Showing posts with label OWASP.

Thursday, June 19, 2008

WASC OWASP Party @ Blackhat

WASC-OWASP Party at Blackhat

Blackhat Vegas is around the corner. Our WASC-OWASP party last year rocked, with around 300 people showing up. There was a huge line outside the Shadow Bar and it was by far the best party at Blackhat last year. If you weren't able to make it last year, do not miss it this time. Get your wristband from Breach's booth at Blackhat.

Join the leading minds in web application security for cocktails and appetizers
at the Shadow Bar inside Caesar's Palace.

When: Wednesday, August 6, 7:30 PM – 9:30 PM
Where: Shadow Bar, Caesar's Palace, Las Vegas
RSVP: Visit the Breach Security booth at BlackHat to get your wristband
Contact: egoldberg@breach.com

Sponsored by:
Breach Security

Monday, November 05, 2007

Panel discussion on Website Vulnerability Disclosure during AppSec Conference on Nov 15

As most of you know, the OWASP-WASC AppSec Conference is being held at eBay from Nov 12 to Nov 15, including the training sessions. There are many exciting topics to look forward to at the conference, not to forget the vendor parties at the end of each day. One of the things I am excited about is the panel discussion on Website Vulnerability Disclosure (which I will be moderating). We have some really great people on the panel and I am expecting a lively discussion, as the topic is also a little bit touchy :)

The panelists are
1. Robert "RSnake" Hansen - CEO of SecTheory with his blog at "http://ha.ckers.org".
2. Bruce Lowenthal - Director of Oracle Security Alerts Group, Oracle
3. Zulfikar Ramzan - Advanced Threat Team, Symantec;
4. Katie Moussouris - Security Strategist, Microsoft
5. Christopher Ernst - US Secret Service, San Francisco Field Branch.

I am expecting this to be one of the best panels, since it is not only a sensitive topic but also because we will have the corporate, hacker and govt/law points of view on the subject.

Since I have been working on the questions to ask during the panel discussion, I thought I would also take others' opinions on what kind of questions they would like to be asked. So, if you have any suggestions, please feel free to send me an email or leave them as a comment on the blog.

Do plan to be there as it should be fun. The date/time of the panel discussion is
Nov 15, 16:30 - 17:30

Here is the entire conference agenda
http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda

Conference registration page (if you haven't registered already), including the details on the vendor parties
http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007

Tuesday, September 04, 2007

OWASP & WASC AppSec 2007

The OWASP/WASC Black Hat cocktail party was so successful it only made sense to join forces again, this time for an upcoming conference. OWASP & WASC AppSec 2007 is scheduled for Nov 12 – 15 @ the eBay campus in San Jose, California. This will be an entire conference dedicated to web application security and something not to be missed. In fact, we’re a little nervous because the venue might not be able to fit everyone (300 max) wanting to attend.

Currently we’re busy formalizing the agenda and coordinating the logistics with parties and events. If the wish list pans out, we’ll have an amazing speaker/topic line-up, a ton of industry experts in attendance, security professionals from all over Silicon Valley, and hopefully a few surprises to go with it. The official announcement is below and I'll update the blog with new developments.

FYI: There are plenty of sponsorship opportunities for interested organizations.

OWASP and WASC have joined forces for this year's AppSec 2007 conference being held at eBay in San Jose, CA on Nov 12-15. A huge concentration of the industry's leading experts will be in attendance presenting high quality web application security content. AppSec 2007 offers a unique opportunity for security professionals, software developers, and IT managers to get up to speed on the latest and greatest attack techniques, defense strategies, and industry trends in an atmosphere of peers. The conference format and venue are also perfect for networking and sharing experiences with others who are down in the trenches. AppSec 2007 expects to exceed all attendance records from previous years, making space extremely limited. There's only room for approximately 300 attendees. So if you're planning to come, please register soon.

For more details and registration:
http://www.owasp.org/index.php/OWASP_&_WASC_AppSec_2007_Conference.

The conference also features:
1) Two full days of tutorials on a wide variety of web application security topics.
http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training
2) A web services security track
3) Vendor services and technology expo

Location: The AppSec 2007 Conference will be held at eBay's facility at 2211 North First Street in San Jose, CA, Nov 12th-15th.

Training Days: November 12th-13th
Main Conference: November 14th-15th

Monday, July 02, 2007

Reflection on Dinis Cruz


In the last episode of Reflection, we have someone who has become a pillar of OWASP. Dinis Cruz is the Chief OWASP Evangelist and a member of the OWASP board. At OWASP, he organizes events such as the OWASP Autumn of Code, delivers keynotes and advanced technical presentations at OWASP conferences and leads the OWASP .Net Project where (amongst others) he created the tools OWASP Report Generator, OWASP Site Generator, SAM'SHE (Security Analyzer for Microsoft's Shared Hosting Environments) and Asp.Net Reflector. Dinis Cruz is a security consultant based in London, specialized in penetration testing, ASP.NET application security, source-code security reviews, reverse engineering and security curriculum development. In his reflection, Dinis shares with us how he started in web application security. In his own words:

“When I was 10 years old I started programming assembly on my brother’s ZX Spectrum 48k. I remember being very happy using PEEK and POKE to manipulate pixels on the screen (I also remember translating Assembly code into bytes by hand, since at the time I had a book on assembly but had no compiler (ahhhh, these kids today have it so easy)).

I then went through an Amiga phase (probably the best computer ever, which was at that time miles ahead of everybody else), trying to write games and cool demos (again there was no Internet available).

After that came the BBS world with 2400 baud modems, followed by a super fast 14400 modem and big phone bills. Once the Internet arrived I couldn’t get enough of it.

I started with Web Application Security about 6 years ago when I became fascinated by how easy it was to remotely 0wn computers. I then decided to shift my professional focus into security and have not looked back since.

I think my programming background was a big help, since once I understood the issues with security I was able to use those skills to find vulnerabilities (and propose solutions).

On security, my first experiments were with the first edition of Hacking Exposed, which taught me the basics of Network Security, followed by a special focus on ASP Classic and .NET Framework security.

My journey with OWASP started with an email that I sent to Mark Curphey in October 2003 about my research on the security implications of running ASP.NET code in Full Trust. Mark replied with the challenge "Hey! Why don’t you publish this material on OWASP and manage the OWASP .Net project?", which I accepted, and I have since dedicated a considerable amount of energy to it. OWASP is a very empowering, open organization where motivated and focused individuals can find their place and shine. OWASP was a perfect match for my values and professional objectives. I published most of my .NET research and eventually became the Chief OWASP Evangelist.”


Based out of London, UK, Dinis is 32 years old. Below is a list of his contributions to the community.


Articles:-

Roadmap to a Partial Trust Managed Code world
http://blogs.owasp.org/diniscruz/2007/03/05/roadmap-to-a-partial-trust-managed-code-world/

‘Security Awareness Modes’ & the ‘day Microsoft changes’
http://blogs.owasp.org/diniscruz/2007/03/05/security-awareness-modes-the-day-microsoft-changes/

On Microsoft’s lack of Partial Trust Managed Code (PTMC) focus and ideas for the future
http://blogs.owasp.org/diniscruz/2007/03/05/on-microsofts-lack-of-partial-trust-managed-code-ptmc-focus-and-ideas-for-the-future/

I give up, no more posts to Full-Disclosure and DailyDave about Full Trust and .Net /Java Sandboxes
http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0147.html

An 'Asp.Net' accident waiting to happen
http://www.owasp.org/index.php/An_

Microsoft must deliver secure environments not tools to write secure code
http://www.owasp.org/index.php/Microsoft_must_deliver_secure_environments_not_tools_to_write_secure_code
Full Trust Asp.Net Security Vulnerabilties, and Microsoft's current position
http://www.owasp.org/index.php/Full_Trust_Asp.Net_Security_Vulnerabilties,_and_Microsoft

What are the 'Real World' security advantages of the .Net Framework and the JVM?
http://www.owasp.org/index.php/What_are_the_

.NET research from OWASP .NET Project

Rooting The CLR (demo files available on request)
http://www.owasp.org/index.php/Rooting_The_CLR

Buffer OverFlow in ILASM and ILDASM
http://www.owasp.org/index.php/Buffer_OverFlow_in_ILASM_and_ILDASM

Full Trust CLR Verification issue: changing the Method Parameters order
http://www.owasp.org/index.php/Full_Trust_CLR_Verification_issue:_changing_the_Method_Parameters_order

Full Trust CLR Verification issue: changing the return address order
http://www.owasp.org/index.php/Full_Trust_CLR_Verification_issue:_changing_the_return_address_order

Full Trust CLR Verification issue: Changing Private Field using Proxy Struct
http://www.owasp.org/index.php/Full_Trust_CLR_Verification_issue:_Changing_Private_Field_using_Proxy_Struct

Full Trust CLR Verification issue: Exploiting Passing Reference Types by Reference
http://www.owasp.org/index.php/Full_Trust_CLR_Verification_issue:_Exploiting_Passing_Reference_Types_by_Reference

Manipulating private method behavior by overriding public virtual methods in public classes
http://www.owasp.org/index.php/Manipulating_private_method_behaviour_by_overriding_public_virtual_methods_in_public_classes

CSharp readonly modifier is not enforced by the CLR (when in Full Trust)
http://www.owasp.org/index.php/CSharp_readonly_modifier_is_not_inforced_by_the_CLR_(when_in_Full_Trust)

ANSI/UNICODE bug in System.Net.HttpListenerRequest
http://www.owasp.org/index.php/ANSI/UNICODE_bug_in_System.Net.HttpListenerRequest


Tools written by him:-

DN_BOFinder (DotNet Buffer Overflow Finder)
http://www.owasp.org/index.php/DN_BOFinder

OWASP Site Generator
http://www.owasp.org/index.php/Owasp_SiteGenerator

OWASP Report Generator
http://www.owasp.org/index.php/Owasp_Report_Generator

.NET Assembly Analyzer
http://www.owasp.org/index.php/.Net_Assembly_Analyzer

New version (v2.0) of Foundstone's HacMe Bank (with Web Services)
http://secure.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/hacmebank.htm

Video of above is located here
http://secure.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/videos/hacmebank/index.htm

Foundstone's CodeScout (basic source code analysis tool)
http://secure.foundstone.com/resources/proddesc/codescout.htm

Foundstone's .NETMon (Flow Trace Tool for .NET)
http://secure.foundstone.com/resources/proddesc/dotnetmon.htm

HttpModule for Foundstone’s Validator.NET
http://secure.foundstone.com/resources/proddesc/validator.htm

OWASP’s SAMSHE (Security Analyzer for Microsoft's Shared Hosting Environments)
http://www.owasp.org/index.php/SAM
is a part of
http://www.owasp.org/index.php/ANBS

OWASP’s ANSA (Asp.Net Security Analyser)
http://www.owasp.org/index.php/ANSA

Online Active Directory User Management System

Multi-lingual website Content Management System (COTS application)

Windows Security Log Analysis solution

Relational Database for London University Researchers
Back end for travel agency website

E-Commerce system for music publisher selling custom CDs online

Online website Content Management System


Contributions:-

Created and organized the OWASP Autumn of Code 2006
http://www.owasp.org/index.php/OWASP_Autumn_Of_Code_2006

OWASP Spring of Code 2007
http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007

Participation as a speaker in several Security Conferences (including Keynote presentations at OWASP conferences)

Buffer Overflows on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 .Net Framework, 2006 Seattle

Panel: "The role of frameworks (e.g., .Net, Java, Enterprise Library, Struts, JaCorb) in 'forcing' developers to create and deploy 'secure' applications" , 2006 Seattle

Keynote: OWASP 2.0 - Enabling organizations to develop, maintain, and acquire applications they can trust, 2006 Europe (Leuven) and 2006 Seattle

Panel: "The role of Sandboxing in creating secure .Net and Java applications.”, 2006 Europe ( Leuven )

Rooting the CLR, 2005 Washington DC

The Fog of Software, 2005 London

OWASP DotNet Security tools: DefApp, ANBS, SAM'SHE, ASP.NET Reflector, Beretta, .NETMon , 2005 London

Full Trust Asp.Net Insecurity, 2004 NYC


Videos:

FSTV (Foundstone TV) Interview on '.NET, web security tools, the future of OWASP, and Open Source Software', BlackHat 2006
http://video.google.com/videoplay?docid=941077664562737284

Attacking Web and Windows Apps ( UK 's DDD3 on Jun 2006) http://www.roadtowinfx.com/ddd3/2006-06-03%20Developer%20Developer%20Developer%20session%203.lo%20res.wmv

Attacking Web and Windows Applications (presented in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 DDD2 on Oct 2005)
http://www.roadtowinfx.com/ddd/2005-10-22_DeveloperDay_session06.wmv

Rooting the CLR, OWASP conference at DC's NISC, Oct 2005
http://video.google.com/videoplay?docid=-2492965730809426450&q=owaspLog

Training:-

Advanced Asp.Net Exploits and Countermeasures (IOActive):

London (July 17th/18th)
http://www.nxtgenug.net/Course.aspx?CourseID=4

Black Hat in Las Vegas (July 28th/29th and July 30th/31st )
http://www.blackhat.com/html/bh-usa-07/train-bh-us-07-io-net.html

Advanced Asp.Net Security (Security Compass)

Writing Secure ASP.NET Code (IOActive)

Writing Secure Code - ASP.NET (C#) (Foundstone)

Writing Secure Code Boot Camp ( Intense School / Vigilar)


Memberships:-

OWASP


Company working for:-

Dinis has a main contract with Ounce Labs but continues to do other projects and training (for example the Black Hat training in Las Vegas for IOActive).


Companies worked for:-

Dinis has been the director of his UK based company for 10 years now, and has worked (under direct contract) for companies like: Ounce Labs, ABN AMRO, IOActive, Foundstone, Vigilar, Infosys, Security Compass, the UK’s Defence Science and Technology Laboratory, the UK’s Department for Transport, the UK’s Competition Commission and many others.


Email:-

Dinis.Cruz at owasp.net


Blog:-

http://blogs.owasp.org/diniscruz


Website:-

http://www.owasp.org/


Education:-

Dinis has 50% of a degree from the Portuguese University of Algarve in ‘Computing Systems and Analysis’ (where he completed 3 out of five years) and has 50% of a degree from the UK’s University of Westminster in ‘Commercial Music’ (where he completed 1 and ½ of 3 years).

So basically he has a degree in ‘Computing Commercial Systems and Music Analysis’


Dinis uses both Apple and Windows and prefers to program in C#. When he is not in front of a computer, he likes to spend time with his family and play football, golf, guitar and drums.

With this the Reflection project comes to an end. I would like to thank everyone who participated in it and spent time with me putting all the information together. It has truly been a fantastic experience.

Last Week - Cesar Cerrudo

Wednesday, June 06, 2007

WASC meetup in Blackhat USA 2007



OWASP and WASC have joined hands to have a combined meetup at Blackhat USA 2007 in Las Vegas, which was earlier planned as a WASC meetup. Breach Security has stepped forward to sponsor the event. Please click on the image to see a larger version of the invite. Come and join us for a drink and meet other like-minded people from the industry.
NOTE: Those who have already RSVPed need not RSVP again.

Monday, April 30, 2007

Reflection on Andrew Van Der Stock


This week on Reflection we have Andrew van der Stock. Andrew is very active in the webappsec industry through OWASP and is involved in a lot of activities, including the OWASP Top Ten, the OWASP Guide, etc. He has contributed a lot to the webappsec field, more so in terms of research and awareness on securing applications rather than exploiting them. He used to be based out of Australia and has recently moved to Columbia, MD and joined Aspect Security. Today he shares with us his journey with web application security and his thoughts on black hat and white hat hackers (or should I say security professionals). In his own words:


“I started playing with computers when I was 7 on a Commodore PET. My first attempt at squeezing more out of my computer than it probably was capable of was with my Amstrad 6128, which ran a Z80 at 4 MHz. I more than doubled the speed of the 3" (yes, 3") disk drive by driving it directly. This is where I had my first taste of assembly language and low level prodding and probing.

Back in the mid-1990s, I was a system administrator at an Australian hospital. Doctors would frequently try to dump private electronic patient (UR) records for their private use, possibly to sell to drug companies, but always illegally. This unregulated (at the time) but immoral use of our health data infuriated me and got me into ethics and privacy in a big way. This led me to join SAGE-AU, the System Administrators' Guild of Australia, eventually rising to be SAGE-AU's President.

I used to be the editor of SAGE Advice, the SAGE-AU journal, and I ended up writing about 20-30 articles for that. Most are system administration flavored, so not that useful to your readers.

I used to pen a weekly column for The Australian newspaper (a daily national broadsheet in Australia). I think I wrote about 30 odd articles for them back in the day, but their archives are closed to non-subscribers so I can't tell for sure. I lost a lot of data (we all learn once!) when I went from my early Macs to my SMP workstation running Windows NT 3.51, and I still don't have all my data from that time. Luckily, I'm back on a beautiful Mac again, and as I've learnt the hard lessons of data, I have everything dating back to 1995.

I was the author of most of the technical standards and policy set by auDA, the Australian Domain Name Administrator (similar in function to ICANN). I worked with two or three others for the majority of this project, although as always, we started with many more. My work on this panel regulates how DNS works in Australia.

I never completed my degree. If anyone from RMIT CS is reading, I wouldn't mind getting some credits for my work at OWASP so I can finish it up. Let's talk! If anyone else is interested in offering me a place in masters by research program in web app sec, I'd be interested. I don't think I'm really cut out for undergraduate course work, but I love doing ground breaking research.

I am a dual Microsoft MCSE. My first MCSE was NT 4.0 back in 1997, and then I got my Windows 2000 early adopter MCSE in late 1999 when they were trialing the exams. Early adopters got a nice Gold MCSE card! Many folks find this a bit funny, especially as I've been active in open source for so long... and that I'm really a Mac dude at heart. But I have a soft spot for Microsoft as they do the basic research in our field, and they own up to security flaws and fix them properly. Now, they're reaping the rewards. Good for them. Many vendors could learn a thing or ten from MS. I'm pretty sure my MCSEs are expired now.

In 1998, I entered the field properly as a security consultant. At that stage, finance institutions were starting to review the lockdown of apps. I was drafted into looking at various apps for many larger finance institutions, who were concerned with unmanaged risk and "mobile code" - ActiveX and Java applets running on their PCs. My interest grew from there, even though I didn't really start code reviewing stuff every day until the early part of this century.

In web app sec, I am completely self taught, but I did learn a lot from folks at OWASP – no one lives in a vacuum. I still do a lot of research using forum software to see how things can be fixed in the real world. I love working with some very smart folks who challenge me every day. It's a sad day when you don't learn or discover something new.

To understand this field, you must understand the threats and attacks to defend against them. I am reasonably certain anyone can learn how to attack if they Think Evil for long enough. It's far easier to Think Evil and destroy than it is to create solid software.

The proof of this putrid state of affairs is s'kid marks getting lots of unthinking column centimeters every day, and yet how little praise the folks in Microsoft got for their work on .NET 2.0. .NET 2.0 advances the field in so many ways – say by automatically rejecting any option in a select list which wasn't sent out in the first place. Whoever thought of that should be on the front page of CNET for a year to make up for the waste of space most "hacking" stories get. And there are so many more unsung heroes - master craftsmen (and women!) all. For every La Padula or Bell or Schneier, there's a thousand or more s'kid marks. This is a very asymmetrical situation and it's not good for our industry.

Criminals who attack systems are simply criminals, or in the abstract, attackers. Low level attackers are "s'kid marks" to me – morons who have a script and think they are the most l33t players. Unfortunately, a million s'kid marks equates to a lot of damage, as eventually one or two will strike it lucky during school break.

The true hackers are polymaths like Turing, von Neumann, Douglas Engelbart (the primary creator of the desktop metaphor back in the 1960s), Steve Wozniak (a true hardware hacker), the folks who made my HP 48G calculator (a work of art and mathematical tour de force!), and the recently deceased John Backus (the guy who created Fortran and is the "Backus" in BNF, used in every RFC grammar from here to eternity). Those folks are worthy of respect and are the true meaning of the word "hacker". But now, the word is lost forever because of constant misuse over a long period of time.

My thing is software engineering as a repeatable practice. We have to stop treating web app sec as a black art. We have to stop lauding cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 attackers and praising cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 folks who deliberately break software for nothing more than getting cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir name in lights. We have to stop thinking cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se folks are somewhat special. If you're a s'kid mark today, it's time to step up and move on. If you're any good, come join us on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 light side of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 force – before you commit a crime. There's so much to do and so much research begging for someone to just come and do it.

We should be celebrating cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 folks who put cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 hard yards into security research which protects us all – permanently. I'm trying to do this with CSRF at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 moment, and will be taking some time this year to make PHP 6.0 safer. I know how to attack software and have done so, but I prefer to build strong software, so my skills lie in ensuring that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 defenses and controls I write about, recommend, or indeed implement are robust against known attacks as well as cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 stuff over cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 horizon. Occasionally, I am at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 horizon, such as when I went and played with JSON injection before pretty much anyone else. I don't claim to have invented JSON injection as it's so totally obvious anyone with half a clue could have recreated my work without any knowledge of what I was doing.

We need more folks who hang out at OWASP and WASC. We should have totally eliminated all forms of injection and ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r common weaknesses by now - and moved on to where cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 value lies – cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 business rules. It's a shame so many are sucked in by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 dark side of our industry. It's such a waste of good talent.

I'm one of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 dudes working on questions for SANS "National Secure Programming Skills Assessment", a soon to be forthcoming certification which will sort cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 wheat from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 chaff. I'm doing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Java questions (eventually) and hope to be involved in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 PHP questions when cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y kick that off. With some luck, this will not become a paper certification (where certified but clueless folks are rampant), but a suitable metric to prove skill.

I had a book contract to write an Ajax Security Book based upon my world famous Ajax Security Presentation from February last year. However, life intervened, and that's on permanent hold, especially as Billy Hoffman & co is writing what will be a superb Ajax Security book if his research is anything to go by.

I have cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bones of a security architecture book waiting to go. If anyone feels like writing it with me, I should be free enough sometime in about two-five years :) Really should finish Guide 3.0 before starting this one though.

I've been involved in open source a long time. My first open source project, which I never completed (shame!) was GNU stty (gstty). Since cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n, I've been involved in XFree86 (from about 1996 onwards), Linux kernel when things didn't work on my SMP workstation (SMP was rare in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 day), on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 extreme periphery of NetBSD (my friend Luke was NetBSD core, so I wanted to show a little loyalty to his projects ;), pnm2ppa – print drivers for HP's worst ever printers for Unix/Linux/BSD.

Since 2001, I've been running Aussieveedubbers, a largish VW nut forum. Through that, I got into writing forums. Initially, I helped write XMB, which after a spat became UltimaBB, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n GaiaBB, and possibly that code base will be re-forked back into XMB. UltimaBB is very secure compared to its contemporaries as I've been busy with it. However, like all projects using my infinite spare time... Things take a back seat to my real job and my real life.”

Below are his contributions to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 webappsec community.

Articles:-

OWASP Guide 2.0 – as lead author and editor.
http://www.owasp.org/index.php/Guide_Table_of_Contents

OWASP Top 10 2007 (along with Dave Wichers and Jeff Williams).
http://www.owasp.org/index.php/Top_10_2007

Many web app sec blog articles:

http://www.greebo.net/?cat=3 (web app sec, 47 blog entries)
http://www.greebo.net/?cat=16 (OWASP, 24 blog entries)
http://www.greebo.net/?cat=17 (conferences and travel)


Memberships:-

Executive Director - OWASP
Columbia PHP user group
SAGE-AU 1995 - 2002, ex-President Jun 2000 – Mar 2001
AISA


Conferences:-

Andrew has presented at the following conferences:

SAGE-AU - The System Administrators Guild of Australia
OWASP – Open Web Application Security Project
Linux Australia
AusCERT – Australian Computer Emergency Response Team
RuxCon - Australian security conference, Vulnerability assessment and hacking information, for Australia
Black Hat – Black Hat
OSCON – Oreilly Open Source Convention


His favorite presentation is Ajax Security presentation. http://www.greebo.net/owasp/ajax_security.pdf

Predictable ISN numbers in Foundry ServerIron. My first bugtraq advisory back in 2000. So proud!
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0178


Tutored "Internet 101" back in the early 1990's at the Business Faculty at RMIT University


Tools written by him:-

WebSphere {xor} Secret Magic Ring Decoder Toy (C#)

XMB / UltimaBB / GaiaBB – forum software. It's a good test harness for new webappsec ideas. XMB 1.9.7 is due soon which fixes a lot of security issues. (PHP)


Companies worked for:-

Web Application Security jobs:

e-Secure – Senior Security Architect
b-sec – Chief Technologist
National Australia Bank – Security Application Architect
Aspect Security – Senior Engineer


Company working for:-

Aspect Security


Email:-

vanderaj__at__owasp__dot__org



Website:-

http://www.owasp.org


He has one of the sharpest brains in the industry. These contributions above do not reflect the amount of work he has done in promoting awareness in web application security.

Last Week – Nish Bhalla
Next Week – Bill Pennington

Friday, March 30, 2007

Reflection on Jeff Williams


This week's reflection needs no introduction. Jeff Williams is one of the major contributors in the webappsec community. He has written many whitepapers, spoken at many conferences including Secure Software Summit, OWASP conferences, ISSA InfoSec Conference, NSA High Confidence Software and Systems Conference (HCSS), JavaOne, National Computer Security Conference (NCSC), etc, written many tools available at OWASP and also chairs the OWASP foundation. Jeff Williams has done a lot of work in promoting awareness of web application security.

On his reflection, Jeff shares with us how he got into web application security and his journey with OWASP and a little bit about his personal life and interests. In his own words:

“I set out to be a user interface guy, but I got into security accidentally. I was working at TRW in 1992 on the user interface for a big Navy system that just happened to be highly secure – targeting B2 in the Orange Book. I took on an R&D project to port the user interface to the new compartmented mode workstation (what became Trusted Solaris) and I found that I really liked the challenge of securing such a complex system.

Then Java 1.0 came along and I got NIST and NRL funding to do security research. At the time, we thought the Java sandbox was a good idea, but that there were attacks that might bypass it. So I wrote a special classloader that modified the bytecode to wrap security relevant method calls with a reference monitor. After that I spent several years developing a Java-based multilevel secure network guard on Trusted Solaris. That guard handled HTTP, FTP, TDS, and a number of other protocols – sort of a very early application firewall. But unlike the modern WAFs, we took a whitelist approach where you would define exactly the data formats and rules for allowing messages.

In the mid-90’s, I chaired the group that authored the SSE-CMM, which is now ISO 21827. As it turns out, the processes involved in systems security engineering are quite similar to those necessary for secure software development. I’m very glad to see that the idea of assurance arguments from my work is starting to be used in the application security world.

Then in 1998, while I was the technical director of the Global Security Practice at Exodus Communications, a Fortune 10 company approached us and said “We’d like to host our applications with you, but we have this rule – every line of code has to be reviewed before it goes on the Internet.” So I started an application security practice and started providing application assessments, developer training, and help with security requirements and architecture. We built a successful practice securing some of the biggest and most complex web applications in the world.

In April 2002, together with Dave Wichers, Noelle Hardy, and some other great folks, I started Aspect Security to focus exclusively on application security. I just feel so fortunate to get to work with such an amazing group of consultants and customers. I’m having the most fun of my professional career.

I first heard of OWASP in 2001 from Chuck Pfleeger (the author of Security in Computing). The idea of a free and open community for application security was an interesting idea. At the time, getting companies to focus on application security was difficult. In meetings with several government agencies, they acknowledged that it was an issue, but that they were managing to the SANS Top 20. I came home and literally in the shower said to myself, “I wish we had an application security top ten…” So a small team of us at Aspect took the lead in drafting the first OWASP Top Ten.

Later, Aspect donated WebGoat, a hands-on training environment for application security issues that we had developed for our courses. A huge number of organizations, including Google, use WebGoat today to teach their developers about application security. We started to see that participation in OWASP allowed Aspect to demonstrate our skills in a very constructive way, and many of our customers have contacted us after seeing our participation in OWASP.

I was honored to take over the leadership of OWASP in 2003. At that time, we had a number of great contributors, but OWASP itself was just a domain name and a few small projects. So I got us set up as a 501c3 nonprofit organization and put a management structure in place. I want the OWASP Foundation to provide a free, open, supportive community infrastructure for application security projects. We’re making the barriers to entry for contribution so low that security experts will be motivated to make the effort and share their expertise.

One of the key challenges has been to ensure that OWASP is not influenced by commercial interests. When I set up the AppSec conference and local chapter rules, I made sure that vendors cannot use OWASP to market their products. We’re also starting to ferret out abuse of the OWASP brand by companies that claim their products “address the OWASP Top Ten” or enable “OWASP Compliance.” The local chapters have been growing very quickly and starting to contribute back to the mothership. Our conferences have also been a great experience.

I think the switch to the MediaWiki platform in 2006 was a major step for OWASP. Prior to that, contributing content was a difficult and painful process. Now, anyone can create an account and contribute easily. We have a team set up to review all the contributions and the number of abuses in our first year has been astoundingly low (less than 10 incidents). We’re to the point now where we get dozens of articles and contributions every day. I don’t see how a non-open approach to building an application security body of knowledge can possibly keep up with our productivity.

We’re still a long way from the point where a company can go to OWASP for everything they need in order to build, acquire, and operate secure applications… but we’ve got an incredible process and we’re working very hard to get there.

I have a wonderful wife Jennifer and three kids, Chance (9), Zack (7), and Zoe (1). We live in the woods and spend a lot of time outside with our four Labrador retrievers. I’m very much into sports – I rowed on the crew team at U.Va. and still play basketball three times a week. For a while I was into extreme rollerblading and then I got into mountain bike trials – I broke a lot of equipment, but never had any serious injuries :)"

Based out of Ashton, MD, Jeff is 39 years old and is the CEO of Aspect Security. Below are his contributions to the webappsec community.

Articles / Presentations:-

Opening the Black Box: A Source Code Security Analysis Case Study
http://www.aspectsecurity.com/documents/Aspect_Opening_Black_Box.doc

Application Security Initiatives - The Best Defense Is a Good Offense
http://www.aspectsecurity.com/documents/Application_Security_Initiatives.htm

Let's Sue the Idiots -- Security, Software, Contracts, and Lawyers -
White paper, The OWASP Foundation
http://www.aspectsecurity.com/article/sscl.htm

How to Build an HTTP Request Validation Engine for Your J2EE Application -
White paper, The OWASP Foundation
http://www.aspectsecurity.com/article/bld_HTTP_req_val_engine.htm

Access Control (aka Authorization) in Your J2EE Application -
White paper, The OWASP Foundation
http://www.aspectsecurity.com/article/access_control.htm

Trustworthy Java - Are your apps bulletproof? -
White paper, The OWASP Foundation
http://www.aspectsecurity.com/article/trust_java.htm

The Ten Most Critical Web Application Security Vulnerabilities -
White paper, The OWASP Foundation
http://www.aspectsecurity.com/owasp.htm

Security Code Review - the Best Way to Eliminate Vulnerabilities in Software -
White paper, Aspect Security
http://www.aspectsecurity.com/documents/AspectCodeReviewWhitePaper.pdf

Can a 'Social Protocol' Help Protect Privacy?
http://www.aspectsecurity.com/documents/p3p.pdf

Jini and Mobile Agent Security -
Proceedings of the Workshop on Agent Technologies (AT ‘98)
http://www.aspectsecurity.com/documents/jini.pdf

A Practical Approach to Improving and Communicating Assurance -
Proceedings of the 10th Canadian Information Technology Security Symposium (CITSS)
http://www.aspectsecurity.com/documents/Arguing.pdf

A Practical Approach to Measuring Assurance -
Proceedings of the 1998 Security Applications Conference (ACSAC)
http://www.aspectsecurity.com/documents/Measuring.pdf

System Security Engineering Capability Maturity Model (SSE-CMM) version 2.0 -
Released at the 21st Annual National Information System Security Conference (NISSC)
http://www.aspectsecurity.com/documents/SSECMMv2Final.pdf

Just Sick about Security -
Proceedings of the New Security Paradigms Workshop
http://www.aspectsecurity.com/documents/Sick.pdf

An Enterprise Assurance Framework -
Proceedings of the 5th Workshop on Enabling Technologies
http://www.aspectsecurity.com/documents/WetIce.pdf

Pretty Good Assurance -
Proceedings of the New Security Paradigms Workshop
http://www.aspectsecurity.com/documents/Pretty.pdf

Need for a Framework for Reasoning about Assurance -
Proceedings of the International Workshop on IT Assurance and Trustworthiness (WITAT)
http://www.aspectsecurity.com/documents/Need.pdf

Assurance is an N-Space (Where N is Hopefully Small) -
Proceedings of the International Invitational Workshop on Developmental Assurance
http://www.aspectsecurity.com/documents/Nspace.pdf

A Capability Maturity Model For Security Engineering -
Proceedings of the 6th Annual Canadian Computer Security Symposium
http://www.aspectsecurity.com/documents/CITSS94.doc

Unsafe at Any (CPU) Speed: Why We Keep Making the Same Mistakes -
NSA High Confidence Software and Systems Conference

Web Applications: The “Last Mile” of Internet Security -
White paper, Exodus Communications

A Constructionist Approach to Law and Society -
Law and Society Seminar, Georgetown University Law Center

Interpreting Anticircumvention (DMCA) -
Advanced International Copyright Law, Georgetown University Law Center

P3I – Protection Profile Process Improvement -
Proceedings of the 22nd National Information System Security Conference (NISSC)
Proceedings of the 10th Canadian Information Technology Security Symposium (CITSS)

Windows NT Security -
17th Annual National Computer Security Conference (NCSC)

Windows NT Client Security and Windows NTAS Security -
The Local Area Network Security Conference (LANSEC)

Reusing Existing C3I Systems in a Secure Environment -
Proceedings of the Application of COTS and Reusable Components Conference

A Framework for Reasoning about Assurance -
Published by the National Computer Security Center of the NSA
Proceedings of the 11th Annual Conference on Computer Assurance (COMPASS)

Interconnecting MLS Command Centers -
White paper for the Multilevel Security Initiative at Hanscomb AFB


Tools written:-

OWASP WebGoat
http://www.owasp.org/webgoat
I built the first WebGoat back in 1998 as a controller servlet with a few simple lessons on SQL injection, cross-site scripting, and access control. Since then, it’s grown to have dozens of lessons and has been revamped several times. Many people have contributed to the project and it’s still quite active.

OWASP Stinger
http://www.owasp.org/stinger
Stinger was a simple idea that every part of every HTTP request should be validated with regular expressions. A mechanism for enforcing a positive security model for validation in an application. It uses a Java “filter” to ensure that all requests are validated and even developers can’t avoid it.

OWASP PDF XSS Attack Filter
https://www.owasp.org/index.php/PDF_Attack_Filter_for_Java_EE
This was a one-night project to build a little filter that generates a token to avoid a specific very dangerous flaw in Adobe Reader.
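The positive security model described for Stinger (every part of every request matched against an allow-list pattern, with a filter that developers cannot bypass) and the .NET 2.0 behaviour Andrew praises earlier (rejecting a select-list value the server never offered) are two instances of the same idea. The following is an added illustration of that model, written for this page; it is not Stinger's code, not .NET's, and the paths, parameter names and patterns are constructed for the example.

```python
import re
from typing import Dict, List, Mapping, Pattern, Sequence, Tuple

# Allow-list of parameters per request path (constructed for this example).
# Each entry: parameter name -> (pattern the single value must match in full,
# whether the parameter is required). Anything absent from this table is denied.
RULES: Dict[str, Dict[str, Tuple[Pattern[str], bool]]] = {
    "/login": {
        "username": (re.compile(r"[A-Za-z0-9_.]{3,32}"), True),
        "password": (re.compile(r"[\x20-\x7E]{8,128}"), True),
        "remember": (re.compile(r"0|1"), False),
    },
    "/profile": {
        "id": (re.compile(r"[1-9][0-9]{0,9}"), True),
        # A select list: the only legal values are the options the server
        # rendered, which is the check the text credits .NET 2.0 with doing
        # automatically.
        "country": (re.compile(r"AU|US|GB|DE"), True),
    },
}


def validate(path: str, params: Mapping[str, Sequence[str]]) -> List[str]:
    """Return the violations found in one request; an empty list means accept.

    `params` maps each parameter name to the list of values received, as a
    query-string or form parser produces it. The model is positive: an unknown
    path, an unknown parameter, a repeated parameter, a missing required
    parameter, or a value that does not match its pattern in full is rejected.
    """
    rules = RULES.get(path)
    if rules is None:
        return [f"unknown path {path!r}"]

    violations: List[str] = []
    for name, values in params.items():
        rule = rules.get(name)
        if rule is None:
            violations.append(f"unexpected parameter {name!r}")
            continue
        if len(values) != 1:
            # Duplicate parameters are a classic way to confuse a validator
            # that checks one copy while the application reads another.
            violations.append(
                f"parameter {name!r} must appear exactly once, got {len(values)}"
            )
            continue
        pattern, _required = rule
        # fullmatch, not match() or search(): a trailing '$' would still accept
        # a value ending in a newline, and search() would accept any hostile
        # string that merely contains a legal substring.
        if pattern.fullmatch(values[0]) is None:
            violations.append(f"parameter {name!r} does not match its allowed pattern")

    for name, (_pattern, required) in rules.items():
        if required and name not in params:
            violations.append(f"missing required parameter {name!r}")
    return violations


def filter_request(path: str, params: Mapping[str, Sequence[str]]) -> bool:
    """Filter-style entry point: True when the request may reach the application."""
    return not validate(path, params)


if __name__ == "__main__":
    # Constructed sample requests, as a parser would hand them over.
    for req in (
        ("/profile", {"id": ["42"], "country": ["AU"]}),
        ("/profile", {"id": ["42"], "country": ["XX"]}),
        ("/login", {"username": ["alice"], "password": ["correct horse"], "debug": ["1"]}),
    ):
        print(req[0], filter_request(*req), validate(*req))
```

The table is the whole security policy: adding a parameter to the application without adding it to the table makes the request fail closed, which is what makes the filter something developers cannot quietly route around.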


Contributions:-

OWASP Top Ten
http://www.owasp.org/index.php/OWASP_Top_Ten_Project

OWASP Secure Software Contract Annex
http://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex

OWASP Testing Guide (Risk Rating Sections)
http://www.owasp.org/index.php/How_to_value_the_real_risk

OWASP Honeycomb Project (Work in progress)
http://www.owasp.org/index.php/Category:OWASP_Honeycomb_Project


Website:-

http://www.aspectsecurity.com

http://www.owasp.org


Memberships:-

OWASP Chair


Companies worked for:-

Aspect Security
Exodus Communications
Arca Systems
TRW
MITRE


Company working for:-

CEO of Aspect Security


Education:-

JD cum laude – Georgetown Law - Cyberlaw and Intellectual Property
MA – George Mason - Human Factors Engineering
BA – University of Virginia - Cognitive Psychology and Computer Science (Specialization in AI)


I am sure we will see a lot more contribution from him going forward. Though he doesn’t have a blog yet, you can find most of his work on OWASP.

Next Week – Chris Shiflett

Last Week – Robert Auger