Web Admin Blog

Real Web Admins. Real World Experience.

Entries Tagged ‘Security’

The OWASP Security Spending Benchmarks Project

This presentation was by Boaz Belboard, the Executive Director of Information Security for Wireless Generation and the Project Leader for the OWASP Security Spending Benchmarks Project.  My notes are below: It does cost more to produce a secure product than an insecure product. Most people will still shop somewhere, go to a hospital, or enroll […]

Building an In-House Application Security Assessment Team

This presentation was by Keith Turpin from The Boeing Company.   About three years ago, all of Boeing’s assessments were coming from outsourced service providers.  They realized that they were unable to have control over the people and process and had difficulties integrating the controls into the SDLC and decided to bring these functions in house.  […]

OWASP Top 10 – 2010

This presentation was by Dave WIchers, COO of Aspect Security and an OWASP Board Member.  My notes are below: What’s Changed? It’s about Risks, not just vulnerabilities New title is: “The Top 10 Most Critical Web Application Security Risks” OWASP Top 10 Risk Rating Methodology Based on the OWASP Risk Rating Methodology, used to prioritize […]

Application Security Metrics from the Organization on Down to the Vulnerabilities

This presentation was by Chris Wysopal, the CTO of Veracode.  My notes are below: “To measure is to know.” – James Clerk Maxwell “Measurement motivates.” – John Kenneth Galbraith Metrics do Matter Metrics quantify the otherwise unquantifiable Metrics can show trends and trends matter more than measurements do Metrics can show if we are doing […]

Securing the Core JEE Patterns

This presentation was by Rohit Sethi, the Project Leader for the Secure Pattern Analysis Project at OWASP and he works at Security Compass, a security analysis and training company.  My notes from the session are below: Before anyone starts building complex systems, they need to design. We create threat models on completed designs. What about […]

Development Issues within AJAX Applications: How to Divert Threats

This presentation was by Lars Ewe, CTO of Cenzic on AJAX applications and trying to explore the different implications of running AJAX in your environment.  My notes are below: Agenda What is AJAX? AJAX and Web App Security AJAX and Test Automation Vulnerability Examples: XSS, CSRF, & JavaScript Hijacking AJAX Best Security Practices Demo Q&A […]

Enterprise Application Security – GE’s Approach to Solving Root Cause

The first presentation of the day that I went to  was by GE’s Darren Challey and was about GE’s application security program and how he took a holistic approach to securing the enterprise.  My notes on this presentation are below: Why is AppSec so hard? AppSec changes rapidly (look at difference between 2004, 2007, and […]

Everything You Need To Know About Cloud Security in 30 Minutes or Less

The last presentation of the day was by Rich Mogull on “Everything you need to know about cloud security in 30 minutes or less”.  It all started with all of the presentations and diagrams having pictures of clouds so some guy decides to sell that.  Makes security practitioners sad. Why the cloud is a problem […]

Virtualization Security Best Practices from a Customer’s and Vendor’s Perspective

The next session during the ISSA half-day seminar on Virtualization and Cloud Computing Security was on security best practices from a customer and vendor perspective.  It featured Brian Engle, CIO of Temple Inland, and Rob Randell, CISSP and Senior Security Specialist at VMware, Inc.  My notes from the presentation are below: Temple Inland Implementation – […]

About the Cloud Security Alliance

The next presentation at the ISSA half-day seminar was on the “Cloud Security Alliance” and Security Guidance for Critical Areas of Focus in Cloud Computing by Jeff Reich.  Here are my notes from this presentation: Agenda About the Cloud Security Alliance Getting Involved Guidance 1.0 Call to Action About the Cloud Security Alliance Not-for-profit organization […]