This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Podcast 1"
From OWASP
Line 1: | Line 1: | ||
− | + | Recap OWASP EU Summit | |
− | + | - Jeremiah gave up on browser security | |
− | + | - Robert bailed on the summit | |
+ | - Talked with Adobe rep | ||
+ | - Figured out the charter for ISWG | ||
+ | - Press coverage is hilarious | ||
− | + | Builder vs Breaker | |
− | + | - is this a real skill gap? | |
− | + | - easier to build/defend | |
+ | - fixing stuff is boring (kuza55) | ||
− | '' | + | We've reached Application Security Tipping Point |
− | + | - Chris Wysopal (Zero in a bit) | |
− | + | - Attacks are getting simpler (and we're barely fixing old vulns) | |
+ | - Assets are moving more and more to the web | ||
+ | - New technology = make all same mistakes again | ||
+ | - Aspect never wanted to be NGS - but everything is broken | ||
+ | - Just this morning, hilarious SSO product bypass (thats all we'll say, not method/verb tampering) | ||
− | + | Canonicalization is a nightmare | |
− | + | - mod_security turns off Unicode validation by default | |
− | + | - another commercial WAF bypassable by default with invalid UTF-8 | |
− | + | - any byte-based validation is failure on the web (or unmanaged langs) | |
− | + | ||
− | + | Securing WebGoat with mod_security | |
− | + | - Summer of Code project with Stephen Craig Evans | |
− | + | - very interesting Lua scripting capability | |
− | + | - stateful WAFing is possible with Lua | |
− | |||
− | |||
− |
Revision as of 21:00, 21 November 2008
Recap OWASP EU Summit
- Jeremiah gave up on browser security - Robert bailed on the summit - Talked with Adobe rep - Figured out the charter for ISWG - Press coverage is hilarious
Builder vs Breaker
- is this a real skill gap? - easier to build/defend - fixing stuff is boring (kuza55)
We've reached Application Security Tipping Point
- Chris Wysopal (Zero in a bit) - Attacks are getting simpler (and we're barely fixing old vulns) - Assets are moving more and more to the web - New technology = make all same mistakes again - Aspect never wanted to be NGS - but everything is broken - Just this morning, hilarious SSO product bypass (thats all we'll say, not method/verb tampering)
Canonicalization is a nightmare
- mod_security turns off Unicode validation by default - another commercial WAF bypassable by default with invalid UTF-8 - any byte-based validation is failure on the web (or unmanaged langs)
Securing WebGoat with mod_security
- Summer of Code project with Stephen Craig Evans - very interesting Lua scripting capability - stateful WAFing is possible with Lua