whitehat Security and I’m pretty sure they’ve done it before.  You may even be able to download a copy of the […]

OWASP Google Hacking Project – OWASP AppSec NYC 2008

This presentation is by Christian Heinrich, the project leader for the OWASP “Google Hacking” project.  Presentation published on http://www.slideshare.net/cmlh  Dual licensed under OWASP License and AU Creative Commons 2.5. OWASP Testing Guide v3 – Spiders/Robots/Crawlers 1. Automatically traverses hyperlinks 2. Recursively retrieves content referenced Behavior governed by the robots exclusion protocol.  New method is <META […]

Web Application Security Roadmap – OWASP AppSec NYC 2008

For the first session of the day, I decided to check out the Web Application Security Roadmap presentation by Joe White, President of Cyberlocksmith Corporation.  Web application security is still very much in it’s infancy.  Traditional “operations” teams do not understand web application security risk and are ill-equipped to defend against web application threats.  Many […]

Day 1 Keynote – OWASP AppSec NYC 2008

I’m currently at the OWASP AppSec 2008 Conference in New York City and am listening to the keynote presentation shared by the board of OWASP.  Starting off is Jeff Williams, Chair of OWASP.  He talked about OWASP’s mission, what we’re currently working on, and offered the following suggestions on how to take OWASP into the […]