Kansas City December 2006 Meeting

The OWASP Kansas City chapter meeting in December 2006 was held from 6:30 to 8:30 pm on 12/6/2006. The location of the meeting was:

American Century Investments 4520 Main Street, Tower II (South Tower), Room 2A

Meeting Summary

After welcome and introductions, Dave Ferguson from FishNet Security presented a variety of ways that attackers can subvert web applications. These were real-life examples he has encountered in his consulting work. Vulnerabilities discussed were cross-site scripting, cross-site request forgery, and parameter tampering.

Following a break, Rohini Sulatycki from VML discussed her experience with AJAX and explained that the technology is not inherently secure or insecure, but is simply one approach that can be taken when developing a web application. The specific implementation of the approach is what determines the level of security of the application.

Finally, Barry Archer from American Century Investments led a discussion about web application firewalls (WAF's). Barry covered deployment architecture, protocol support, detection/protection techniques, performance, and evaluation criteria.

Documents

Attacking the Application (pdf)
AJAX Security Concerns (pdf)
Introduction to Web Application Firewalls (doc)