Difference between revisions of "Podcast News"

Revision as of 21:16, 20 January 2010

OWASP Podcast News

OWASP NEWS October 2010

OWASP Podcast Roundtable

Next Recording : January 21, 2010

ack! gee, thanks a lot for that disturbing image... *shudder* and you thought sleep deprivation had done weird things to you! :)

article ideas for discussion:

1) [Full-disclosure] Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html

--> holey OS code, Batman! how do you even start to get a handle on this bugger? this isn't web app specific, but it squarely hits secure coding between the eyes. how does a bug like this survive for 17 years?

2) Top Ten Web Hacking Techniques of 2009 (Official) http://jeremiahgrossman.blogspot.com/2010/01/top-ten-web-hacking-techniques-of-2009.html

--> do you agree? anything jump out? any good back-stories?

3) Google: A new approach to China http://googleblog.blogspot.com/2010/01/new-approach-to-china.html

--> is this important news? how does this affect the development community, particularly by extension? has anything really changed?

4) Google, China, "Aurora", and Advanced Persistent Threat (this makes me want to start chanting "lions and tigers and bears - OH MY!":)

Operation “Aurora” Hit Google, Others http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/

Hack of Google, Adobe Conducted Through Zero-Day IE Flaw http://www.wired.com/threatlevel/2010/01/hack-of-adob/

Microsoft Security Advisory (979352) Vulnerability in Internet Explorer Could Allow Remote Code Execution http://www.microsoft.com/technet/security/advisory/979352.mspx

Google v China http://taosecurity.blogspot.com/2010/01/google-v-china.html

Web-based systems vs. Advanced Persistent Threat http://jeremiahgrossman.blogspot.com/2010/01/web-based-systems-vs-advanced.html

--> A new IE 0-day brings mega-tech-corps to their knees. France and Germany respond by recommending against the use of IE altogether. Is this news? with so many IE6 apps still in use today, does it even matter?

--> this is also the source of a couple potential buzzword winners for 2010... "Operation Aurora" and "advanced persistent threat"...

5) Microsoft Advances Search Privacy with Bing http://microsoftontheissues.com/cs/blogs/mscorp/archive/2010/01/18/microsoft-advances-search-privacy-with-bing.aspx

--> is this really that big a deal? do they really need the IP address at all? is this doing enough, or does it fall far short?

6) Microsoft Seeks New Legal Framework For Cloud http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleID=222301657&cid=IWK_Government-Twitter

--> what sort of legislation/regulation do we need? what would be useful? we all know, I think, that's it going to happen one way or another. the question is what is and isn't useful.

Difference between revisions of "Podcast News"

Revision as of 21:16, 20 January 2010

OWASP Podcast Roundtable

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools

@@ Line 1: / Line 1: @@
 '''[[Podcast_News|OWASP Podcast News]]'''
-OWASP NEWS October 2009<br/>
+OWASP NEWS October 2010<br/>
 ==OWASP Podcast Roundtable ==
-'''Next Recording : October 22, 2009'''
+'''Next Recording : January 21, 2010'''
-The entire October 22 roundtable will focus on "Overcoming Objections to an Application Security Program"
+ack! gee, thanks a lot for that disturbing image... *shudder* and you
-<br/>
+thought sleep deprivation had done weird things to you! :)
-http://jeremiahgrossman.blogspot.com/2009/08/overcoming-objections-to-application.html
-<ul>
+article ideas for discussion:
-<li>"There have been no security problems in the past, nor is there any evidence we’ll be attacked in the future."</li>
-<li>"Security is an IT problem. They have firewalls, patch & configuration management systems, and SSL currently in place protecting us."</li>
+) [Full-disclosure] Microsoft Windows NT #GP Trap Handler Allows Users
-<li>"We need new features first and there is no discretionary budget left to allocate towards security."</li>
+to Switch Kernel Stack
-<li>"Hackers can't break in because our Web application can't be accessed externally."</li>
+http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
-<li>"We outsource our software development and the vendor is responsible for making sure the code is secure."</li>
-<li>"We use penetration-testing services. We fix or accept the risk of any issues found, which keeps us safe."</li>
+--> holey OS code, Batman! how do you even start to get a handle on this
-<li>"We passed our most recent compliance audit and not required to do anything more."</li>
+bugger? this isn't web app specific, but it squarely hits secure coding
-<li>"We trust our developers and they already know how to develop secure code after completing the training course."</li>
+between the eyes. how does a bug like this survive for 17 years?
-<li>"We already have scanning tools. Doing more will slow down the development process, inhibit innovation, and add large unnecessary costs."</li>
-</ul>
+) Top Ten Web Hacking Techniques of 2009 (Official)
+http://jeremiahgrossman.blogspot.com/2010/01/top-ten-web-hacking-techniques-of-2009.html
+--> do you agree? anything jump out? any good back-stories?
+) Google: A new approach to China
+http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
+--> is this important news? how does this affect the development
+community, particularly by extension? has anything really changed?
+) Google, China, "Aurora", and Advanced Persistent Threat
+(this makes me want to start chanting "lions and tigers and bears - OH
+MY!":)
+Operation “Aurora” Hit Google, Others
+http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/
+Hack of Google, Adobe Conducted Through Zero-Day IE Flaw
+http://www.wired.com/threatlevel/2010/01/hack-of-adob/
+Microsoft Security Advisory (979352)
+Vulnerability in Internet Explorer Could Allow Remote Code Execution
+http://www.microsoft.com/technet/security/advisory/979352.mspx
+Google v China
+http://taosecurity.blogspot.com/2010/01/google-v-china.html
+Web-based systems vs. Advanced Persistent Threat
+http://jeremiahgrossman.blogspot.com/2010/01/web-based-systems-vs-advanced.html
+--> A new IE 0-day brings mega-tech-corps to their knees. France and
+Germany respond by recommending against the use of IE altogether. Is
+this news? with so many IE6 apps still in use today, does it even matter?
+--> this is also the source of a couple potential buzzword winners for
+... "Operation Aurora" and "advanced persistent threat"...
+) Microsoft Advances Search Privacy with Bing
+http://microsoftontheissues.com/cs/blogs/mscorp/archive/2010/01/18/microsoft-advances-search-privacy-with-bing.aspx
+--> is this really that big a deal? do they really need the IP address
+at all? is this doing enough, or does it fall far short?
+) Microsoft Seeks New Legal Framework For Cloud
+http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleID=222301657&cid=IWK_Government-Twitter
+--> what sort of legislation/regulation do we need? what would be
+useful? we all know, I think, that's it going to happen one way or
+another. the question is what is and isn't useful.