Podcast News

OWASP Podcast News

OWASP NEWS April 2009

OWASP AppSec News

4/2 http://www.securitybalance.com/2009/04/mq-one-of-the-blind-spots/
Augusto Paes de Barros from the Security Balance blog posts about message queue security
4/3 http://i8jesus.com/?p=37
Arshan Dabirsiaghi posts on his blog about Browser scheme/slash quirks
4/3 http://www.greebo.net/2009/04/04/owasp-eu-2009-coming-soon/
Andrew van der Stock warns that OWASP EU 2009 is coming soon!
4/7 http://michael-coates.blogspot.com/2009/04/ssl-whos-to-blame.html
Michael Coates talks about SSL and who is to blame: webites, browsers, or users?
4/8 http://blog.portswigger.net/2009/04/using-burp-extender.html
PortSwigger adds some interesting information about using the Burp Extender
4/9 http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html
Michael Coates asks the question, "[which] universities out there are offering classes which address web application security?"
4/9 http://blogs.msdn.com/sdl/archive/2009/04/09/improving-security-with-url-rewriting.aspx
Bryan Sullivan talks about improving web application security with URL Rewriting
4/12 http://aboulton.blogspot.com/2009/04/security-assessing-java-rmi-slides.html
Adam Boulton's OWASP presentation on Security Assessing Java RMI has been made available on his blog
4/12 http://shiflett.org/blog/2009/apr/a-rev-canonical-http-header
Chris Shiflett sugggets #revcanonical HTTP Header
4/16 http://www.informit.com/articles/article.aspx?p=1338343
http://www.cigital.com/justiceleague/2009/04/16/software-security-2008/
Gary McGraw uses statistics to show that Software Security has come of age
4/17 http://research.zscaler.com/2009/04/we-used-to-laugh-at-xss.html
Michael Sutton discusses history of XSS from Defcon 10 (2002) to the present day (Twitter worm)
4/17 http://jeremiahgrossman.blogspot.com/2009/04/software-security-grew-to-nearly-500m.html
Jeremiah uses McDonalds and Mortons as comparatives for black-box vs. white-box security testing
4/17 http://jeremiahgrossman.blogspot.com/2009/04/website-threats-and-their-capabilities.html
OWASP Catalyst announced
4/20 http://paco.to/?p=305
Paco lists 5 reasons for software certifications
4/20 http://www.greensheet.com/newswire.php?newswire_id=11693
Qualys, Inc., the leading provider of on demand IT security risk and compliance management solutions, today announced QualysGuard(R) PCI Connect which is the industry's first Software-as-as-Service (SaaS) ecosystem for PCI compliance connecting merchants to multiple partners and security solutions in order to document and meet all 12 requirements for PCI DSS
4/20 http://labs.securitycompass.com/index.php/2009/04/20/security-analysis-of-core-j2ee-design-patterns/
Rohit Sethi of SecurityCompass posts a blog post on a new Security Compass Labs blog about "Security Analysis of Core Java Enterprise Patterns"
4/21 http://docs.google.com/Doc?id=dd7x5smw_16hdd34ggz
mario heiderich posts some results of browser fuzzing on extraneous characters in tags
4/22 http://plynt.com/blog/2009/04/how-frequently-should-an-appli/
The Plynt blog asks the question, "How frequently shoud Applications be Tested?"
4/24 http://www.owasp.org/index.php/Man_vs._Code
Mike Boberski of the OWASP ASVS Project posts a wiki article about using Notepad++ to syntax highlight PHP code
4/25 http://shreeraj.blogspot.com/2009/04/web2proxy-beta-web-20-application-proxy.html
Shreeraj Shah releases a new tool, Web2Proxy, which is a Web 2.0 Application Proxy, Profiling, and Fuzzing Tool
4/26 http://enablesecurity.com/2009/04/26/the-state-of-web-application-security-and-their-firewalls/
Wendel Guglielmetti Henrique from Trustwave and Sandro Gauchi of EnableSecurity spoke at TROOPERS09 in Munch about "The Truth of Web Application Firewalls: what the vendors do NOT want you to know"
4/27 http://tacticalwebappsec.blogspot.com/2009/04/scanner-and-waf-data-sharing.html
Ryan Barnett gives guidance on how best to make VA+WAF work together