|
|
| (70 intermediate revisions by 7 users not shown) |
| Line 1: |
Line 1: |
| − | '''[[Podcast_News|OWASP Podcast News]]''' | + | '''[[Podcast_News|OWASP Podcast News]]''' |
| | | | |
| − | OWASP NEWS April 2009<br/> | + | OWASP NEWS 2010<br> |
| | | | |
| − | ==OWASP AppSec News== | + | == OWASP Podcast Roundtable == |
| − | 3/18 http://www.gdssecurity.com/l/b/2009/03/17/source-boston-iis7-slides-posted/<br />
| + | |
| − | Brian Holyfield of Gotham Digital Science posted his slides from SOURCE Boston on IIS7 Security<br />
| + | '''Next Recording : Week of August 30, 2010. Day and Time TBD''' |
| − | 3/19 http://blogs.msdn.com/sdl/archive/2009/03/19/why-the-new-sdl-threat-modeling-approach-works.aspx<br />
| + | |
| − | http://blogs.msdn.com/sdl/archive/2009/03/30/speaker-to-suits.aspx<br />
| + | Suggested Topics: |
| − | Adam Shostack of the Microsoft SDL Blog posts about Threat-modeling and what he refers to as "boundary objects"<br />
| + | |
| − | 3/22 http://securityninja.co.uk/blog/?p=244<br />
| + | # Is application security "a science" or a "hobby"? |
| − | The Security Ninja posts some information on the recent release of the OWASP Security Spending Benchmarks Project<br />
| + | # Do script kiddies, Ninjas, 3l1t3z, etc make a mockery of a serious business? |
| − | 3/23 http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2009/03/20/exposing-flash-application-vulnerabilities-with-swfscan.aspx<br />
| + | # Is AppSec becoming a commodity service, what disciplines require skill and experience? |
| − | The HP Application Security Center releases SWFScan, a free, new Windows-based tool to help developers find and fix security vulnerabilities in applications developed with the Adobe Flash Platform<br />
| + | # ? |
| − | 3/23 http://voices.washingtonpost.com/securityfix/2009/03/web_fraud_20_data_search_tools.html<br />
| + | # ? |
| − | Brian Krebs from the Washington Post demonstrates some very scary Web 2.0 websites where thieves can purchase personal data such as social security numbers, mother's maiden names, and other info for rock-bottom prices<br />
| + | # ? |
| − | 3/24 http://www.theregister.co.uk/2009/03/24/hackersblog_quits/<br />
| |
| − | John Leyden of The Register reports that the HackersBlog Romanian group responsible for the high-profile SQL injection attacks has disbanded<br />
| |
| − | 3/24 http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351731,00.html<br />
| |
| − | SearchSecurity Editor, Robert Westervelt, points to a survey that show that more companies seek third-party web app code review<br />
| |
| − | 3/25 http://www.thespanner.co.uk/2009/03/25/xss-rays/<br />
| |
| − | Gareth Heyes releases a new tool, XSS Rays, that he built for Microsoft.<br />
| |
| − | 3/27 http://1raindrop.typepad.com/1_raindrop/2009/03/the-he-got-game-rule.html<br />
| |
| − | Gunnar Peterson posts on his blog about a book that he feels should influence the security community beyond application developers and application security professionals<br />
| |
| − | 3/30 http://www.cigital.com/justiceleague/2009/03/30/maturity-models-vs-top-10-lists/<br />
| |
| − | John Steven argues that Top N lists and Maturity Models are good for tracking industry success, but maybe not organizational success<br />
| |
| − | 3/31 http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html<br />
| |
| − | The Google Online Security Blog announces a templating system that can reduce XSS by way of Auto Context-Aware Escaping<br />
| |
| − | 4/1 http://www.suspekt.org/2009/04/01/the-month-of-java-bugs/<br />
| |
| − | Look for the Month of Java Bugs for May 2009!<br />
| |
| − | 4/2 http://www.securitybalance.com/2009/04/mq-one-of-the-blind-spots/<br />
| |
| − | Augusto Paes de Barros from the Security Balance blog posts about message queue security<br />
| |
| − | 4/3 http://i8jesus.com/?p=37<br />
| |
| − | Arshan Dabirsiaghi posts on his blog about Browser scheme/slash quirks<br />
| |
| − | 4/3 http://www.greebo.net/2009/04/04/owasp-eu-2009-coming-soon/<br />
| |
| − | Andrew van der Stock warns that OWASP EU 2009 is coming soon!<br />
| |
| − | 4/7 http://michael-coates.blogspot.com/2009/04/ssl-whos-to-blame.html<br />
| |
| − | Michael Coates talks about SSL and who is to blame: webites, browsers, or users?<br />
| |
| − | 4/8 http://blog.portswigger.net/2009/04/using-burp-extender.html<br />
| |
| − | PortSwigger adds some interesting information about using the Burp Extender<br />
| |
| − | 4/9 http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html<br />
| |
| − | Michael Coates asks the question, "[which] universities out there are offering classes which address web application security?"<br />
| |
| − | 4/9 http://blogs.msdn.com/sdl/archive/2009/04/09/improving-security-with-url-rewriting.aspx<br />
| |
| − | Bryan Sullivan talks about improving web application security with URL Rewriting<br />
| |
| − | 4/12 http://aboulton.blogspot.com/2009/04/security-assessing-java-rmi-slides.html<br />
| |
| − | Adam Boulton's OWASP presentation on Security Assessing Java RMI has been made available on his blog<br />
| |
| − | 4/12 http://shiflett.org/blog/2009/apr/a-rev-canonical-http-header<br />
| |
| − | Chris Shiflett sugggets #revcanonical HTTP Header<br />
| |
| − | 4/16 http://www.informit.com/articles/article.aspx?p=1338343<br />
| |
| − | http://www.cigital.com/justiceleague/2009/04/16/software-security-2008/<br />
| |
| − | Gary McGraw uses statistics to show that Software Security has come of age<br />
| |
| − | 4/17 http://research.zscaler.com/2009/04/we-used-to-laugh-at-xss.html<br />
| |
| − | Michael Sutton discusses history of XSS from Defcon 10 (2002) to the present day (Twitter worm)<br />
| |
| − | 4/17 http://jeremiahgrossman.blogspot.com/2009/04/software-security-grew-to-nearly-500m.html<br />
| |
| − | Jeremiah uses McDonalds and Mortons as comparatives for black-box vs. white-box security testing<br />
| |
| − | 4/17 http://jeremiahgrossman.blogspot.com/2009/04/website-threats-and-their-capabilities.html<br />
| |
| − | OWASP Catalyst announced<br />
| |
| − | 4/20 http://paco.to/?p=305<br />
| |
| − | Paco lists 5 reasons for software certifications<br />
| |
| − | 4/20 http://www.greensheet.com/newswire.php?newswire_id=11693<br />
| |
| − | Qualys, Inc., the leading provider of on demand IT security risk and compliance management solutions, today announced QualysGuard(R) PCI Connect which is the industry's first Software-as-as-Service (SaaS) ecosystem for PCI compliance connecting merchants to multiple partners and security solutions in order to document and meet all 12 requirements for PCI DSS<br />
| |
| − | 4/20 http://labs.securitycompass.com/index.php/2009/04/20/security-analysis-of-core-j2ee-design-patterns/<br />
| |
| − | Rohit Sethi of SecurityCompass posts a blog post on a new Security Compass Labs blog about "Security Analysis of Core Java Enterprise Patterns"<br />
| |
| − | 4/22 http://plynt.com/blog/2009/04/how-frequently-should-an-appli/<br />
| |
| − | The Plynt blog asks the question, "How frequently shoud Applications be Tested?"<br />
| |
| − | 4/24 http://www.owasp.org/index.php/Man_vs._Code<br />
| |
| − | Mike Boberski of the OWASP ASVS Project posts a wiki article about using Notepad++ to syntax highlight PHP code<br />
| |
| − | 4/25 http://shreeraj.blogspot.com/2009/04/web2proxy-beta-web-20-application-proxy.html<br />
| |
| − | Shreeraj Shah releases a new tool, Web2Proxy, which is a Web 2.0 Application Proxy, Profiling, and Fuzzing Tool<br />
| |
| − | 4/26 http://enablesecurity.com/2009/04/26/the-state-of-web-application-security-and-their-firewalls/<br />
| |
| − | Wendel Guglielmetti Henrique from Trustwave and Sandro Gauchi of EnableSecurity spoke at TROOPERS09 in Munch about "The Truth of Web Application Firewalls: what the vendors do NOT want you to know"<br />
| |
| − | 4/27 http://tacticalwebappsec.blogspot.com/2009/04/scanner-and-waf-data-sharing.html<br />
| |
| − | Ryan Barnett gives guidance on how best to make VA+WAF work together<br />
| |
