Difference between revisions of "Podcast 1"
(minor edit; 19 intermediate revisions by the same user not shown)

Line 1 (old revision) / Line 1 (new revision):
− Recorded November 21, 2008 - [[
+ '''[[OWASP_Podcast | OWASP Podcast Series]] #1'''
− Participants
+ 
+ <b>Recorded November 21, 2008</b><br/>
+ [http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012 http://images.apple.com/itunes/overview/images/overview-icon-itunes20081106.jpg] [http://www.owasp.org/download/jmanico/podcast.xml https://www.owasp.org/images/d/d3/Feed-icon-32x32.png] [http://www.owasp.org/download/jmanico/owasp_podcast_1.mp3 direct download]
+ 
+ == Participants ==
  - Arshan Dabirsiaghi is the the Director of Research for Aspect Security.
  - Jeremiah Grossman is the CTO of Whitehat.
− - Jim Manico is a Web Application Architect and Security
+ - Jim Manico is a Web Application Architect and Security Engineer for Aspect Security.
  - Jeff Williams is the CEO of Aspect Security and also volunteers as one of the chairs of the OWASP Foundation.
− Recap OWASP EU Summit
+ == Recap OWASP EU Summit ==
  - Talked with Adobe rep
  - Figured out the charter for ISWG

Line 12 (old revision) / Line 16 (new revision):
  - Press coverage is hilarious
  - OWASP Education Project http://www.owasp.org/index.php/Category:OWASP_Education_Project
+ - [http://www.google.com/trends?q=xss%2C+clickjacking Clickjacking trends]
− Builder vs Breaker
+ == Builder vs Breaker ==
  - is this a real skill gap?
  - easier to build/defend
  - fixing stuff is boring (kuza55)
− We've reached Application Security Tipping Point
+ == We've reached Application Security Tipping Point ==
  - Chris Wysopal (Zero in a bit)
  - Attacks are getting simpler (and we're barely fixing old vulns)

Line 26 (old revision) / Line 31 (new revision):
  - Just this morning, hilarious SSO product bypass (thats all we'll say, not method/verb tampering)
− Canonicalization is a nightmare
+ == Canonicalization is a nightmare ==
  - mod_security turns off Unicode validation by default
  - another commercial WAF bypassable by default with invalid UTF-8
  - any byte-based validation is failure on the web (or unmanaged langs)
− Securing WebGoat with mod_security
+ == Securing WebGoat with mod_security ==
  - Summer of Code project with Stephen Craig Evans
  - very interesting Lua scripting capability
  - stateful WAFing is possible with Lua
+ - [http://blog.modsecurity.org/2008/12/helping-protect-cookies-with-httponly-flag.html Modsecurity and HTTPOnly]
Latest revision as of 02:34, 31 January 2009

Recorded November 21, 2008
Direct download: http://www.owasp.org/download/jmanico/owasp_podcast_1.mp3

Participants
- Arshan Dabirsiaghi is the Director of Research for Aspect Security.
- Jeremiah Grossman is the CTO of Whitehat.
- Jim Manico is a Web Application Architect and Security Engineer for Aspect Security.
- Jeff Williams is the CEO of Aspect Security and also volunteers as one of the chairs of the OWASP Foundation.

Recap OWASP EU Summit
- Talked with Adobe rep
- Figured out the charter for ISWG
- OWASP Live CD http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
- Press coverage is hilarious
- OWASP Education Project http://www.owasp.org/index.php/Category:OWASP_Education_Project
- Clickjacking trends http://www.google.com/trends?q=xss%2C+clickjacking

Builder vs Breaker
- Is this a real skill gap?
- It is easier to build/defend
- Fixing stuff is boring (kuza55)

We've reached Application Security Tipping Point
- Chris Wysopal (Zero in a bit)
- Attacks are getting simpler (and we're barely fixing old vulns)
- Assets are moving more and more to the web
- New technology = make all the same mistakes again
- Aspect never wanted to be NGS, but everything is broken
- Just this morning, hilarious SSO product bypass (that's all we'll say; not method/verb tampering)

Canonicalization is a nightmare
- mod_security turns off Unicode validation by default
- Another commercial WAF is bypassable by default with invalid UTF-8
- Any byte-based validation is a failure on the web (or in unmanaged languages): the bytes a filter inspects are not the characters the application ends up processing
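The last bullet is the point of the whole section: a filter that inspects raw bytes makes its decision before anyone knows which characters the application will actually see after decoding. The Python below is an added example written for this page; it is not code from the podcast, the OWASP wiki, or mod_security. It uses constructed sample inputs (labelled in the comments) to contrast a byte-level check with a canonicalize-then-validate check, and it goes slightly beyond the page's invalid-UTF-8 case by also covering Unicode compatibility characters that normalization folds to ASCII. The function names and the `FORBIDDEN` set are the example's own choices.

```python
import unicodedata

# Constructed sample inputs (not taken from the podcast): each is the raw
# byte string a web application might receive in a request parameter.
#   plain     - harmless ASCII
#   angle     - ordinary UTF-8 containing the characters we want to reject
#   overlong  - the same markup, but "<" and ">" written as the *invalid*
#               overlong two-byte sequences C0 BC / C0 BE; a strict UTF-8
#               decoder rejects them, a lenient one maps them back to < >
#   fullwidth - "<" and ">" written as U+FF1C / U+FF1E, which NFKC
#               normalization folds to plain ASCII < >
SAMPLES = {
    "plain": b"alert(1)",
    "angle": b"<b>hi</b>",
    "overlong": b"\xc0\xbcb\xc0\xbehi\xc0\xbc/b\xc0\xbe",
    "fullwidth": "\uff1cb\uff1ehi\uff1c/b\uff1e".encode("utf-8"),
}

# Characters the (hypothetical) application refuses in this parameter.
FORBIDDEN = ("<", ">")


def byte_level_check(raw: bytes) -> bool:
    """The failing pattern: scan the raw bytes for 0x3C / 0x3E before any
    decoding has happened. Returns True when the input is accepted."""
    return not any(ch.encode("ascii") in raw for ch in FORBIDDEN)


def canonical_check(raw: bytes) -> bool:
    """Decode strictly, normalize to one canonical form, then validate the
    characters the application will actually process. Invalid UTF-8 is
    rejected outright instead of being guessed at. Returns True when
    the input is accepted."""
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False
    text = unicodedata.normalize("NFKC", text)
    return not any(ch in text for ch in FORBIDDEN)


def compare(samples=SAMPLES):
    """Run both checks over every sample: name -> (byte_level, canonical)."""
    return {name: (byte_level_check(raw), canonical_check(raw))
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (byte_ok, canon_ok) in compare().items():
        print(f"{name:10s} byte-level accepts: {byte_ok!s:5s} "
              f"canonical accepts: {canon_ok}")
```

Running it shows the two checks agreeing only on the trivial inputs: the byte-level filter accepts both the overlong and the fullwidth samples because neither contains the bytes 0x3C or 0x3E, while the canonical check rejects the first as malformed UTF-8 and the second because normalization reveals the same `<`/`>` the filter was meant to catch. The order of operations is the lesson, not the specific characters: decode strictly, normalize once, and only then validate, in the same representation the application uses downstream.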
Securing WebGoat with mod_security
- Summer of Code project with Stephen Craig Evans
- Very interesting Lua scripting capability
- Stateful WAFing is possible with Lua
- Modsecurity and HTTPOnly http://blog.modsecurity.org/2008/12/helping-protect-cookies-with-httponly-flag.html