Notes From Boulder OWASP 2007 Meetings
November Meeting Notes - Patrick White - Aspect-Oriented Programming
Security and AOP (Aspect Oriented Programming)
Speaker: Patrick White, Program Manager for Fortify Software.
Topic: Security and AOP
Aspect Oriented Programming is an incredibly interesting methodology that has gradually gained popularity over the years. As interesting as the concepts are, they are often admittedly difficult to actualize. In this talk Patrick will be examining what AOP is and how it can make a real and meaningful impact during your development. In addition, he'll look at how powerful security features can be added to an application using AOP either in sync or out of sync with development.
Bio: Patrick White is a Program Manager at Fortify Software. He holds a BS in Computer Engineering and Computer Science from the University of Southern California and has earned numerous Microsoft certifications including MCSE, MCSD, and MCPD. He previously worked for several Bay Area startups and was at Microsoft before joining the Fortify Software team.
Patrick's presentation can be found here: https://www.owasp.org/images/2/27/SecurityAndAOPII_FortifySoftware20071115.pdf Yeah, sometimes it's OK to bolt on security after the fact...
September Meeting Notes - Jeremiah Grossman - Top 10 Web Attack Techniques, their Potential Impact, and Strategies to Protect Your Company
The first Boulder OWASP meeting was held September 20th, 2007. Jeremiah's presentation was OUTSTANDING and MUCH APPRECIATED. Jeremiah kindly allowed it to be posted here:
There was also a brief discussion about integrating security into the SDLC. Here's a link for a GREAT presentation done by Michael Walters. Note the diagrams on slide 13:
Also, if your QA team isn't aware of SQuAD (the Software Quality Association of Denver) you may want to point them to www.squadco.com as a resource.
September Meeting
First Boulder OWASP Meeting to be held September 20th, 2007
Site: Corporate Express US Headquarters, 1 Environmental Way, Broomfield, CO 80021
Time: Dinner and beverages will be available starting at 6 PM, compliments of Business Partner Solutions. Presentation will start at 6:30.
Speaker: Jeremiah Grossman, CTO of WhiteHat Security.
Topic: Top 10 Web Attack Techniques, their Potential Impact, and Strategies to Protect Your Company
To date, information security has been focused mainly on vulnerabilities at the network and software (OS, web server, etc.) levels. However, a new battleground is quickly developing that poses an even greater threat to companies’ brands/reputations and data. As companies drive more and more business processes to the web, vulnerabilities in their custom Web applications have become the new target for a new class of hackers. And the payoff is now financial gain, not personal notoriety.
Jeremiah Grossman will:
- Reveal the top 10 attacks of 2006 by creativity and scope
- Predict what these attacks mean for website vulnerability management in 2007
- Present strategies to protect your corporate websites
Bio: Jeremiah Grossman is the founder and CTO of WhiteHat Security, considered a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and recently named to InfoWorld's Top 25 CTOs for 2007. Mr. Grossman is a frequent speaker at industry events including the BlackHat Briefings, RSA, ISACA, CSI, OWASP, Vanguard, ISSA, Defcon, and a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques; and is a co-author of XSS Attacks. Mr. Grossman is frequently quoted in major media publications such as InfoWorld, USA Today, PCWorld, Dark Reading, SC Magazine, SecurityFocus, Cnet, CSO, and InformationWeek. Prior to WhiteHat he was an information security officer at Yahoo!
Local News 2007
XSS defense - the "diminutive worm contest"
RSnake hosted a contest to write the smallest XSS worm. His results are here: XSS Worm Analysis And Defense. It's good reading for anyone trying to come to grips with XSS prevention.
Flash Security Testing
SecurityFocus has a very interesting article regarding AOP and security written by Rohit Sethi on October 16th, 2007. It complements and reinforces the AOP talk given by Pat White from Fortify Software for the Nov Chapter Meeting. If you know of any other useful AOP references, please share by posting to the chapter mailing list...
Cool References - November 28th, 2007
Google for "Microsoft AntiXSS Library" and you'll see some pretty cool resources for stifling Cross-Site-Scripting problems.
OWASP has a similar project: http://www.owasp.org/index.php/Category:OWASP_Encoding_Project
in addition to the OWASP Enterprise Security API project (which looks REALLY COOL):
Finally, many of the OWASP wikis are available as books, either for purchase in hard-copy or as a free download:
Boulder OWASP News - November 15th, 2007
Several security professionals have expressed interest in serving as Chapter Officers or as part of a Board of Directors. If this is of interest to you too, please contact Andy. We expect to assemble interested parties in early Dec to plan out 2008.
What should I expect to see at a bOWASP meeting?
Each speaker will be encouraged to cover:
- demonstration of the threat ("look! I got EVERYONE'S credit card #!")
- overview/sample of vulnerable code, preferably in PHP, Java, or .Net env.
- some details regarding how to correct the code
- some thoughts as to how to test for the problem and/or "immunize" against it during a typical SDLC
- additional tools and references