Podcast 12

OWASP Podcast Series #3

OWASP NEWS March 2009 Recorded First Week in March 2009

OWASP AppSec News
Feb 10 - https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/business/1093-BSI.html BSI asks "What measures do vendors use for software assurance?" Feb 11 - http://www.communities.hp.com/securitysoftware/blogs/rafal/archive/2009/02/10/an-unfortunate-case-of-learned-behavior.aspx

Rafal Los of HP talks about tools Feb 13 - http://www.cigital.com/justiceleague/2009/02/13/do-cloud-based-apps-destroy-web-app-security/ Feb 14 - http://wivet.googlecode.com Wivet, a benchmarking project that aims to statistically analyze web link extractors (i.e. gauge the quality of web application security scanners) recently released version 3 and updated their wiki with new information about scanner results and a future look through their wishlist Feb 15 - http://www.dragoslungu.com/2009/02/15/gartner-magic-quadrant-on-static-application-security-testing-feb-2009/

Feb 16 - http://www.owasp.org/index.php/Cincinnati#November_Meeting A local OWASP meeting in Cincinnati has recently posted a presentation given in November 2008 by Jeremiah Blatz on "Web Application Hacking for Developers" Feb 18 - http://www.blackhat.com/html/bh-dc-09/bh-dc-09-archives.html#Smith The powerpoints and whitepapers for BlackHat DC 2009 were made available, including a fabulous presentation from Colin Ames, Delchi, and Val Smith on "Dissecting Web Attacks" Feb 19 - http://nickcoblentz.blogspot.com/2009/02/create-security-strategy-before.html Scott Matsumoto waxes philosophical about the effect of cloud computing on web applications Nick Colbentz discusses plans for web application security integration with cloud computing Feb 20 - http://www.cigital.com/justiceleague/2009/02/19/gartner-and-static-analysis/ Gartner releases a Magic Quadrant on Static Application Security Testing John Steven at Cigital weighs in with his SAST views Feb 20 - http://www.securitycatalyst.com/the-balkanization-of-web-application-security/<br/ > Bill Pennington theorizes, "most people in the web application security space are specialist in one particular area, source code review, black box testing, web application firewalls or developer training. This lack of knowledge of the other solutions generally breeds fear and contempt".<br/ > Feb 22 - http://appsecnotes.blogspot.com/2009/02/dirbuster-shoots-and-scores.html<br/ > Dave Ferguson discusses the OWASP DirBuster tool, developed by James Fisher<br/ > Feb 22 - http://funkatron.com/site/comments/safely-parsing-json-in-javascript/<br/ > A discussion about safely parsing JSON in Javascript, which includes Douglas Crocker's prescriptions<br/ > Feb 24 - http://www.infosecramblings.com/2009/02/24/insecure-magazine-20-is-out/<br/ > Kevin Riggins brings attention to the latest issue of INSECURE magazine, issue 20. The recent magazine includes an article on "Web 2.0 case studies: challenges, approaches and vulnerabilities"<br/ > <br/ > Society of Payment Security Professionals<br/ > https://www.paymentsecuritypros.com/en/articles/search.asp?category=Articles<br/ > https://www.paymentsecuritypros.com/en/users/login.asp?/appsecurityusergroup/index.asp<br/ > SPSP has recently posted information about Education and Training Validity, as well as Certification Validation. Ed Bellis of Orbitz and Trey Ford of WhiteHatSec are heading up the AppSec working group within SPSP, but the information about the group and wiki are currently members only<br/ > <br/ > Safari and GIFAR<br/ > Feb 13 - http://xs-sniper.com/blog/2009/02/13/stealing-more-files-with-safari/

Feb 24 - http://riosec.com/updates-on-gifar-vulnerability<br/ > Feb 25 - http://www.cgisecurity.com/2009/02/apple-goes-public-with-security-in-safari-4.html<br/ > Billy Rios speaks about the recent Safari security bugs and GIFAR. Robert Auger speaks to the recent security improvements upcoming in Safari version 4<br/ > <br/ > OWASP Software Assurance Day 2009 Feb 23 - http://www.owasp.org/index.php/OWASP_Software_Assurance_Day_DC_2009<br/ > OWASP SnowFROC Feb 12 - http://cleartext.wordpress.com/2009/02/12/march-events/<br/ > Two new OWASP events for the month of March!<br/ > <br/ > CanSecWest Vancouver 2009<br/ > http://cansecwest.com/speakers.html<br/ > An updated speakers list shows that Jeff "rfp" Forristal of Zscaler Research will be presenting on "Network design for effective HTTP traffic filtering" and Chris Weber of Casaba Security will present on "Exploiting Unicode-enabled software". Most security analysts expect to see new Safari, Flash, and/or other exploits in the PWN2OWN Contest!<br/ >