Podcast 1

Recap OWASP EU Summit - Jeremiah gave up on browser security - Robert bailed on the summit - Talked with Adobe rep - Figured out the charter for ISWG - Press coverage is hilarious

Builder vs Breaker - is this a real skill gap? - easier to build/defend - fixing stuff is boring (kuza55)

We've reached Application Security Tipping Point - Chris Wysopal (Zero in a bit) - Attacks are getting simpler (and we're barely fixing old vulns) - Assets are moving more and more to the web - New technology =  make all same mistakes again - Aspect never wanted to be NGS - but everything is broken - Just this morning, hilarious SSO product bypass (thats all we'll say, not method/verb tampering)

Canonicalization is a nightmare - mod_security turns off Unicode validation by default - another commercial WAF bypassable by default with invalid UTF-8 - any byte-based validation is failure on the web (or unmanaged langs)

Securing WebGoat with mod_security - Summer of Code project with Stephen Craig Evans - very interesting Lua scripting capability - stateful WAFing is possible with Lua