The LASCON Badge Game was back in 2018 and the feedback I received was that it was the best one so far. It started out with the following QR code on the back of the badge: Following that QR code took you to the URL https://pastebin.com/J61kDSe2. Viewing that URL gives you the following: V2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSF= V2VsY29tZSB0byB0aGUgTEFTQ09OIDIwMTggYmFkZ2UgZ2FtZSE= […]
For those who don’t know, every year I put together a game that starts on the back of the LASCON badge. It’s typically some combination of crypto challenges alongside application security vulnerabilities with the goal of having it take somewhere around 1-3 hours, depending on experience, to complete. Those who complete the game are rewarded […]
Much like many other companies these days, National Instruments hires many of our developers straight out of school. Many times when engaging with these new hire developers, I will ask them what kind of security they learned at their university. In almost all cases I’ve found that the answer hasn’t changed since I graduated back […]
I had a meeting yesterday with a vendor who sells a SaaS solution for binary application vulnerability testing. They tell a very interesting story of a world where dynamic testing (“black box”) takes place alongside static testing (“white box”) to give you a full picture of your application security posture. They even combine the results […]
I’ve spent a lot of time over the past few months writing an enterprise application in PHP. Despite what some people may say, I believe that PHP is as secure or insecure as the developer who is writing the code. Anyway, I’m at the point in my development lifecycle where I decided that it was […]
This presentation was by Jason Macy and Mamoon Yunus of Crosscheck Networks – Forum Systems. It wins the award (the one I just made up) for being the most vendor-oriented presentation at the conference. Not that it wasn’t an interesting presentation, but their solution to defend against most of the attacks was “Use an XML […]
This presentation was by Dave WIchers, COO of Aspect Security and an OWASP Board Member. My notes are below: What’s Changed? It’s about Risks, not just vulnerabilities New title is: “The Top 10 Most Critical Web Application Security Risks” OWASP Top 10 Risk Rating Methodology Based on the OWASP Risk Rating Methodology, used to prioritize […]
This presentation was by Rohit Sethi, the Project Leader for the Secure Pattern Analysis Project at OWASP and he works at Security Compass, a security analysis and training company. My notes from the session are below: Before anyone starts building complex systems, they need to design. We create threat models on completed designs. What about […]
This presentation was by John Steven, the NoVA Chapter Lead and Senior Director of Advanced Technology Consulting at Cigital, Inc. He notes that this is not that MS thing, it is not going to help you find XSS, and is not going to help you with Risk Management. My notes are below: Don’t use threat […]
General Goals Going Forward Showcase great OWASP projects Provide the best, freely distributable application security tools/documents Ensure that the tools provided are easy to use as possible Continue to document how to use the tools and how the modules were created Align the tools with the OWASP Testing Guide v3 to provide maximum coverage Awesome […]
