Web Admin Blog

Real Web Admins. Real World Experience.

Entries for the ‘Web Application Security’ Category

Completing the LASCON 2017 Badge Game

For those who don’t know, every year I put together a game that starts on the back of the LASCON badge.  It’s typically some combination of crypto challenges alongside application security vulnerabilities with the goal of having it take somewhere around 1-3 hours, depending on experience, to complete.  Those who complete the game are rewarded […]

Demanding Secure Developers

Much like many other companies these days, National Instruments hires many of our developers straight out of school. Many times when engaging with these new hire developers, I will ask them what kind of security they learned at their university. In almost all cases I’ve found that the answer hasn’t changed since I graduated back […]

Static Application Vulnerability Testing: Binary Scanning vs Source Code Scanning

I had a meeting yesterday with a vendor who sells a SaaS solution for binary application vulnerability testing. They tell a very interesting story of a world where dynamic testing (“black box”) takes place alongside static testing (“white box”) to give you a full picture of your application security posture. They even combine the results […]

A XSS Vulnerability in Almost Every PHP Form I’ve Ever Written

I’ve spent a lot of time over the past few months writing an enterprise application in PHP.  Despite what some people may say, I believe that PHP is as secure or insecure as the developer who is writing the code.  Anyway, I’m at the point in my development lifecycle where I decided that it was […]

Techniques in Attacking and Defending XML/Web Services

This presentation was by Jason Macy and Mamoon Yunus of Crosscheck Networks – Forum Systems.  It wins the award (the one I just made up) for being the most vendor-oriented presentation at the conference.  Not that it wasn’t an interesting presentation, but their solution to defend against most of the attacks was “Use an XML […]

OWASP Top 10 – 2010

This presentation was by Dave WIchers, COO of Aspect Security and an OWASP Board Member.  My notes are below: What’s Changed? It’s about Risks, not just vulnerabilities New title is: “The Top 10 Most Critical Web Application Security Risks” OWASP Top 10 Risk Rating Methodology Based on the OWASP Risk Rating Methodology, used to prioritize […]

Securing the Core JEE Patterns

This presentation was by Rohit Sethi, the Project Leader for the Secure Pattern Analysis Project at OWASP and he works at Security Compass, a security analysis and training company.  My notes from the session are below: Before anyone starts building complex systems, they need to design. We create threat models on completed designs. What about […]

Threat Modeling

This presentation was by John Steven, the NoVA Chapter Lead and Senior Director of Advanced Technology Consulting at Cigital, Inc.   He notes that this is not that MS thing, it is not going to help you find XSS, and is not going to help you with Risk Management.  My notes are below: Don’t use threat […]

OWASP Live CD: An open environment for Web Application Security

General Goals Going Forward Showcase great OWASP projects Provide the best, freely distributable application security tools/documents Ensure that the tools provided are easy to use as possible Continue to document how to use the tools and how the modules were created Align the tools with the OWASP Testing Guide v3 to provide maximum coverage Awesome […]

The ESAPI Web Application Firewall

This presentation was by Arshan Dabirsiaghi and was about the OWASP ESAPI Web Application Firewall (WAF) project.  My notes are below: WAF Fallacies (at least in regards to OWASP ESAPI WAF) WAFs add attack surface WAFs can create culture problems WAFs can’t fix business logic vulnerabilities WAFs are way too expensive WAFs complicate networks Why […]