Difference between revisions of "Podcast 6"

From OWASP
'''[[OWASP_Podcast | OWASP Podcast Series]] #6'''<br/>
OWASP Roundtable<br/>
'''Recorded January 24, 2009'''<br/>

[http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012 iTunes] [http://www.owasp.org/download/jmanico/podcast.xml RSS feed] [http://www.owasp.org/download/jmanico/owasp_podcast_6.mp3 direct download]

'''"Current WAFs are applying these old school concepts, network security, to address software security problems ... I think this is just doomed to fail" - Marcin'''

Participants
- Brian Holyfield is a co-founder of Gotham Digital Science, where he helps clients detect, correct and prevent software security problems. A lot of his time recently has been spent researching how to protect applications at run-time.
- Marcin Wielgoszewski is a security consultant based out of New York City and the founder of the tssci-security.com blog.
- Andre Gironda is a web application security trainer in the Phoenix area. He is also a contributor to the tssci-security.com blog.
- Jim Manico is a Web Application Architect and Security Engineer for Aspect Security.

Recap OWASP EU Summit
- Talked with Adobe rep
- Figured out the charter for ISWG
- OWASP Live CD http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
- Press coverage is hilarious
- OWASP Education Project http://www.owasp.org/index.php/Category:OWASP_Education_Project
- [http://www.google.com/trends?q=xss%2C+clickjacking Clickjacking trends]

Builder vs Breaker
- is this a real skill gap?
- easier to build/defend
- fixing stuff is boring (kuza55)

We've reached the Application Security Tipping Point
- Chris Wysopal (Zero in a Bit)
- Attacks are getting simpler (and we're barely fixing old vulns)
- Assets are moving more and more to the web
- New technology = make all the same mistakes again
- Aspect never wanted to be NGS - but everything is broken
- Just this morning, hilarious SSO product bypass (that's all we'll say; not method/verb tampering)

Canonicalization is a nightmare
- mod_security turns off Unicode validation by default
- another commercial WAF bypassable by default with invalid UTF-8
- any byte-based validation is a failure on the web (or in unmanaged languages)

Securing WebGoat with mod_security
- Summer of Code project with Stephen Craig Evans
- very interesting Lua scripting capability
- stateful WAFing is possible with Lua

Links
* [http://www.gdssecurity.com/l/spf/ Secure Parameter Filter for IIS (SPF)]
* [http://www.tssci-security.com/ tssci-security]
* [http://blog.modsecurity.org/2008/12/helping-protect-cookies-with-httponly-flag.html Modsecurity and HTTPOnly]
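The "Canonicalization is a nightmare" notes above make the point that a filter which inspects raw bytes fails as soon as the same character can be encoded more than one way. The block below is an added example, not code from the podcast, from ModSecurity or from any product mentioned: a hypothetical byte-level blacklist (the network-security style of check Marcin criticises) next to a filter that decodes UTF-8 strictly and applies NFKC normalization before validating. The overlong-UTF-8 and fullwidth payloads are constructed for the demo, and <code>lenient_utf8_decode</code> is a deliberately permissive decoder written here to show what a back end that tolerates overlong sequences would see; Python's own codec rejects those sequences.

```python
import unicodedata

# Constructed blacklist for the demo; a real filter would be an allow-list.
FORBIDDEN = ("<script", "javascript:")


def lenient_utf8_decode(data: bytes) -> str:
    """Hypothetical weak decoder: accepts overlong 2- and 3-byte sequences.

    Written here only to reproduce the behaviour of a permissive back end.
    Python's strict 'utf-8' codec would raise on the same input.
    """
    out = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:                                  # plain ASCII
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and (data[i + 1] & 0xC0) == 0x80:
            # 2-byte form, no check that the value actually needed 2 bytes
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif (0xE0 <= b <= 0xEF and i + 2 < n
              and all((data[i + k] & 0xC0) == 0x80 for k in (1, 2))):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            out.append(chr(cp))
            i += 3
        else:                                         # anything else: replacement char
            out.append("\ufffd")
            i += 1
    return "".join(out)


def byte_filter_allows(raw: bytes) -> bool:
    """Byte-level blacklist: looks for the forbidden tokens in the raw request."""
    low = raw.lower()                                 # ASCII-only lowercase
    return not any(token.encode("ascii") in low for token in FORBIDDEN)


def canonical_filter_allows(raw: bytes) -> bool:
    """Decode strictly, normalize, then validate the text the application will see."""
    try:
        text = raw.decode("utf-8")                    # strict: overlong/invalid -> error
    except UnicodeDecodeError:
        return False                                  # malformed input is rejected outright
    text = unicodedata.normalize("NFKC", text)        # fullwidth/compat forms -> ASCII
    low = text.lower()
    return not any(token in low for token in FORBIDDEN)


def compare(raw: bytes) -> dict:
    """Run both filters on one input and show what a lenient back end decodes."""
    return {
        "byte_filter_allows": byte_filter_allows(raw),
        "canonical_filter_allows": canonical_filter_allows(raw),
        "lenient_backend_sees": lenient_utf8_decode(raw),
    }


# Constructed samples: 0xC0 0xBC is an overlong encoding of '<' (U+003C);
# U+FF1C / U+FF1E are fullwidth '<' and '>' that NFKC folds to ASCII.
SAMPLES = {
    "plain":     b"<script>alert(1)</script>",
    "overlong":  b"\xc0\xbcscript>alert(1)\xc0\xbc/script>",
    "fullwidth": "\uff1cscript\uff1ealert(1)".encode("utf-8"),
    "benign":    "hello w\u00f6rld".encode("utf-8"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, compare(raw))
```

The overlong sample passes the byte filter (there is no literal <code>&lt;script</code> in the bytes) while a permissive decoder turns it into a working tag; the canonical filter rejects it because strict decoding fails. The fullwidth sample also passes the byte filter but is caught once NFKC has folded it to ASCII. Validating after decoding and normalizing is the only order in which the check and the application agree on what the input is.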

Latest revision as of 08:33, 13 February 2009
