This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Podcast 1"

From OWASP
Jump to: navigation, search
m
m
Line 8: Line 8:
 
  - Arshan Dabirsiaghi is the the Director of Research for Aspect Security.
 
  - Arshan Dabirsiaghi is the the Director of Research for Aspect Security.
 
  - Jeremiah Grossman is the CTO of Whitehat.
 
  - Jeremiah Grossman is the CTO of Whitehat.
  - Jim Manico is a Web Application Architect and Security Instructor for Aspect Security.  
+
  - Jim Manico is a Web Application Architect and Security Engineer for Aspect Security.  
 
  - Jeff Williams is the CEO of Aspect Security and also volunteers as one of the chairs of the OWASP Foundation.
 
  - Jeff Williams is the CEO of Aspect Security and also volunteers as one of the chairs of the OWASP Foundation.
  

Revision as of 07:11, 18 December 2008

OWASP Podcast Series #1

Recorded November 21, 2008

- direct download: owasp_podcast_1.mp3
- subscribe to OWASP Podcast Series RSS/iTunes feed

Participants

- Arshan Dabirsiaghi is the the Director of Research for Aspect Security.
- Jeremiah Grossman is the CTO of Whitehat.
- Jim Manico is a Web Application Architect and Security Engineer for Aspect Security. 
- Jeff Williams is the CEO of Aspect Security and also volunteers as one of the chairs of the OWASP Foundation.

Recap OWASP EU Summit

- Talked with Adobe rep
- Figured out the charter for ISWG
- OWASP Live CD http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
- Press coverage is hilarious
- OWASP Education Project http://www.owasp.org/index.php/Category:OWASP_Education_Project

Builder vs Breaker

- is this a real skill gap?
- easier to build/defend
- fixing stuff is boring (kuza55)

We've reached Application Security Tipping Point

- Chris Wysopal (Zero in a bit)
- Attacks are getting simpler (and we're barely fixing old vulns)
- Assets are moving more and more to the web
- New technology  =  make all same mistakes again
- Aspect never wanted to be NGS - but everything is broken
- Just this morning, hilarious SSO product bypass (thats all we'll say, not method/verb tampering)

Canonicalization is a nightmare

- mod_security turns off Unicode validation by default
- another commercial WAF bypassable by default with invalid UTF-8
- any byte-based validation is failure on the web (or unmanaged langs)

Securing WebGoat with mod_security

- Summer of Code project with Stephen Craig Evans
- very interesting Lua scripting capability
- stateful WAFing is possible with Lua