Web Admin Blog

Real Web Admins. Real World Experience.

Entries Tagged ‘owasp’

Completing the LASCON 2017 Badge Game

For those who don’t know, every year I put together a game that starts on the back of the LASCON badge.  It’s typically some combination of crypto challenges alongside application security vulnerabilities with the goal of having it take somewhere around 1-3 hours, depending on experience, to complete.  Those who complete the game are rewarded […]

The OWASP Board “Ivory Tower” Dilemma

I have been an active member of the OWASP community in some form since 2007.  I’ve been the OWASP Austin Chapter Leader, served as the Chair of the Global Chapters Committee, and, most recently, was elected (and re-elected) to the OWASP Board of Directors.  In the past, I have heard a number of people in […]

My First Six Months as an OWASP Board Member

When I first put my name in the hat for the OWASP elections in the fall of 2013, I thought I knew what I was signing up for.  I thought that my seven year history with the organization in a number of different roles (Chapter Leader, Chapter Committee Chair, AppSecUSA Chair) had me well prepared […]

The OWASP Security Spending Benchmarks Project

This presentation was by Boaz Belboard, the Executive Director of Information Security for Wireless Generation and the Project Leader for the OWASP Security Spending Benchmarks Project.  My notes are below: It does cost more to produce a secure product than an insecure product. Most people will still shop somewhere, go to a hospital, or enroll […]

OWASP Top 10 – 2010

This presentation was by Dave WIchers, COO of Aspect Security and an OWASP Board Member.  My notes are below: What’s Changed? It’s about Risks, not just vulnerabilities New title is: “The Top 10 Most Critical Web Application Security Risks” OWASP Top 10 Risk Rating Methodology Based on the OWASP Risk Rating Methodology, used to prioritize […]

OWASP Live CD: An open environment for Web Application Security

General Goals Going Forward Showcase great OWASP projects Provide the best, freely distributable application security tools/documents Ensure that the tools provided are easy to use as possible Continue to document how to use the tools and how the modules were created Align the tools with the OWASP Testing Guide v3 to provide maximum coverage Awesome […]

The ESAPI Web Application Firewall

This presentation was by Arshan Dabirsiaghi and was about the OWASP ESAPI Web Application Firewall (WAF) project.  My notes are below: WAF Fallacies (at least in regards to OWASP ESAPI WAF) WAFs add attack surface WAFs can create culture problems WAFs can’t fix business logic vulnerabilities WAFs are way too expensive WAFs complicate networks Why […]

Software Assurance Maturity Model (SAMM)

This presentation on the OWASP Software Assurance Maturity Model (SAMM) was by Pravir Chandra, the project lead.  I was actually really excited in seeing this topic on the schedule as SAMM is something that I’ve been toying with for my organization for a while.  It’s actually a very simple and intuitive approach to how to […]

All About OWASP

The second presentation of the morning was various members of the OWASP board speaking about the goals of OWASP for the upcoming year.  My summary is below. Jeff Williams Cross Site Scripting is an epidemic We need to view insecure software as a disgrace Everything OWASP is free and void of commercialism “When information comes […]

Using Proxies to Secure Applications and More

I’ve been really surprised that for as long as I’ve been active with OWASP, I’ve never seen a proxy presentation.  After all, they are hugely beneficial in doing web application penetration testing and they’re really not that difficult to use.  Take TamperData for example.  It’s just a firefox plugin, but it does header, cookie, get, […]