Difference between revisions of "Podcast 6"

From OWASP
m (New page: ''' OWASP Podcast Series #6''' Recorded January 24, 2009 - [http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012 http://images.apple.com/itunes/o...)
 
m
Line 5: Line 5:
  
 
Participants
 
Participants
  - Brian Holyfield is a co-founder of Gotham Digital Science, where he helps clients detect, correct and prevent software security problems.  Alot of his time recently has been spent researching how to protect applications at run-time.
+
  - Brian Holyfield is a co-founder of Gotham Digital Science.
  - Marcin Wielgoszewski is a security consultant based out of New York City and is the founder of the tssci-security.com blog.
+
  - Marcin Wielgoszewski is a security consultant based out of New York City.
  - Andre Geronda is a web application security trainer in the Pheonix area. He is also a contributor for the tssci-security.com blog.
+
  - Andre Geronda is a web application security trainer in the Pheonix area.
- Jim Manico is a Web Application Architect and Security Engineer for Aspect Security.
+
 
+
Recap OWASP EU Summit
+
- Talked with Adobe rep
+
- Figured out the charter for ISWG
+
- OWASP Live CD http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
+
- Press coverage is hilarious
+
- OWASP Education Project http://www.owasp.org/index.php/Category:OWASP_Education_Project
+
- [http://www.google.com/trends?q=xss%2C+clickjacking Clickjacking trends]
+
 
+
Builder vs Breaker
+
- is this a real skill gap?
+
- easier to build/defend
+
- fixing stuff is boring (kuza55)
+
 
+
We've reached Application Security Tipping Point
+
- Chris Wysopal (Zero in a bit)
+
- Attacks are getting simpler (and we're barely fixing old vulns)
+
- Assets are moving more and more to the web
+
- New technology  =  make all same mistakes again
+
- Aspect never wanted to be NGS - but everything is broken
+
- Just this morning, hilarious SSO product bypass (thats all we'll say, not method/verb tampering)
+
 
+
Canonicalization is a nightmare
+
- mod_security turns off Unicode validation by default
+
- another commercial WAF bypassable by default with invalid UTF-8
+
- any byte-based validation is failure on the web (or unmanaged langs)
+
 
+
Securing WebGoat with mod_security
+
- Summer of Code project with Stephen Craig Evans
+
- very interesting Lua scripting capability
+
- stateful WAFing is possible with Lua
+
- [http://blog.modsecurity.org/2008/12/helping-protect-cookies-with-httponly-flag.html Modsecurity and HTTPOnly]
+
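Review bot: "Pheonix" on the Andre Geronda participant line is misspelled and the new revision carries it over unchanged; it should read "Phoenix". The Jim Manico participant line has no counterpart in the added column, so it disappears from the new revision while the other three bios are only shortened; if that is unintended, keep `- Jim Manico is a Web Application Architect and Security Engineer for Aspect Security.` alongside the others. Smaller points in the added notes: "thats" in the SSO bypass bullet should be "that's", and the "mod_security turns off Unicode validation by default" bullet would be easier to verify if it named the directive it refers to.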

Revision as of 17:03, 24 January 2009

OWASP Podcast Series #6

Recorded January 24, 2009


Participants

- Brian Holyfield is a co-founder of Gotham Digital Science.
- Marcin Wielgoszewski is a security consultant based out of New York City.
- Andre Geronda is a web application security trainer in the Phoenix area.