Difference between revisions of "Podcast 1"
From OWASP
Changes at line 8 (minor edit; old revision on the left, new on the right, flattened here into one column):
  Recap OWASP EU Summit
−
−
  - Talked with Adobe rep
  - Figured out the charter for ISWG
+ - OWASP Live CD http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
  - Press coverage is hilarious
+
  Builder vs Breaker
Revision as of 01:17, 26 November 2008
Recorded November 21, 2008
Participants
- Arshan Dabirsiaghi is the Director of Research for Aspect Security.
- Jeremiah Grossman is the CTO of WhiteHat.
- Jim Manico is a Web Application Architect and Security Instructor for Aspect Security.
- Jeff Williams is the CEO of Aspect Security and also volunteers as one of the chairs of the OWASP Foundation.
Recap OWASP EU Summit
- Talked with Adobe rep
- Figured out the charter for ISWG
- OWASP Live CD http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
- Press coverage is hilarious
Builder vs Breaker
- Is this a real skill gap?
- Easier to build/defend
- Fixing stuff is boring (kuza55)
We've reached Application Security Tipping Point
- Chris Wysopal (Zero in a bit)
- Attacks are getting simpler (and we're barely fixing old vulns)
- Assets are moving more and more to the web
- New technology = make all the same mistakes again
- Aspect never wanted to be NGS, but everything is broken
- Just this morning, a hilarious SSO product bypass (that's all we'll say; not method/verb tampering)
Canonicalization is a nightmare
- mod_security turns off Unicode validation by default
- Another commercial WAF is bypassable by default with invalid UTF-8
- Any byte-based validation is a failure on the web (or in unmanaged languages): the check has to run on strictly decoded, canonicalized characters, not on raw bytes
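The point about byte-based validation, as an added example that is not from the podcast, ModSecurity or any of the products mentioned: a filter that scans raw bytes never notices whether the bytes are even valid UTF-8, whereas a check that first decodes strictly and normalizes (NFC here) rejects malformed sequences outright. The sample inputs, the blocked-character set and both function names are constructed for this illustration.

```python
import unicodedata

# Constructed sample inputs (not from the podcast): bytes as a request
# parameter might arrive, before any decoding.
SAMPLES = {
    "plain": b"hello world",
    "valid_utf8": "caf\u00e9".encode("utf-8"),
    "overlong": b"\xc0\xbc",          # overlong 2-byte form; invalid per RFC 3629
    "lone_continuation": b"abc\x80",  # continuation byte with no lead byte
    "truncated": b"\xe2\x82",         # 3-byte sequence cut short
}

# Characters this hypothetical filter refuses.
BLOCKED = frozenset("<>\"'")


def naive_byte_check(raw: bytes) -> bool:
    """Weak form: scans raw bytes for the ASCII code points of the blocked
    characters. It never asks whether the bytes are valid UTF-8, so any
    malformed or non-canonical encoding is simply not seen."""
    return not any(chr(b) in BLOCKED for b in raw)


def canonical_check(raw: bytes) -> tuple[bool, str]:
    """Hardened form: decode strictly (invalid and overlong sequences raise),
    normalize to NFC so each character has one representation, then apply
    the same character-level rule. Returns (accepted, reason)."""
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        return False, f"invalid UTF-8: {exc.reason}"
    text = unicodedata.normalize("NFC", text)
    if any(ch in BLOCKED for ch in text):
        return False, "blocked character after canonicalization"
    return True, "ok"


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} byte-check={naive_byte_check(raw)!s:5} "
              f"canonical={canonical_check(raw)}")
```

Every malformed sample passes the byte scan and is refused by the strict decoder; only the two well-formed inputs reach the character rule.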
Securing WebGoat with mod_security
- Summer of Code project with Stephen Craig Evans
- Very interesting Lua scripting capability
- Stateful WAFing is possible with Lua