Difference between revisions of "Podcast 1"

From OWASP
Previous revision (the page template before this edit):

'''Introduction'''
* Introduction to OWASP (Dinis Cruz)
** enter one paragraph of descriptive text here

'''Participant Introduction'''
* Jeff Williams, Arshan Dabirsiaghi, Eric Sheridan, Andrew van der Stock (Jeff Williams)
** enter one paragraph of descriptive text here

'''Main Topic'''
* Input Validation Strategies (Jeff Williams)
** enter one paragraph of descriptive text here

'''Articles'''
* Web Application Firewall Debate (Arshan)
** enter one paragraph of descriptive text here
** http://jeremiahgrossman.blogspot.com/2008/06/can-wafs-protect-against-business-logic.html
** http://www.tssci-security.com/archives/2008/06/27/week-of-war-on-wafs-day-5-final-thoughts/

* Disclosure (Eric)
** enter one paragraph of descriptive text here
** http://www.darkreading.com/blog.asp?blog_sectionid=403&doc_id=157993
** http://hackademix.net/2008/07/01/yahoos-attitude-encouraging-zero-day-full-disclosure/

* PCI 6.6 is Required (Andrew)
** enter one paragraph of descriptive text here
** http://www.thetechherald.com/article.php/200827/1354/Today-s-the-day-PCI-DSS-section-6-6-is-required

This edit replaced the whole template with the show notes in the revision below.

Revision as of 16:00, 21 November 2008

Recap OWASP EU Summit

- Jeremiah gave up on browser security
- Robert bailed on the summit
- Talked with Adobe rep
- Figured out the charter for ISWG
- Press coverage is hilarious

Builder vs Breaker

- is this a real skill gap?
- easier to build/defend
- fixing stuff is boring (kuza55)

We've reached Application Security Tipping Point

- Chris Wysopal (Zero in a bit)
- Attacks are getting simpler (and we're barely fixing old vulns)
- Assets are moving more and more to the web
- New technology = make all the same mistakes again
- Aspect never wanted to be NGS - but everything is broken
- Just this morning, hilarious SSO product bypass (that's all we'll say, not method/verb tampering)

Canonicalization is a nightmare

- mod_security turns off Unicode validation by default
- another commercial WAF bypassable by default with invalid UTF-8
- any byte-based validation is a failure on the web (or in unmanaged langs)
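To make the canonicalization point concrete, here is an added example (not from the podcast, mod_security, or any WAF vendor) that contrasts a byte-level pattern check with one that strictly decodes UTF-8 and NFKC-normalizes before inspecting; the sample inputs and function names are constructed for the illustration.

```python
import unicodedata
from typing import Optional, Tuple

# Constructed sample inputs (not from the podcast notes). Each carries the
# same "<" in a different byte form; a byte-matching filter sees only the first.
PLAIN = b"<b>hi"
OVERLONG = b"\xc0\xbcb>hi"                # 0xC0 0xBC: overlong, invalid encoding of "<"
FULLWIDTH = "\uff1cb>hi".encode("utf-8")  # U+FF1C FULLWIDTH LESS-THAN SIGN
TRUNCATED = b"caf\xc3"                    # multibyte sequence cut short


def byte_filter_flags(raw: bytes) -> bool:
    """Byte-level check, the approach the notes call a failure: it only
    recognises the single-byte form of '<' and passes every other form."""
    return b"<" in raw


def canonical_check(raw: bytes) -> Tuple[str, Optional[str]]:
    """Canonicalise first, then inspect: strict UTF-8 decoding rejects invalid,
    overlong and truncated sequences outright, and NFKC folds compatibility
    look-alikes (fullwidth forms) onto their ASCII counterparts before the
    content check runs. Returns (verdict, canonical text or None)."""
    try:
        text = raw.decode("utf-8")  # strict by default; overlong forms are errors
    except UnicodeDecodeError as exc:
        return ("reject: invalid UTF-8 (%s)" % exc.reason, None)
    text = unicodedata.normalize("NFKC", text)
    if "<" in text:
        return ("reject: markup", text)
    return ("accept", text)


if __name__ == "__main__":
    samples = [("plain", PLAIN), ("overlong", OVERLONG),
               ("fullwidth", FULLWIDTH), ("truncated", TRUNCATED)]
    for label, raw in samples:
        print(f"{label:10} byte filter flags: {byte_filter_flags(raw)!s:5} "
              f"canonical check: {canonical_check(raw)[0]}")
```

The byte filter flags only the plain form; the canonical check rejects all four, two of them before any pattern is consulted, which is why a WAF that skips strict UTF-8 validation is bypassable with malformed input.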

Securing WebGoat with mod_security

- Summer of Code project with Stephen Craig Evans
- very interesting Lua scripting capability
- stateful WAFing is possible with Lua