Difference between revisions of "Podcast 1"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
 
Recorded November 21, 2008
 
Recorded November 21, 2008
 +
 +
Participants
 +
- Arshan Dabirsiaghi is the the Director of Research for Aspect Security.
 +
- Jeremiah Grossman is the CTO of Whitehat.
 +
- Jim Manico is a Web Application Architect and Security Instructor for Aspect Security.
 +
- Jeff Williams is the CEO of Aspect Security and also volunteers as one of the chairs of the OWASP Foundation.
  
 
Recap OWASP EU Summit
 
Recap OWASP EU Summit

Revision as of 19:13, 21 November 2008

Recorded November 21, 2008

Participants

- Arshan Dabirsiaghi is the the Director of Research for Aspect Security.
- Jeremiah Grossman is the CTO of Whitehat.
- Jim Manico is a Web Application Architect and Security Instructor for Aspect Security. 
- Jeff Williams is the CEO of Aspect Security and also volunteers as one of the chairs of the OWASP Foundation.

Recap OWASP EU Summit

- Jeremiah gave up on browser security
- Robert bailed on the summit
- Talked with Adobe rep
- Figured out the charter for ISWG
- Press coverage is hilarious

Builder vs Breaker

- is this a real skill gap?
- easier to build/defend
- fixing stuff is boring (kuza55)

We've reached Application Security Tipping Point

- Chris Wysopal (Zero in a bit)
- Attacks are getting simpler (and we're barely fixing old vulns)
- Assets are moving more and more to the web
- New technology  =  make all same mistakes again
- Aspect never wanted to be NGS - but everything is broken
- Just this morning, hilarious SSO product bypass (thats all we'll say, not method/verb tampering)

Canonicalization is a nightmare

- mod_security turns off Unicode validation by default
- another commercial WAF bypassable by default with invalid UTF-8
- any byte-based validation is failure on the web (or unmanaged langs)

Securing WebGoat with mod_security

- Summer of Code project with Stephen Craig Evans
- very interesting Lua scripting capability
- stateful WAFing is possible with Lua